CVE-2016-9154
Last modified
CVE-2016-9154 is a vulnerability of currently unknown severity. Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D (All firmware versions < V6.00.046) and Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U (All firmware versions < V6.00.046) use a pseudo random number generator with insufficient entropy to generate certificates for HTTPS, potentially allowing remote attackers to reconstruct the corresponding private key.. EPSS estimates a 1.50% chance of exploitation in the next 30 days.
Description
Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D (All firmware versions < V6.00.046) and Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U (All firmware versions < V6.00.046) use a pseudo random number generator with insufficient entropy to generate certificates for HTTPS, potentially allowing remote attackers to reconstruct the corresponding private key.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Siemens | Desigo Web Module Pxa30-W0 Firmware | <= 6.00.00 |
| Siemens | Desigo Web Module Pxa30-W1 Firmware | <= 6.00.00 |
| Siemens | Desigo Web Module Pxa30-W2 Firmware | <= 6.00.00 |
| Siemens | Desigo Web Module Pxa40-W0 Firmware | <= 6.00.00 |
| Siemens | Desigo Web Module Pxa40-W1 Firmware | <= 6.00.00 |
| Siemens | Desigo Web Module Pxa40-W2 Firmware | <= 6.00.00 |
References
- http://www.securityfocus.com/bid/94962Third Party Advisory, VDB Entry
- http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-856492.pdfMitigation, Vendor Advisory
- https://ics-cert.us-cert.gov/advisories/ICSA-16-355-01Third Party Advisory, US Government Resource
- http://www.securityfocus.com/bid/94962Third Party Advisory, VDB Entry
- http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-856492.pdfMitigation, Vendor Advisory
- https://ics-cert.us-cert.gov/advisories/ICSA-16-355-01Third Party Advisory, US Government Resource
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2016-9154?
How severe is CVE-2016-9154?
How do I fix CVE-2016-9154?
Are you affected by CVE-2016-9154?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST