Vulnerabilities > CVE-2016-9154 - Insufficient Entropy in PRNG vulnerability in Siemens products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

siemens

CWE-332

NVD

Published: 2016-12-23

Updated: 2019-10-09

Summary

Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D (All firmware versions < V6.00.046) and Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U (All firmware versions < V6.00.046) use a pseudo random number generator with insufficient entropy to generate certificates for HTTPS, potentially allowing remote attackers to reconstruct the corresponding private key.

Vulnerable Configurations

Part	Description	Count
Application	Siemens Siemens Desigo WEB Module Pxa30 W0 Firmware * Siemens Desigo WEB Module Pxa30 W1 Firmware * Siemens Desigo WEB Module Pxa30 W2 Firmware * Siemens Desigo WEB Module Pxa40 W0 Firmware * Siemens Desigo WEB Module Pxa40 W1 Firmware * Siemens Desigo WEB Module Pxa40 W2 Firmware *	6
Hardware	Siemens Siemens Desigo WEB Module Pxa30 W0 - Siemens Desigo WEB Module Pxa30 W1 - Siemens Desigo WEB Module Pxa30 W2 - Siemens Desigo WEB Module Pxa40 W0 - Siemens Desigo WEB Module Pxa40 W1 - Siemens Desigo WEB Module Pxa40 W2 -	6

Common Weakness Enumeration (CWE)

CWE-332 - Insufficient Entropy in PRNG

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References