Nozomi Networks Labs

Vulnerability Advisories

Siemens PXC4.E16 Session Cookie Attribute Issues – CVE-2022-24045

After a successful login, the application sets the session cookie in the browser from client-side JavaScript code, without applying any security attributes (such as “Secure”, “HttpOnly”, or “SameSite”); note that a cookie written from JavaScript cannot carry the HttpOnly flag at all, so the flag can only be applied by the server. Any attempt to browse the application over unencrypted HTTP therefore transmits the user’s session cookies in plaintext across the network, where an attacker able to sniff the traffic could capture them.
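As an added example (not code from the advisory or from the Siemens product), the following script checks a Set-Cookie header for the protections the advisory says are missing and builds a hardened replacement that only the server can emit. The cookie name, value and lifetime are constructed for illustration.

```python
# Added example: audit a Set-Cookie header for Secure/HttpOnly/SameSite and
# build a hardened one. The cookie below is constructed, not captured.
from typing import Dict, Set

REQUIRED_FLAGS = {"secure", "httponly"}
SAMESITE_OK = {"strict", "lax"}


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie header into {lowercase attribute: value} ('' for flags)."""
    parts = [p.strip() for p in header.split(";")]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:          # parts[0] is the name=value pair itself
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def missing_cookie_protections(header: str) -> Set[str]:
    """Return the protections a session cookie header lacks."""
    attrs = parse_set_cookie(header)
    missing = {flag for flag in REQUIRED_FLAGS if flag not in attrs}
    # SameSite=None (or no SameSite at all) leaves the cookie usable cross-site
    if attrs.get("samesite", "").lower() not in SAMESITE_OK:
        missing.add("samesite")
    return missing


def hardened_set_cookie(name: str, value: str, max_age: int) -> str:
    """Server-side Set-Cookie with Secure, HttpOnly and SameSite=Strict.
    document.cookie cannot set HttpOnly, so this must come from the server."""
    return (f"{name}={value}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Strict")


# Constructed header of the kind a client-side document.cookie write produces
WEAK = "sessionId=0123456789abcdef; Path=/"

if __name__ == "__main__":
    print("weak cookie lacks:", sorted(missing_cookie_protections(WEAK)))
    fixed = hardened_set_cookie("sessionId", "0123456789abcdef", 900)
    print(fixed, "lacks:", missing_cookie_protections(fixed))
```

The check is deliberately strict about SameSite: a cookie with `SameSite=None` is reported as missing the protection, since that value opts the cookie back into cross-site requests.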

Siemens PXC4.E16 Lack of anti-Password Spraying and Credential Stuffing Mechanism – CVE-2022-24044

The login functionality of the application does not employ any countermeasures against Password Spraying or Credential Stuffing attacks (no rate limiting, throttling or lockout). An attacker who has obtained a list of valid usernames on the device (for example through the username enumeration issue described below, CVE-2022-24043) could then perform a precise Password Spraying or Credential Stuffing attack in order to obtain access to at least one account.

Siemens PXC4.E16 Username Enumeration through Response Timing – CVE-2022-24043

The login functionality of the application fails to normalize the response times of login attempts performed with wrong usernames with those of attempts performed with valid usernames. A remote unauthenticated attacker could exploit this timing side channel to perform a username enumeration attack and identify valid usernames.
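The two login findings above call for the same fix at the same place, so here is one added example serving both (it is not the product's code and the PBKDF2 details are only an assumption about how passwords might be stored). The handler always performs a full PBKDF2 verification, against a dummy record when the username does not exist, so the unknown-user and wrong-password paths cost the same time; it also counts failures per account and per source address and throttles once either counter passes a threshold. Usernames, passwords, addresses and thresholds are constructed.

```python
# Added example: login with uniform response time and spraying/stuffing
# throttling. Not the product's code; thresholds and PBKDF2 use are assumptions.
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Dict, List, Optional

ITERATIONS = 100_000            # kept low so the example runs quickly; raise in production
MAX_FAILURES_PER_ACCOUNT = 5    # stuffing: one account, many passwords
MAX_FAILURES_PER_SOURCE = 20    # spraying: many accounts, one source
WINDOW_SECONDS = 900


def make_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LoginService:
    def __init__(self, users: Dict[str, str]):
        self.salts = {u: os.urandom(16) for u in users}
        self.hashes = {u: make_hash(p, self.salts[u]) for u, p in users.items()}
        # Dummy credential verified when the username does not exist, so the
        # unknown-user path does the same PBKDF2 work as the known-user path.
        self.dummy_salt = os.urandom(16)
        self.dummy_hash = make_hash(os.urandom(16).hex(), self.dummy_salt)
        self.failures: Dict[str, List[float]] = defaultdict(list)  # key -> timestamps

    def _recent_failures(self, key: str, now: float) -> int:
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        return len(self.failures[key])

    def login(self, username: str, password: str, source: str,
              now: Optional[float] = None) -> str:
        """Return 'ok', 'invalid' or 'throttled'. 'now' is injectable for tests."""
        now = time.time() if now is None else now
        if self._recent_failures("src:" + source, now) >= MAX_FAILURES_PER_SOURCE:
            return "throttled"
        if self._recent_failures("acct:" + username, now) >= MAX_FAILURES_PER_ACCOUNT:
            return "throttled"
        salt = self.salts.get(username, self.dummy_salt)
        expected = self.hashes.get(username, self.dummy_hash)
        ok = hmac.compare_digest(make_hash(password, salt), expected)
        if ok and username in self.hashes:
            self.failures["acct:" + username].clear()
            return "ok"
        self.failures["acct:" + username].append(now)
        self.failures["src:" + source].append(now)
        return "invalid"   # same message for unknown user and wrong password


if __name__ == "__main__":
    svc = LoginService({"alice": "correct horse battery staple"})
    for user in ("alice", "nobody"):        # both paths run one PBKDF2 computation
        t0 = time.perf_counter()
        result = svc.login(user, "wrong-password", "192.0.2.10")
        print(f"{user:>7}: {result} in {time.perf_counter() - t0:.3f}s")
```

Per-account lockout is itself a denial-of-service lever (an attacker can lock out a real user by guessing badly on purpose), so a time window with progressive delays, as here, is preferable to a permanent lock; the per-source counter is what actually catches spraying, where each account sees only one or two attempts.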

Siemens PXC4.E16 Insufficient Session Expiration – CVE-2022-24042

The web application returns an AuthToken that does not expire when the configured auto-logoff delay elapses. An attacker who captures this token could re-use old session credentials or session IDs for authorization.
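An added example (not the product's code) of a server-side session store that enforces both the auto-logoff (idle) delay and an absolute lifetime, so that a captured token stops being honoured once either limit passes; the timeout values and the token format are assumptions.

```python
# Added example: session tokens invalidated server-side on idle and absolute
# timeouts. Timeout values are assumed; 'now' is injectable for testing.
import secrets
import time
from typing import Dict, Optional

IDLE_TIMEOUT = 600           # auto-logoff delay in seconds (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap regardless of activity


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 random bits, not guessable
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live token, or None. Expired tokens are purged,
        so a replayed old token is refused even if the clock is later rolled back."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", now=0.0)
    print(store.validate(tok, now=500.0))    # alice: within the idle delay
    print(store.validate(tok, now=1700.0))   # None: idle for 1200 s > 600 s
```

The point is that expiry lives in the server's table, not only in a client-side timer: a token that the browser has forgotten is still dead on the server, which is what the advisory says is missing.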

Siemens PXC4.E16 Weak PBKDF2 Default Cost Factor – CVE-2022-24041

The web application stores the PBKDF2-derived keys of users’ passwords with a low iteration count. An attacker with the user profile access privilege can retrieve the stored password hashes of other accounts and then perform an offline cracking attack to recover the plaintext passwords of other users.

Siemens PXC4.E16 DoS through Insufficiently-Constrained PBKDF2 Cost Factor – CVE-2022-24040

The web application fails to enforce an upper bound on the cost factor of the PBKDF2-derived key during the creation or update of an account. An attacker with the user profile access privilege could cause a denial of service (DoS) condition through CPU consumption by storing a PBKDF2-derived key with an extremely high cost factor and then attempting a login to the modified account.
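The two PBKDF2 findings are two sides of one missing check, so a single added example covers both (it is not the product's code; the stored record format `pbkdf2_sha256$<iterations>$<salt>$<key>`, the bounds and the profile-update path are assumptions). The iteration count is validated against a floor and a ceiling whenever a record is written or read, so a weak default cannot be stored and an attacker-supplied record with a billion iterations is rejected before the login path ever spends the CPU.

```python
# Added example: bounded PBKDF2 cost factor on write and on read.
# Record format and limits are assumptions, not the product's.
import base64
import hashlib
import hmac
import os
import time

MIN_ITERATIONS = 600_000      # floor: OWASP guidance for PBKDF2-HMAC-SHA256
MAX_ITERATIONS = 2_000_000    # ceiling: caps the CPU one login attempt can burn
DEFAULT_ITERATIONS = 600_000


class InvalidHashParameters(ValueError):
    pass


def check_iterations(iterations: int) -> None:
    if not MIN_ITERATIONS <= iterations <= MAX_ITERATIONS:
        raise InvalidHashParameters(
            f"iteration count {iterations} outside [{MIN_ITERATIONS}, {MAX_ITERATIONS}]")


def encode_hash(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Create a stored record; rejects weak or absurd cost factors up front."""
    check_iterations(iterations)
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def parse_hash(stored: str):
    """Parse a record, e.g. one submitted through a profile update, and
    re-validate its parameters: never trust a cost factor from storage."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise InvalidHashParameters("unsupported algorithm")
    iterations = int(iters)
    check_iterations(iterations)
    return iterations, base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify(password: str, stored: str) -> bool:
    iterations, salt, dk = parse_hash(stored)   # raises before any heavy work
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    iterations, dklen=len(dk))
    return hmac.compare_digest(candidate, dk)


def seconds_per_login(iterations: int, sample: int = 10_000) -> float:
    """Estimate the CPU time one login would cost at a given iteration count."""
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"x", b"s" * 16, sample)
    return (time.perf_counter() - t0) * iterations / sample


if __name__ == "__main__":
    rec = encode_hash("correct horse battery staple")
    print("verify:", verify("correct horse battery staple", rec))
    print("login at %d iterations ~ %.2fs" % (DEFAULT_ITERATIONS, seconds_per_login(DEFAULT_ITERATIONS)))
    print("login at 2e9 iterations ~ %.0fs" % seconds_per_login(2_000_000_000))
```

`seconds_per_login` is there to make the DoS concrete: scale the measured cost of a few thousand iterations up to the count an attacker could store, and compare it with the ceiling the code enforces.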

Siemens PXC4.E16 XLS Injection – CVE-2022-24039

The “addCell” JavaScript function fails to properly sanitize user-controllable input before including it in the generated XML body of the XLS report document, so it is possible to inject arbitrary content (e.g., XML tags) into the generated file. An attacker with restricted privileges, by poisoning any of the content used to generate XLS reports, could leverage the application to deliver malicious files to higher-privileged users and obtain Remote Code Execution (RCE) on the administrator’s workstation.
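An added example (in Python rather than the product's JavaScript, and not the product's code) of the cell-generation flaw beside its fix. `add_cell_unsafe` concatenates the value into the XML body the way the advisory describes; `add_cell_safe` XML-escapes it and, as an extra defence for spreadsheet clients, prefixes cells that begin with a formula trigger with an apostrophe. The SpreadsheetML-style markup and the payload are constructed for illustration.

```python
# Added example: unsafe vs. escaped cell generation for an XML-based XLS report.
# Markup and payload are constructed; the product's real format is not shown here.
import xml.etree.ElementTree as ET
from typing import Callable, List
from xml.sax.saxutils import escape

SS_NS = "urn:schemas-microsoft-com:office:spreadsheet"
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def add_cell_unsafe(value: str) -> str:
    """Mirrors the flaw: the value goes straight into the XML body."""
    return '<Cell><Data ss:Type="String">' + value + "</Data></Cell>"


def neutralize_formula(value: str) -> str:
    """Prefix with an apostrophe so spreadsheet clients treat the cell as text."""
    return "'" + value if value.startswith(FORMULA_TRIGGERS) else value


def add_cell_safe(value: str) -> str:
    """XML-escape the (formula-neutralized) value before it enters the document."""
    text = escape(neutralize_formula(value), {'"': "&quot;"})
    return '<Cell><Data ss:Type="String">' + text + "</Data></Cell>"


def build_row(values: List[str], add_cell: Callable[[str], str]) -> str:
    return '<Row xmlns:ss="%s">%s</Row>' % (SS_NS, "".join(add_cell(v) for v in values))


def cell_texts(row_xml: str) -> List[str]:
    """Parse a row back and return the text of each cell it actually contains."""
    root = ET.fromstring(row_xml)
    return [cell.find("Data").text for cell in root.findall("Cell")]


# Constructed poisoned value: closes the current cell and opens a second one
PAYLOAD = 'PXC4</Data></Cell><Cell><Data ss:Type="String">=SUM(1,2)'

if __name__ == "__main__":
    print("unsafe:", cell_texts(build_row([PAYLOAD], add_cell_unsafe)))  # two cells
    print("safe:  ", cell_texts(build_row([PAYLOAD], add_cell_safe)))    # one cell
```

Parsing the generated row back is the useful check here: with the unsafe builder one poisoned value becomes two cells, the second of which starts with `=`; with the safe builder the whole string stays inside the one cell it was meant for.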

uClibc, uClibc-ng libraries have monotonically increasing DNS transaction IDs – CVE-2022-30295

The uClibc and uClibc-ng libraries use predictable DNS transaction IDs when making DNS requests, which exposes them to DNS cache poisoning: an attacker who can predict the next ID can forge a response that the vulnerable resolver accepts.
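As an added example (not part of the advisory or of uClibc), the following script extracts the 16-bit transaction ID from raw DNS query messages and flags a client whose IDs advance by a constant stride, which is the kind of predictability the advisory describes; it then shows the next ID an attacker would guess. The query messages are constructed with a minimal builder, not captured from a real device.

```python
# Added example: detect predictable (constant-stride) DNS transaction IDs in
# a sequence of queries. Sample queries are constructed, not captured.
import struct
from typing import List, Optional


def build_query(txid: int, name: str) -> bytes:
    """Minimal standard query: header, QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def dns_txid(message: bytes) -> int:
    """The transaction ID is the first 16 bits of the DNS header."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", message[:2])[0]


def stride(txids: List[int], min_samples: int = 4) -> Optional[int]:
    """Return the constant stride between consecutive IDs (mod 2^16),
    or None if fewer than min_samples IDs or the stride varies."""
    if len(txids) < min_samples:
        return None
    deltas = {(b - a) & 0xFFFF for a, b in zip(txids, txids[1:])}
    if len(deltas) != 1 or deltas == {0}:
        return None
    return deltas.pop()


def is_predictable(txids: List[int]) -> bool:
    return stride(txids) is not None


def predict_next(txids: List[int]) -> Optional[int]:
    s = stride(txids)
    return None if s is None else (txids[-1] + s) & 0xFFFF


if __name__ == "__main__":
    # Constructed: six queries from a client whose IDs simply count upward
    seq = [build_query(0x2A00 + i, "example.com") for i in range(6)]
    ids = [dns_txid(m) for m in seq]
    print("observed:", [hex(i) for i in ids])
    print("predictable:", is_predictable(ids), "next guess:", hex(predict_next(ids)))
```

Random IDs (the fix uClibc-ng adopted is to randomize them) produce many distinct deltas and are reported as unpredictable; the `& 0xFFFF` keeps the check correct when a counter wraps past 0xFFFF.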

VU#473698 | Blog

Valmet DNA Remote Code Execution – CVE-2021-26726

A remote code execution vulnerability affecting a Valmet DNA service listening on TCP port 1517 allows an attacker to execute commands with SYSTEM privileges.

Threat Intelligence

Curated and maintained by Nozomi Networks Labs, the Threat Intelligence™ service provides threat and vulnerability updates to Guardian, making it easy for IT/OT professionals to stay on top of current OT and IoT risks.

Threat actors love finding new ways to attack critical infrastructure. We love finding new ways to detect their malware before damage occurs.

Andrea Carcano & Moreno Carullo
Co-founders, Nozomi Networks