cnvd - cnvd-2019-40514

cnvd-2019-40514

Vulnerability from cnvd

Title

Siemens Desigo PX Web远程拒绝服务漏洞

Description

Desigo-PX自动化站和操作员单元控制和监控楼宇自动化系统。它们允许报警信号、基于时间的程序和趋势记录。 Siemens Desigo PX Web存在远程拒绝服务漏洞。攻击者可通过向web服务器端口（tcp/80）发送构建的HTTP消息，在该设备的web服务器上造成拒绝服务条件。

Severity

中

Patch Name

Siemens Desigo PX Web远程拒绝服务漏洞的补丁

Patch Description

Desigo-PX自动化站和操作员单元控制和监控楼宇自动化系统。它们允许报警信号、基于时间的程序和趋势记录。 Siemens Desigo PX Web存在远程拒绝服务漏洞。攻击者可通过向web服务器端口（tcp/80）发送构建的HTTP消息，在该设备的web服务器上造成拒绝服务条件。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可参考如下供应商提供的安全公告获得补丁信息： https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf

Reference

https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf

Impacted products

Name
['Siemens PXA40-W2 < V6.00.320', 'Siemens PXA40-W1 < V6.00.320', 'Siemens PXC200-E.D with De-sigo PX Web modules PXA40-W0 < V6.00.320', 'Siemens PXC100-E.D < V6.00.320', 'Siemens PXC50-E.D < V6.00.320', 'Siemens PXC00-E.D < V6.00.320', 'Siemens PXA30-W2 < V6.00.320', 'Siemens PXA30-W1 < V6.00.320', 'Siemens PXC128-U with Desigo PX Web mod-ules PXA30-W0 < V6.00.320', 'Siemens PXC64-U < V6.00.320', 'Siemens PXC00-U < V6.00.320', 'Siemens PXC36.1-E.D with activated webserver < V6.00.320', 'Siemens PXC36-E.D < V6.00.320', 'Siemens PXC22.1-E.D < V6.00.320']

Name

['Siemens PXA40-W2 < V6.00.320', 'Siemens PXA40-W1 < V6.00.320', 'Siemens PXC200-E.D with De-sigo PX Web modules PXA40-W0 < V6.00.320', 'Siemens PXC100-E.D < V6.00.320', 'Siemens PXC50-E.D < V6.00.320', 'Siemens PXC00-E.D < V6.00.320', 'Siemens PXA30-W2 < V6.00.320', 'Siemens PXA30-W1 < V6.00.320', 'Siemens PXC128-U with Desigo PX Web mod-ules PXA30-W0 < V6.00.320', 'Siemens PXC64-U < V6.00.320', 'Siemens PXC00-U < V6.00.320', 'Siemens PXC36.1-E.D with activated webserver < V6.00.320', 'Siemens PXC36-E.D < V6.00.320', 'Siemens PXC22.1-E.D < V6.00.320']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-13927"
    }
  },
  "description": "Desigo-PX\u81ea\u52a8\u5316\u7ad9\u548c\u64cd\u4f5c\u5458\u5355\u5143\u63a7\u5236\u548c\u76d1\u63a7\u697c\u5b87\u81ea\u52a8\u5316\u7cfb\u7edf\u3002\u5b83\u4eec\u5141\u8bb8\u62a5\u8b66\u4fe1\u53f7\u3001\u57fa\u4e8e\u65f6\u95f4\u7684\u7a0b\u5e8f\u548c\u8d8b\u52bf\u8bb0\u5f55\u3002\n\nSiemens Desigo PX Web\u5b58\u5728\u8fdc\u7a0b\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411web\u670d\u52a1\u5668\u7aef\u53e3\uff08tcp/80\uff09\u53d1\u9001\u6784\u5efa\u7684HTTP\u6d88\u606f\uff0c\u5728\u8be5\u8bbe\u5907\u7684web\u670d\u52a1\u5668\u4e0a\u9020\u6210\u62d2\u7edd\u670d\u52a1\u6761\u4ef6\u3002",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-40514",
  "openTime": "2019-11-14",
  "patchDescription": "Desigo-PX\u81ea\u52a8\u5316\u7ad9\u548c\u64cd\u4f5c\u5458\u5355\u5143\u63a7\u5236\u548c\u76d1\u63a7\u697c\u5b87\u81ea\u52a8\u5316\u7cfb\u7edf\u3002\u5b83\u4eec\u5141\u8bb8\u62a5\u8b66\u4fe1\u53f7\u3001\u57fa\u4e8e\u65f6\u95f4\u7684\u7a0b\u5e8f\u548c\u8d8b\u52bf\u8bb0\u5f55\u3002\r\n\r\nSiemens Desigo PX Web\u5b58\u5728\u8fdc\u7a0b\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411web\u670d\u52a1\u5668\u7aef\u53e3\uff08tcp/80\uff09\u53d1\u9001\u6784\u5efa\u7684HTTP\u6d88\u606f\uff0c\u5728\u8be5\u8bbe\u5907\u7684web\u670d\u52a1\u5668\u4e0a\u9020\u6210\u62d2\u7edd\u670d\u52a1\u6761\u4ef6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Siemens Desigo PX Web\u8fdc\u7a0b\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Siemens PXA40-W2 \u003c V6.00.320",
      "Siemens PXA40-W1 \u003c V6.00.320",
      "Siemens  PXC200-E.D with De-sigo PX Web modules PXA40-W0 \u003c V6.00.320",
      "Siemens  PXC100-E.D \u003c V6.00.320",
      "Siemens PXC50-E.D \u003c V6.00.320",
      "Siemens PXC00-E.D \u003c V6.00.320",
      "Siemens PXA30-W2 \u003c V6.00.320",
      "Siemens PXA30-W1 \u003c V6.00.320",
      "Siemens PXC128-U with Desigo PX Web mod-ules PXA30-W0 \u003c V6.00.320",
      "Siemens PXC64-U \u003c V6.00.320",
      "Siemens PXC00-U \u003c V6.00.320",
      "Siemens   PXC36.1-E.D  with  activated  webserver \u003c V6.00.320",
      "Siemens PXC36-E.D \u003c V6.00.320",
      "Siemens  PXC22.1-E.D \u003c V6.00.320"
    ]
  },
  "referenceLink": "https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf",
  "serverity": "\u4e2d",
  "submitTime": "2019-11-13",
  "title": "Siemens Desigo PX Web\u8fdc\u7a0b\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2019-13927 (GCVE-0-2019-13927)

Vulnerability from cvelistv5

Published

2019-12-12 13:19

Modified

2024-08-05 00:05

Severity ?

CWE

CWE-472 - External Control of Assumed-Immutable Web Parameter

Summary

A vulnerability has been identified in Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D with Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 (All firmware versions < V6.00.320), Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U with Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 (All firmware versions < V6.00.320), Desigo PX automation controllers PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D with activated web server (All firmware versions < V6.00.320). The device contains a vulnerability that could allow an attacker to cause a denial of service condition on the device's web server by sending a specially crafted HTTP message to the web server port (tcp/80). The security vulnerability could be exploited by an attacker with network access to an affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the availability of the device's web service. While the device itself stays operational, the web server responds with HTTP status code 404 (Not found) to any further request. A reboot is required to recover the web interface. At the time of advisory publication no public exploitation of this security vulnerability was known.

References

URL

Tags

https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf

x_refsource_MISC

Impacted products

Vendor

Product

Version

Siemens AG

Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D with Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2

Version: All firmware versions < V6.00.320

	Siemens AG	Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U with Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2	Version: All firmware versions < V6.00.320
	Siemens AG	Desigo PX automation controllers PXC22.1-E.D, PXC36-E.D, PXC36.1-E.D with activated web server	Version: All firmware versions < V6.00.320

Show details on NVD website