Sign-up

ID

VAR-202205-0567


CVE

CVE-2022-24045


TITLE

Vulnerabilities in multiple Siemens products

Trust: 0.8

sources: JVNDB: JVNDB-2022-010188

DESCRIPTION

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The application, after a successful login, sets the session cookie on the browser via client-side JavaScript code, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”). Any attempts to browse the application via unencrypted HTTP protocol would lead to the transmission of all his/her session cookies in plaintext through the network. An attacker could then be able to sniff the network and capture sensitive information. desigo dxr2 firmware, desigo pxc3 firmware, desigo pxc4 Multiple Siemens products such as firmware have unspecified vulnerabilities.Information may be obtained. Desigo DXR2 controllers are programmable automation stations to support the standard control needs of terminal HVAC equipment and TRA (Total Room Automation) applications. The Desigo PXC3 series of automation stations can be used in buildings where functionality and flexibility are required. Use Desigo room automation when multiple specialties (HVAC, lighting, shading) are combined into one solution, and when a high degree of flexibility is required. The Desigo PXC4 building automation controller is designed for HVAC system control. It is a compact device with built-in IOs that can be expanded to your needs with additional TX-IO modules. The Desigo PXC5 is a freely programmable controller for BACnet system-level functions such as alarm routing, system-wide scheduling and trending, and device monitoring. Siemens Desigo PXC and DXR Devices have security flaws that could allow attackers to perform username enumeration attacks and identify valid usernames. Siemens Desigo PXC and DXR Devices

Trust: 2.25

sources: NVD: CVE-2022-24045 // JVNDB: JVNDB-2022-010188 // CNVD: CNVD-2022-37374 // VULMON: CVE-2022-24045

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-37374

AFFECTED PRODUCTS

vendor:siemensmodel:desigo pxc4scope:ltversion:02.20.142.10-10884

Trust: 1.0

vendor:siemensmodel:desigo pxc3scope:ltversion:01.21.142.4-18

Trust: 1.0

vendor:siemensmodel:desigo pxc5scope:ltversion:02.20.142.10-10884

Trust: 1.0

vendor:siemensmodel:desigo dxr2scope:ltversion:01.21.142.5-22

Trust: 1.0

vendor:シーメンスmodel:desigo dxr2scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc4scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc5scope: - version: -

Trust: 0.8

vendor:シーメンスmodel:desigo pxc3scope: - version: -

Trust: 0.8

vendor:siemensmodel:desigo pxc5scope:ltversion:v02.20.142.10-10884

Trust: 0.6

vendor:siemensmodel:desigo pxc4scope:ltversion:v02.20.142.10-10884

Trust: 0.6

vendor:siemensmodel:desigo pxc3scope:ltversion:v01.21.142.4-18

Trust: 0.6

vendor:siemensmodel:desigo dxr2scope:ltversion:v01.21.142.5-22

Trust: 0.6

sources: CNVD: CNVD-2022-37374 // JVNDB: JVNDB-2022-010188 // NVD: CVE-2022-24045

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-24045
value: MEDIUM

Trust: 1.0

NVD: CVE-2022-24045
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2022-37374
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202205-2983
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2022-24045
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2022-37374
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2022-24045
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2022-24045
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2022-37374 // JVNDB: JVNDB-2022-010188 // CNNVD: CNNVD-202205-2983 // NVD: CVE-2022-24045

PROBLEMTYPE DATA

problemtype:CWE-311

Trust: 1.0

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-614

Trust: 1.0

problemtype:Lack of encryption of critical data (CWE-311) [NVD evaluation ]

Trust: 0.8

problemtype: others (CWE-Other) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2022-010188 // NVD: CVE-2022-24045

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202205-2983

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202205-2983

PATCH

title:Patch for Unknown Vulnerability in Siemens Desigo PXC and DXR Devices (CNVD-2022-37374)url:https://www.cnvd.org.cn/patchInfo/show/332651

Trust: 0.6

title:Multiple Siemens Product security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=194580

Trust: 0.6

sources: CNVD: CNVD-2022-37374 // CNNVD: CNNVD-202205-2983

EXTERNAL IDS

db:NVDid:CVE-2022-24045

Trust: 3.9

db:SIEMENSid:SSA-626968

Trust: 3.0

db:ICS CERTid:ICSA-22-132-10

Trust: 1.5

db:JVNid:JVNVU92977068

Trust: 0.8

db:JVNDBid:JVNDB-2022-010188

Trust: 0.8

db:CNVDid:CNVD-2022-37374

Trust: 0.6

db:AUSCERTid:ESB-2022.2349

Trust: 0.6

db:CS-HELPid:SB2022051124

Trust: 0.6

db:CNNVDid:CNNVD-202205-2983

Trust: 0.6

db:VULMONid:CVE-2022-24045

Trust: 0.1

sources: CNVD: CNVD-2022-37374 // VULMON: CVE-2022-24045 // JVNDB: JVNDB-2022-010188 // CNNVD: CNNVD-202205-2983 // NVD: CVE-2022-24045

REFERENCES

url:https://cert-portal.siemens.com/productcert/pdf/ssa-626968.pdf

Trust: 2.4

url:https://jvn.jp/vu/jvnvu92977068/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2022-24045

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-22-132-10

Trust: 0.8

url:https://cert-portal.siemens.com/productcert/html/ssa-626968.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.2349

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-22-132-10

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-24045/

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022051124

Trust: 0.6

url:https://www.cisa.gov/uscert/ics/advisories/icsa-22-132-10

Trust: 0.1

sources: CNVD: CNVD-2022-37374 // VULMON: CVE-2022-24045 // JVNDB: JVNDB-2022-010188 // CNNVD: CNNVD-202205-2983 // NVD: CVE-2022-24045

CREDITS

reported these vulnerabilities to CISA.,Andrea Palanca, of Nozomi Networks

Trust: 0.6

sources: CNNVD: CNNVD-202205-2983

SOURCES

db:CNVDid:CNVD-2022-37374
db:VULMONid:CVE-2022-24045
db:JVNDBid:JVNDB-2022-010188
db:CNNVDid:CNNVD-202205-2983
db:NVDid:CVE-2022-24045

LAST UPDATE DATE

2024-11-23T21:50:30.700000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2022-37374date:2022-05-16T00:00:00
db:JVNDBid:JVNDB-2022-010188date:2023-08-10T08:26:00
db:CNNVDid:CNNVD-202205-2983date:2022-06-02T00:00:00
db:NVDid:CVE-2022-24045date:2024-11-21T06:49:43.390

SOURCES RELEASE DATE

db:CNVDid:CNVD-2022-37374date:2022-05-16T00:00:00
db:JVNDBid:JVNDB-2022-010188date:2023-08-10T00:00:00
db:CNNVDid:CNNVD-202205-2983date:2022-05-11T00:00:00
db:NVDid:CVE-2022-24045date:2022-05-20T13:15:14.600