Vulnerability Details CVE-2016-9154
Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D (All firmware versions < V6.00.046) and Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U (All firmware versions < V6.00.046) use a pseudo random number generator with insufficient entropy to generate certificates for HTTPS, potentially allowing remote attackers to reconstruct the corresponding private key.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 74.2%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- http://www.securityfocus.com/bid/94962
- http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-856492.pdf
- https://ics-cert.us-cert.gov/advisories/ICSA-16-355-01
- http://www.securityfocus.com/bid/94962
- http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-856492.pdf
- https://ics-cert.us-cert.gov/advisories/ICSA-16-355-01
Products affected by CVE-2016-9154
-
cpe:2.3:a:siemens:desigo_web_module_pxa30-w0_firmware:*
-
cpe:2.3:a:siemens:desigo_web_module_pxa30-w1_firmware:*
-
cpe:2.3:a:siemens:desigo_web_module_pxa30-w2_firmware:*
-
cpe:2.3:a:siemens:desigo_web_module_pxa40-w0_firmware:*
-
cpe:2.3:a:siemens:desigo_web_module_pxa40-w1_firmware:*
-
cpe:2.3:a:siemens:desigo_web_module_pxa40-w2_firmware:*
-
cpe:2.3:h:siemens:desigo_web_module_pxa30-w0:-
-
cpe:2.3:h:siemens:desigo_web_module_pxa30-w1:-
-
cpe:2.3:h:siemens:desigo_web_module_pxa30-w2:-
-
cpe:2.3:h:siemens:desigo_web_module_pxa40-w0:-
-
cpe:2.3:h:siemens:desigo_web_module_pxa40-w1:-
-
cpe:2.3:h:siemens:desigo_web_module_pxa40-w2:-