Full Report
Several Desigo PXC/PXM devices contain a vulnerability that could allow remote attackers to upload malicious firmware without prior authentication. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Unauthenticated Firmware Upload in Siemens Desigo PX Controllers
## CVE Details
- **CVE ID:** CVE-2018-4834
- **CVSS Score:** 9.8 (Critical)
- **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P
- **CWE:** CWE-306: Missing Authentication for Critical Function
## Affected Systems
- **Products:** Siemens Desigo PX Controllers (PXC and PXM series)
  - Desigo PXC00-E.D, PXC001-E.D
  - Desigo PXC12-E.D, PXC22-E.D, PXC22.1-E.D
  - Desigo PXC36.1-E.D, PXC50-E.D, PXC64-U, PXC128-U
- **Versions:**
  - All versions prior to V4.10.111
  - All versions prior to V5.0.171
  - All versions prior to V5.10.69
  - All versions prior to V6.0.204
- **Configurations:** For PXC00/64/128-U models, the vulnerability exists specifically when the **web module** is in use.
## Vulnerability Description
The affected Desigo PX devices fail to require authentication for the firmware update function. A remote attacker with network access to the device can exploit this flaw by sending a specially crafted request to upload a new, potentially malicious firmware image. Because the device does not verify the identity of the user initiating the upload, the attacker can gain full control over the device's operating software.
## Exploitation
- **Status:** PoC available (the CVSS temporal metric "E:P" indicates that proof-of-concept exploit code exists).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Total compromise of device data)
- **Integrity:** High (Ability to modify device logic and firmware)
- **Availability:** High (Ability to brick the device or disrupt building automation processes)
## Remediation
### Patches
Siemens recommends updating affected products to the following versions (or later):
- **V4.x series:** Update to V4.10.111
- **V5.0 series:** Update to V5.0.171
- **V5.1 series:** Update to V5.10.69
- **V6.x series:** Update to V6.0.204
*Firmware can be obtained via Siemens customer support or local partners.*
### Workarounds
The advisory does not list specific technical workarounds beyond the patches; however, standard ICS security practices apply:
- Restrict network access to the affected devices to trusted users/segments only.
- Ensure devices are not directly accessible from the internet.
## Detection
- **Indicators of Compromise:** Unexpected device reboots, unauthorized changes to device configuration, or presence of unknown firmware versions.
- **Detection methods and tools:** Monitor network traffic for unauthorized firmware upload attempts (typically large HTTP POST requests to the device's maintenance or update endpoints, especially from hosts outside the engineering network). Review device logs for administrative actions where the device supports them.
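The detection idea above, as an added example that is not part of the advisory: because the device accepts the upload without authenticating the sender, a log of the HTTP traffic carries no credential to check, so the detector keys on the shape of the request (POST, update-style path or firmware-sized body) and on whether the source sits in the trusted engineering segment. The log format, the subnets and the endpoint path patterns are assumptions, not values from the advisory.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log (format assumed): timestamp src dst method path status request_bytes
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.20.0.15 10.20.1.40 GET /index.html 200 512
2024-05-01T10:00:09Z 10.20.0.15 10.20.1.40 POST /firmware/upload 200 2097152
2024-05-01T10:01:12Z 192.0.2.77 10.20.1.40 POST /maintenance/update 200 4194304
2024-05-01T10:02:30Z 10.20.0.15 10.20.1.40 POST /config/save 200 900
"""

# Assumed topology: controllers live in CONTROLLER_NET, only the engineering
# workstation subnet may legitimately push firmware (the "restrict network access"
# workaround expressed as an allowlist). Path patterns are placeholders.
CONTROLLER_NET = ipaddress.ip_network("10.20.1.0/24")
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
UPDATE_PATH = re.compile(r"/(firmware|update|upgrade|maintenance)", re.IGNORECASE)
LARGE_BODY = 1_000_000  # bytes; a firmware image dwarfs a configuration POST

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    path: str
    size: int
    severity: str  # "high" = untrusted source, "review" = trusted source, verify change record


def detect_firmware_uploads(log_text: str) -> list[Alert]:
    """Flag POSTs to controllers that look like firmware uploads."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if ipaddress.ip_address(m["dst"]) not in CONTROLLER_NET:
            continue
        size = int(m["bytes"])
        if not (UPDATE_PATH.search(m["path"]) or size >= LARGE_BODY):
            continue  # ordinary POST, e.g. saving a setting
        src = ipaddress.ip_address(m["src"])
        severity = "review" if any(src in n for n in TRUSTED_NETS) else "high"
        alerts.append(Alert(m["ts"], m["src"], m["dst"], m["path"], size, severity))
    return alerts


if __name__ == "__main__":
    for a in detect_firmware_uploads(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.src} -> {a.dst} {a.path} ({a.size} bytes)")
```

Even a "review" hit from the trusted segment deserves a check against the change calendar, since the device itself will not have recorded who initiated the upload.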
## References
- **Vendor Advisory:** SSA-824231
- **Advisory Link:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-824231[.]pdf
- **CWE-306 Details:** hxxps://cwe[.]mitre[.]org/data/definitions/306[.]html
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories