CVE-2022-24040: Denial of Service Vulnerability in Desigo DXR2, PXC3, PXC4, and PXC5 Web Applications

The vulnerability, designated as CVE-2022-24040, occurs when the web applications fail to enforce an upper bound on the cost factor of the PBKDF2 derived key during the creation or update of user accounts. This vulnerability presents an opportunity for attackers with user profile access privileges to cause a denial of service (DoS) condition via CPU consumption by setting a cost factor with a remarkably high value and then attempting to log in to the modified account.

Consider the following code snippet that demonstrates the issue in the affected web applications

import hashlib
import os

# Example PBKDF2 derived key with a high cost factor
password = "password"
salt = os.urandom(16)
iterations = 100000
key_length = 64
derived_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, key_length)

In this example, the iterations variable represents the cost factor of the PBKDF2 derived key, which in this case is set to 100000. When attackers create or update user accounts with cost factors in the upper range or greater, they can subsequently trigger a denial of service condition when attempting to log in to these accounts.

For more information on this vulnerability, refer to the following Siemens resources

- Siemens Security Advisory: SSA-730923
- CVE Record: CVE-2022-24040

Mitigation

Users of the affected Siemens web applications are advised to update their software to the latest version as soon as possible:

Desigo PXC5: Update to version V02.20.142.10-10884 or higher

Additionally, users are encouraged to restrict and monitor account access, particularly for user accounts with elevated privileges, to minimize the risk of unauthorized account manipulation or exploitation.

Conclusion

The CVE-2022-24040 vulnerability found in Siemens Desigo DXR2, PXC3, PXC4, and PXC5 web applications presents a significant risk to system integrity by allowing attackers with user account access to cause a denial of service condition. To protect their systems, users should update to the latest software version and implement strict access control and monitoring for user accounts with elevated privileges.

Timeline

Published on: 05/10/2022 11:15:00 UTC
Last modified on: 05/20/2022 14:15:00 UTC