Details of VAR-201612-0415

ID

VAR-201612-0415

CVE

CVE-2016-9154

TITLE

Siemens Desigo PX For automation controllers Desigo PX Web Vulnerability of reconfiguring corresponding private key in module

Trust: 0.8

sources: JVNDB: JVNDB-2016-006497

DESCRIPTION

Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D (All firmware versions < V6.00.046) and Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U (All firmware versions < V6.00.046) use a pseudo random number generator with insufficient entropy to generate certificates for HTTPS, potentially allowing remote attackers to reconstruct the corresponding private key. The SIEMENS building automation system Desigo PX programmable automation station provides a flexible solution that can issue alarm signals, time-based logging procedures and trends, and can be modified or expanded at any time. Remote attackers can exploit this issue to perform man-in-the-middle attacks and obtain sensitive information. This aids in other attacks. This could allow the attacker to gain unauthorized access to the system. PXA40-W0 etc. are the room operation unit modules. The following modules are affected: PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX Automation Controllers, PXC00-ED, PXC50-ED, PXC100-ED, PXC200-ED System Controllers; PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automatic controller, PXC00-U, PXC64-U, PXC128-U system controller

Trust: 2.52

sources: NVD: CVE-2016-9154 // JVNDB: JVNDB-2016-006497 // CNVD: CNVD-2016-12572 // BID: 94962 // VULHUB: VHN-97974

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2016-12572

AFFECTED PRODUCTS

vendor:	siemens	model:	desigo web module pxa30-w1	scope:	lte	version:	6.00.00	Trust: 1.0
vendor:	siemens	model:	desigo web module pxa40-w2	scope:	lte	version:	6.00.00	Trust: 1.0
vendor:	siemens	model:	desigo web module pxa30-w0	scope:	lte	version:	6.00.00	Trust: 1.0
vendor:	siemens	model:	desigo web module pxa40-w0	scope:	lte	version:	6.00.00	Trust: 1.0
vendor:	siemens	model:	desigo web module pxa40-w1	scope:	lte	version:	6.00.00	Trust: 1.0
vendor:	siemens	model:	desigo web module pxa30-w2	scope:	lte	version:	6.00.00	Trust: 1.0
vendor:	siemens	model:	desigo px pxa30-w0	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	desigo px pxa30-w0	scope:	lt	version:	6.00.046	Trust: 0.8
vendor:	siemens	model:	desigo px pxa30-w1	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	desigo px pxa30-w1	scope:	lt	version:	6.00.046	Trust: 0.8
vendor:	siemens	model:	desigo px pxa30-w2	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	desigo px pxa30-w2	scope:	lt	version:	6.00.046	Trust: 0.8
vendor:	siemens	model:	desigo px pxa40-w0	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	desigo px pxa40-w0	scope:	lt	version:	6.00.046	Trust: 0.8
vendor:	siemens	model:	desigo px pxa40-w1	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	desigo px pxa40-w1	scope:	lt	version:	6.00.046	Trust: 0.8
vendor:	siemens	model:	desigo px pxa40-w2	scope:	-	version:	-	Trust: 0.8
vendor:	siemens	model:	desigo px pxa40-w2	scope:	lt	version:	6.00.046	Trust: 0.8
vendor:	siemens	model:	pxa40-w0 for pxc00-e.d	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa40-w1 for pxc00-e.d	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa40-w2 for pxc00-e.d	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa40-w0 for pxc50-e.d	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa40-w1 for pxc50-e.d	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa40-w2 for pxc50-e.d	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa40-w0 for pxc100-e.d	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa40-w1 for pxc100-e.d	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa40-w2 for pxc100-e.d	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa40-w0 for pxc200-e.d	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa40-w1 for pxc200-e.d	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa40-w2 for pxc200-e.d	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa30-w0 for pxc00-u	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa30-w1 for pxc00-u	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa30-w2 for pxc00-u	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa30-w0 for pxc64-u	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa30-w1 for pxc64-u	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa30-w2 for pxc64-u	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa30-w0 for pxc128-u	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa30-w1 for pxc128-u	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	pxa30-w2 for pxc128-u	scope:	lt	version:	6.00.046	Trust: 0.6
vendor:	siemens	model:	desigo web module pxa40-w0	scope:	eq	version:	6.00.00	Trust: 0.6
vendor:	siemens	model:	desigo web module pxa40-w1	scope:	eq	version:	6.00.00	Trust: 0.6
vendor:	siemens	model:	desigo web module pxa30-w1	scope:	eq	version:	6.00.00	Trust: 0.6
vendor:	siemens	model:	desigo web module pxa40-w2	scope:	eq	version:	6.00.00	Trust: 0.6
vendor:	siemens	model:	desigo web module pxa30-w2	scope:	eq	version:	6.00.00	Trust: 0.6
vendor:	siemens	model:	desigo web module pxa30-w0	scope:	eq	version:	6.00.00	Trust: 0.6
vendor:	siemens	model:	desigo px pxa40-w2	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	desigo px pxa40-w1	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	desigo px pxa40-w0	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	desigo px pxa30-w2px	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	desigo px pxa30-w1	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	desigo px pxa30-w0	scope:	eq	version:	0	Trust: 0.3
vendor:	siemens	model:	desigo px pxa40-w2	scope:	ne	version:	6.0.46	Trust: 0.3
vendor:	siemens	model:	desigo px pxa40-w1	scope:	ne	version:	6.0.46	Trust: 0.3
vendor:	siemens	model:	desigo px pxa40-w0	scope:	ne	version:	6.0.46	Trust: 0.3
vendor:	siemens	model:	desigo px pxa30-w2px	scope:	ne	version:	6.0.46	Trust: 0.3
vendor:	siemens	model:	desigo px pxa30-w1	scope:	ne	version:	6.0.46	Trust: 0.3
vendor:	siemens	model:	desigo px pxa30-w0	scope:	ne	version:	6.0.46	Trust: 0.3

sources: CNVD: CNVD-2016-12572 // BID: 94962 // JVNDB: JVNDB-2016-006497 // CNNVD: CNNVD-201612-580 // NVD: CVE-2016-9154

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-9154
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-9154
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2016-12572
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201612-580
value:	HIGH
Trust: 0.6
VULHUB:	VHN-97974
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-9154
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2016-12572
severity:	MEDIUM
baseScore:	5.4
vectorString:	AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	4.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-97974
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-9154
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2016-12572 // VULHUB: VHN-97974 // JVNDB: JVNDB-2016-006497 // CNNVD: CNNVD-201612-580 // NVD: CVE-2016-9154

PROBLEMTYPE DATA

problemtype:

CWE-332

Trust: 1.9

sources: VULHUB: VHN-97974 // JVNDB: JVNDB-2016-006497 // NVD: CVE-2016-9154

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201612-580

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201612-580

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-006497

PATCH

title:	SSA-856492	url:	http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-856492.pdf	Trust: 0.8
title:	Patch for SIEMENS Desigo PX Web module pseudo-random number generation has insufficient entropy vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/86124	Trust: 0.6
title:	Desigo PX Web Modules Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66607	Trust: 0.6

sources: CNVD: CNVD-2016-12572 // JVNDB: JVNDB-2016-006497 // CNNVD: CNNVD-201612-580

EXTERNAL IDS

db:	NVD	id:	CVE-2016-9154	Trust: 3.4
db:	ICS CERT	id:	ICSA-16-355-01	Trust: 2.8
db:	SIEMENS	id:	SSA-856492	Trust: 2.6
db:	BID	id:	94962	Trust: 2.6
db:	JVNDB	id:	JVNDB-2016-006497	Trust: 0.8
db:	CNNVD	id:	CNNVD-201612-580	Trust: 0.7
db:	CNVD	id:	CNVD-2016-12572	Trust: 0.6
db:	VULHUB	id:	VHN-97974	Trust: 0.1

sources: CNVD: CNVD-2016-12572 // VULHUB: VHN-97974 // BID: 94962 // JVNDB: JVNDB-2016-006497 // CNNVD: CNNVD-201612-580 // NVD: CVE-2016-9154

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-16-355-01	Trust: 2.8
url:	http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-856492.pdf	Trust: 2.6
url:	http://www.securityfocus.com/bid/94962	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-9154	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-9154	Trust: 0.8
url:	http://www.siemens.com/	Trust: 0.3

sources: CNVD: CNVD-2016-12572 // VULHUB: VHN-97974 // BID: 94962 // JVNDB: JVNDB-2016-006497 // CNNVD: CNNVD-201612-580 // NVD: CVE-2016-9154

CREDITS

Marcella Hastings, Joshua Fried and Nadia Heninger from the University of Pennsylvania

Trust: 0.3

sources: BID: 94962

SOURCES

db:	CNVD	id:	CNVD-2016-12572
db:	VULHUB	id:	VHN-97974
db:	BID	id:	94962
db:	JVNDB	id:	JVNDB-2016-006497
db:	CNNVD	id:	CNNVD-201612-580
db:	NVD	id:	CVE-2016-9154

LAST UPDATE DATE

2025-04-13T23:38:58.412000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2016-12572	date:	2016-12-19T00:00:00
db:	VULHUB	id:	VHN-97974	date:	2019-10-09T00:00:00
db:	BID	id:	94962	date:	2017-01-12T00:03:00
db:	JVNDB	id:	JVNDB-2016-006497	date:	2017-01-05T00:00:00
db:	CNNVD	id:	CNNVD-201612-580	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2016-9154	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2016-12572	date:	2016-12-19T00:00:00
db:	VULHUB	id:	VHN-97974	date:	2016-12-23T00:00:00
db:	BID	id:	94962	date:	2016-12-19T00:00:00
db:	JVNDB	id:	JVNDB-2016-006497	date:	2017-01-05T00:00:00
db:	CNNVD	id:	CNNVD-201612-580	date:	2016-12-19T00:00:00
db:	NVD	id:	CVE-2016-9154	date:	2016-12-23T05:59:00.593