Username Enumeration Vulnerability in Siemens Desigo Products
CVE-2022-24043
5.3 MEDIUM
Key Information:
- Vendor: Siemens
- CVE Published: 20 May 2022
Summary
A vulnerability has been identified in Siemens' Desigo product line, affecting multiple versions of the DXR2, PXC3, PXC4, and PXC5 models. The issue arises from improper normalization of response times during login attempts: the device answers a login for a non-existent username measurably faster (or slower) than one for an existing username, so a remote unauthenticated attacker can distinguish the two cases by timing alone. This enables a username enumeration attack, in which an attacker determines which usernames are valid on the device, and that knowledge can be used as a stepping stone to further attacks on the system.
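To illustrate the weakness the summary describes, the following added example (not Siemens code, and not derived from the Desigo firmware) contrasts a login routine that returns early for unknown users with one that normalizes its work. The user store, salt, password and the hypothetical function names are all constructed for the illustration; the counter shows that the hardened path performs the same expensive hash check whether or not the username exists, which is what removes the timing difference.

```python
import hashlib
import hmac
import time

# Constructed sample credential store: username -> (salt, PBKDF2 hash)
def _hash(password: str, salt: bytes, iterations: int = 50_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential used only so the unknown-user path costs as much as the known-user path
_DUMMY = (_SALT, _hash("dummy-password", _SALT))

# Counts hash checks so the two code paths can be compared deterministically
HASH_CALLS = {"count": 0}

def _verify(password: str, salt: bytes, expected: bytes) -> bool:
    HASH_CALLS["count"] += 1
    return hmac.compare_digest(_hash(password, salt), expected)

def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users: response time reveals whether the name exists."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return _verify(password, *rec)

def login_hardened(username: str, password: str) -> bool:
    """Always runs the hash check, so timing does not depend on username validity."""
    rec = USERS.get(username)
    known = rec is not None
    salt, expected = rec if known else _DUMMY
    ok = _verify(password, salt, expected)
    # Both conditions are evaluated after the constant-cost work is done
    return ok and known

def hash_calls_for(login_fn, username: str, password: str) -> int:
    """Number of hash verifications performed by one login attempt."""
    HASH_CALLS["count"] = 0
    login_fn(username, password)
    return HASH_CALLS["count"]

def mean_login_time(login_fn, username: str, password: str, rounds: int = 5) -> float:
    """Average wall-clock time per attempt; a defender can use this to check for a gap."""
    start = time.perf_counter()
    for _ in range(rounds):
        login_fn(username, password)
    return (time.perf_counter() - start) / rounds
```

Comparing mean_login_time(login_vulnerable, "nobody", "x") with the same call for "alice" shows the gap the advisory refers to; with login_hardened the two averages converge.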
Affected Version(s)
- Desigo DXR2: All versions < V01.21.142.5-22
- Desigo PXC3: All versions < V01.21.142.4-18
- Desigo PXC4: All versions < V02.20.142.10-10884
References
CVSS V3.1
- Score: 5.3
- Severity: MEDIUM
- Confidentiality: Low
- Integrity: None
- Availability: Low
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved