CVE-2016-9154

Insufficient Entropy in PRNG

Published: Dec 23, 2016 | Modified: Oct 09, 2019
CVSS 3.x: 7.5 HIGH
Source: NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x: 5 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N

Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D (All firmware versions < V6.00.046) and Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U, PXC64-U, PXC128-U (All firmware versions < V6.00.046) use a pseudo random number generator with insufficient entropy to generate certificates for HTTPS, potentially allowing remote attackers to reconstruct the corresponding private key.

Weakness

The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Desigo_web_module_pxa30-w0_firmware | Siemens | * | 6.00.00 (including) |
| Desigo_web_module_pxa30-w1_firmware | Siemens | * | 6.00.00 (including) |
| Desigo_web_module_pxa30-w2_firmware | Siemens | * | 6.00.00 (including) |
| Desigo_web_module_pxa40-w0_firmware | Siemens | * | 6.00.00 (including) |
| Desigo_web_module_pxa40-w1_firmware | Siemens | * | 6.00.00 (including) |
| Desigo_web_module_pxa40-w2_firmware | Siemens | * | 6.00.00 (including) |