
Disruptions likely from Siemens building automation controller flaw abuse

SecurityWeek reports that malicious actors could exploit a medium-severity vulnerability in Siemens Desigo PXC4.E16 programmable building automation controllers to make the device unavailable for days. Nozomi Networks researchers discovered that the flaw, tracked as CVE-2022-24040, could be abused to "make the device unavailable for days just by attempting a login," and that further exploitation could prolong the downtime. "It is also possible that threat actors can attack BAS while simultaneously launching a catastrophic attack on other industrial control systems (ICS) within a facility. If the fire alarm system or other systems are DDoSed, it could intensify a cyber-physical attack," said Nozomi researchers. Siemens has already issued fixes for the bug, which lies in the device's use of the PBKDF2 key derivation function to protect user passwords. "The web application fails to enforce an upper bound to the cost factor of the PBKDF2 derived key during the creation or update of an account. An attacker with the user profile access privilege could cause a denial of service (DoS) condition through CPU consumption by setting a PBKDF2 derived key with a remarkably high cost effort and then attempting a login to the so-modified account," said Siemens.
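The root cause Siemens describes is a missing upper bound on a user-controlled cost factor. The following added example, which is not Siemens' or Nozomi's code, shows the mitigation from the defender's side: the PBKDF2 iteration count is validated against a policy window before any key derivation runs, both when an account is created or updated and again at login, so a stored account cannot turn every authentication attempt into a long CPU burn. The bound values, the in-memory account store and the function names are assumptions for the illustration.

```python
"""Enforcing an upper bound on the PBKDF2 cost factor at account creation.

Added illustration, not Siemens' or Nozomi's code. The account store, the
limit values and the function names are assumptions for the example.
"""
import hashlib
import hmac
import os

# Assumed policy bounds (illustrative, not Siemens' values): PBKDF2-HMAC-SHA256
# iteration counts outside this window are rejected before the key derivation
# ever runs, so a stored account cannot make each login take seconds or more.
MIN_ITERATIONS = 10_000
MAX_ITERATIONS = 600_000

# In-memory stand-in for the device's user database (constructed for the example).
ACCOUNTS: dict[str, dict] = {}


def validate_cost_factor(iterations: int) -> int:
    """Reject cost factors outside the policy window; return the accepted value."""
    if not isinstance(iterations, int) or isinstance(iterations, bool):
        raise ValueError("iterations must be an integer")
    if iterations < MIN_ITERATIONS or iterations > MAX_ITERATIONS:
        raise ValueError(
            f"PBKDF2 cost factor {iterations} outside allowed range "
            f"[{MIN_ITERATIONS}, {MAX_ITERATIONS}]"
        )
    return iterations


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 with a 32-byte output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def set_password(username: str, password: str, iterations: int = 200_000) -> None:
    """Create or update an account. The bound check runs BEFORE any derivation,
    so an out-of-policy request costs nothing and leaves the account unchanged."""
    iterations = validate_cost_factor(iterations)
    salt = os.urandom(16)
    ACCOUNTS[username] = {
        "salt": salt,
        "iterations": iterations,
        "key": derive_key(password, salt, iterations),
    }


def verify_login(username: str, password: str) -> bool:
    """Verify a login. As defence in depth the stored cost factor is re-checked,
    so a record written by older firmware without the check is refused rather
    than derived with an enormous iteration count."""
    record = ACCOUNTS.get(username)
    if record is None:
        return False
    try:
        validate_cost_factor(record["iterations"])
    except ValueError:
        return False
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


if __name__ == "__main__":
    set_password("operator", "correct horse battery staple")
    print(verify_login("operator", "correct horse battery staple"))
    try:
        set_password("operator", "x", iterations=2_000_000_000)
    except ValueError as exc:
        print("rejected:", exc)
```

The login-time re-check matters for the upgrade path: a device patched after accounts were already written with an oversized cost factor should refuse those records (and prompt a reset) rather than honour them, otherwise the fix only protects accounts created after the update.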
