Weak Password Storage in Desigo DXR2 and PXC Series by Siemens
CVE-2022-24041

6.5 MEDIUM

Key Information:

Vendor: Siemens
CVE Published: 10 May 2022

Summary

A security issue has been discovered in Siemens Desigo DXR2 and PXC series products: user password hashes are stored as PBKDF2 outputs computed with an insufficient iteration count. Users with profile access privileges can retrieve the password hashes of other accounts, and the low iteration count makes offline password cracking feasible. Consequently, the plaintext passwords of other users can be exposed, posing a significant risk to the security of user accounts.
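The weakness described above is not a broken algorithm but a tunable that was set too low. The following added example, which is not code from Siemens or from this advisory, shows what a defender can do with that fact: a small PBKDF2-SHA256 password store with a constructed `pbkdf2_sha256$<iterations>$<salt>$<hash>` record format, a verifier, and an audit that flags stored hashes whose iteration count falls below a policy minimum so they can be re-hashed at next login. The record format, the user names and the `MIN_ITERATIONS` threshold are assumptions for illustration; the threshold follows current OWASP guidance for PBKDF2-HMAC-SHA256 rather than any value the advisory gives.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed policy minimum for PBKDF2-HMAC-SHA256 (OWASP guidance at time of
# writing); not a value taken from the advisory.
MIN_ITERATIONS = 600_000


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Hash a password with PBKDF2-HMAC-SHA256 and return the constructed
    record format pbkdf2_sha256$<iterations>$<salt_b64>$<dk_b64>."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def parse_record(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, derived_key)."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: %r" % algo)
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored parameters and compare in constant time."""
    iterations, salt, dk = parse_record(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(dk))
    return hmac.compare_digest(candidate, dk)


def needs_rehash(stored: str, minimum: int = MIN_ITERATIONS) -> bool:
    """True when the record's iteration count is below the policy minimum."""
    iterations, _, _ = parse_record(stored)
    return iterations < minimum


def audit_iterations(user_db: Dict[str, str], minimum: int = MIN_ITERATIONS) -> List[str]:
    """Return the users whose stored hash is weaker than the policy minimum.
    This is the check that would have surfaced the advisory's condition."""
    return sorted(user for user, stored in user_db.items() if needs_rehash(stored, minimum))


def upgrade_on_login(user_db: Dict[str, str], user: str, password: str) -> bool:
    """Verify a login and, if the stored record is too weak, re-hash the
    password with the current policy before returning. Returns login success."""
    stored = user_db[user]
    if not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        user_db[user] = hash_password(password, MIN_ITERATIONS)
    return True


def build_sample_db() -> Dict[str, str]:
    """Constructed sample store: one record hashed with a weak iteration
    count, one with the policy minimum. Fixed salts keep the example deterministic."""
    return {
        "legacy_user": hash_password("correct horse", 1_000, salt=b"\x01" * 16),
        "fresh_user": hash_password("battery staple", MIN_ITERATIONS, salt=b"\x02" * 16),
    }


if __name__ == "__main__":
    db = build_sample_db()
    print("weak records:", audit_iterations(db))
    print("legacy login:", upgrade_on_login(db, "legacy_user", "correct horse"))
    print("weak records after upgrade:", audit_iterations(db))
```

The audit only needs to read the iteration field, so it can run over an exported password table without any password material; the per-login upgrade is what actually removes the weak records, since the server only holds the plaintext at authentication time.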

Affected Version(s)

Desigo DXR2 All versions < V01.21.142.5-22

Desigo PXC3 All versions < V01.21.142.4-18

Desigo PXC4 All versions < V02.20.142.10-10884

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved