Siemens Desigo PX Web modules

Yesterday the DHS ICS-CERT published a control system security advisory for an insufficient entropy vulnerability in the Siemens Desigo PX Web modules. The vulnerability was reported by Marcella Hastings, Joshua Fried, and Nadia Heninger from the University of Pennsylvania. Siemens has produced a firmware update to mitigate the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that while the vulnerability is remotely exploitable, that an exploit would be difficult to craft. A successful exploit could allow an attacker to recover private keys used for HTTPS in the integrated web server.

Siemens reported this vulnerability in a tweet last Friday. The Siemens security advisory notes that the Desigo PX Web modules are used in building automation systems

NOTE: Over the last year there has been an increasing number of exploit reports from university programs. It would seem that there is an increase in the number of academic programs looking at control system security issues. This is certainly a plus for the community; both in the terms of vulnerability reports, but also in the number of people explicitly being trained in control system security issues.