Sign-up

ID

VAR-202205-0566


CVE

CVE-2022-24044


TITLE

Multiple Siemens Products Improperly Limiting Excessive Authentication Attempts Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2022-010189

DESCRIPTION

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The login functionality of the application does not employ any countermeasures against Password Spraying attacks or Credential Stuffing attacks. An attacker could obtain a list of valid usernames on the device by exploiting the issue and then perform a precise Password Spraying or Credential Stuffing attack in order to obtain access to at least one account. desigo dxr2 firmware, desigo pxc3 firmware, desigo pxc4 Multiple Siemens products, including firmware, are vulnerable to improper restrictions on excessive authentication attempts.Information may be obtained. Desigo DXR2 controllers are programmable automation stations to support the standard control needs of terminal HVAC equipment and TRA (Total Room Automation) applications. The Desigo PXC3 series of automation stations can be used in buildings where functionality and flexibility are required. Use Desigo room automation when multiple specialties (HVAC, lighting, shading) are combined into one solution, and when a high degree of flexibility is required. The Desigo PXC4 building automation controller is designed for HVAC system control. It is a compact device with built-in IOs that can be expanded to your needs with additional TX-IO modules. The Desigo PXC5 is a freely programmable controller for BACnet system-level functions such as alarm routing, system-wide scheduling and trending, and device monitoring. Siemens Desigo PXC and DXR Devices

Trust: 2.25

sources: NVD: CVE-2022-24044 // JVNDB: JVNDB-2022-010189 // CNVD: CNVD-2022-37375 // VULMON: CVE-2022-24044

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-37375

AFFECTED PRODUCTS

vendor:siemensmodel:desigo pxc4scope:ltversion:02.20.142.10-10884

Trust: 1.0

vendor:siemensmodel:desigo pxc3scope:ltversion:01.21.142.4-18

Trust: 1.0

vendor:siemensmodel:desigo pxc5scope:ltversion:02.20.142.10-10884

Trust: 1.0

vendor:siemensmodel:desigo dxr2scope:ltversion:01.21.142.5-22

Trust: 1.0

vendor:シーメンスmodel:desigo dxr2scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc4scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc5scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc3scope: - version: -

Trust: 0.8

vendor:siemensmodel:desigo pxc5scope:ltversion:v02.20.142.10-10884

Trust: 0.6

vendor:siemensmodel:desigo pxc4scope:ltversion:v02.20.142.10-10884

Trust: 0.6

vendor:siemensmodel:desigo pxc3scope:ltversion:v01.21.142.4-18

Trust: 0.6

vendor:siemensmodel:desigo dxr2scope:ltversion:v01.21.142.5-22

Trust: 0.6

sources: CNVD: CNVD-2022-37375 // JVNDB: JVNDB-2022-010189 // NVD: CVE-2022-24044

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-24044
value: HIGH

Trust: 1.0

NVD: CVE-2022-24044
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-37375
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202205-2985
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2022-24044
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2022-37375
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-24044
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-24044
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-37375 // JVNDB: JVNDB-2022-010189 // CNNVD: CNNVD-202205-2985 // NVD: CVE-2022-24044

PROBLEMTYPE DATA

problemtype:CWE-307

Trust: 1.0

problemtype:Inappropriate limitation of excessive authentication attempts (CWE-307) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-010189 // NVD: CVE-2022-24044

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-2985

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202205-2985

PATCH

title:Patch for Unknown Vulnerability in Siemens Desigo PXC and DXR Devices (CNVD-2022-37375)url:https://www.cnvd.org.cn/patchInfo/show/332646

Trust: 0.6

title:Multiple Siemens Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=194581

Trust: 0.6

sources: CNVD: CNVD-2022-37375 // CNNVD: CNNVD-202205-2985

EXTERNAL IDS

db:NVDid:CVE-2022-24044

Trust: 3.9

db:SIEMENSid:SSA-626968

Trust: 3.0

db:ICS CERTid:ICSA-22-132-10

Trust: 1.5

db:JVNid:JVNVU92977068

Trust: 0.8

db:JVNDBid:JVNDB-2022-010189

Trust: 0.8

db:CNVDid:CNVD-2022-37375

Trust: 0.6

db:AUSCERTid:ESB-2022.2349

Trust: 0.6

db:CS-HELPid:SB2022051124

Trust: 0.6

db:CNNVDid:CNNVD-202205-2985

Trust: 0.6

db:VULMONid:CVE-2022-24044

Trust: 0.1

sources: CNVD: CNVD-2022-37375 // VULMON: CVE-2022-24044 // JVNDB: JVNDB-2022-010189 // CNNVD: CNNVD-202205-2985 // NVD: CVE-2022-24044

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf

Trust: 2.4

url:https://jvn.jp/vu/jvnvu92977068/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-24044

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-132-10

Trust: 0.8

url:https://cert-portal.siemens.com/productcert/html/ssa-626968.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.2349

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-132-10

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022051124

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-24044/

Trust: 0.6

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-132-10

Trust: 0.1

sources: CNVD: CNVD-2022-37375 // VULMON: CVE-2022-24044 // JVNDB: JVNDB-2022-010189 // CNNVD: CNNVD-202205-2985 // NVD: CVE-2022-24044

CREDITS

reported these vulnerabilities to CISA.,Andrea Palanca, of Nozomi Networks

Trust: 0.6

sources: CNNVD: CNNVD-202205-2985

SOURCES

db:CNVDid:CNVD-2022-37375
db:VULMONid:CVE-2022-24044
db:JVNDBid:JVNDB-2022-010189
db:CNNVDid:CNNVD-202205-2985
db:NVDid:CVE-2022-24044

LAST UPDATE DATE

2024-11-23T21:50:29.744000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2022-37375date:2022-05-16T00:00:00
db:JVNDBid:JVNDB-2022-010189date:2023-08-10T08:26:00
db:CNNVDid:CNNVD-202205-2985date:2022-06-02T00:00:00
db:NVDid:CVE-2022-24044date:2024-11-21T06:49:43.270

SOURCES RELEASE DATE

db:CNVDid:CNVD-2022-37375date:2022-05-16T00:00:00
db:JVNDBid:JVNDB-2022-010189date:2023-08-10T00:00:00
db:CNNVDid:CNNVD-202205-2985date:2022-05-11T00:00:00
db:NVDid:CVE-2022-24044date:2022-05-20T13:15:14.547