CVE-2022-24042 in Desigo DXR2

Summary

by MITRE • 05/10/2022

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). The web application returns an AuthToken that does not expire at the defined auto logoff delay timeout. An attacker could be able to capture this token and re-use old session credentials or session IDs for authorization.


Analysis

by VulDB Data Team • 05/12/2022

This vulnerability affects multiple versions of Desigo series industrial control systems including DXR2, PXC3, PXC4, and PXC5 devices. The flaw resides in the authentication mechanism where the web application generates authentication tokens that remain valid beyond the configured auto logoff timeout period. This represents a critical session management weakness that directly violates established security principles for maintaining secure authentication states. The vulnerability allows for persistent unauthorized access as captured tokens can be reused long after the intended session expiration time has passed. According to CWE-613, this constitutes an insufficient session expiration vulnerability where the system fails to properly terminate sessions after predefined time intervals. The flaw enables attackers to maintain access to industrial control systems without proper authentication, creating potential risks for operational technology environments.

The technical implementation of this vulnerability stems from improper session lifecycle management within the web application layer of these industrial control systems. When users authenticate to the Desigo systems, the application generates an AuthToken that should respect the auto logoff delay timeout configuration. However, the token validation mechanism fails to properly check against the session expiration time, allowing tokens to remain active indefinitely. This creates a persistent authentication bypass opportunity where an attacker who captures a valid token can reuse it at any time without needing to re-authenticate. The vulnerability manifests as a failure in the session management subsystem to enforce time-based token expiration, which represents a fundamental flaw in the security architecture of these industrial control platforms. The issue is particularly concerning given that these systems typically operate in environments where unauthorized access could lead to operational disruptions or safety hazards.
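The failure described above is easiest to see as two versions of a server-side token check. The following is an added example, not Desigo firmware or Siemens code: the timeout values, the token store layout and the function names are assumptions chosen for illustration. The weak validator accepts any token the server still remembers, which is the CWE-613 pattern; the strict one enforces both the auto logoff (idle) delay and an absolute session lifetime, and deletes the server-side record so a captured copy of the token stops working.

```python
"""Added example (not Desigo code): session tokens with and without
time-based expiration.  Timeouts, store layout and names are assumptions."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

AUTO_LOGOFF_DELAY = 15 * 60   # assumed operator setting: 15 minutes idle
ABSOLUTE_LIFETIME = 8 * 3600  # assumed hard cap, regardless of activity


@dataclass
class Session:
    user: str
    issued_at: float   # epoch seconds when the token was issued
    last_seen: float   # epoch seconds of the last accepted request


def issue_token(store: Dict[str, Session], user: str, now: float) -> str:
    """Create an unguessable token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    store[token] = Session(user=user, issued_at=now, last_seen=now)
    return token


def validate_weak(store: Dict[str, Session], token: str, now: float) -> Optional[str]:
    """Insufficient session expiration: the token is accepted for as long as
    the server still has a record of it, so a captured token never goes stale."""
    sess = store.get(token)
    return sess.user if sess else None


def validate_strict(store: Dict[str, Session], token: str, now: float) -> Optional[str]:
    """Enforce the configured auto logoff delay and an absolute lifetime.
    Expired sessions are removed so the token cannot be replayed later."""
    sess = store.get(token)
    if sess is None:
        return None
    idle_expired = now - sess.last_seen > AUTO_LOGOFF_DELAY
    lifetime_expired = now - sess.issued_at > ABSOLUTE_LIFETIME
    if idle_expired or lifetime_expired:
        del store[token]          # terminate server-side, not just client-side
        return None
    sess.last_seen = now          # accepted request extends the idle window
    return sess.user


def logout(store: Dict[str, Session], token: str) -> None:
    """Explicit logout must also invalidate the server-side record."""
    store.pop(token, None)


if __name__ == "__main__":
    weak_store: Dict[str, Session] = {}
    strict_store: Dict[str, Session] = {}
    t0 = 1_000.0
    tw = issue_token(weak_store, "operator", t0)
    ts = issue_token(strict_store, "operator", t0)
    much_later = t0 + 10 * AUTO_LOGOFF_DELAY
    print("weak accepts stale token:", validate_weak(weak_store, tw, much_later))
    print("strict accepts stale token:", validate_strict(strict_store, ts, much_later))
```

The point of deleting the record on expiry is that a replayed token then fails for the same reason a never-issued one would; any client-side "auto logoff" that merely hides the UI leaves the server-side credential valid, which is exactly the behaviour the advisory describes.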

The operational impact of this vulnerability extends beyond simple unauthorized access to include potential compromise of industrial control processes and operational technology infrastructure. Attackers could exploit this weakness to maintain persistent access to critical control systems, potentially leading to unauthorized configuration changes, data manipulation, or disruption of industrial processes. The extended validity of authentication tokens increases the window of opportunity for attackers to perform malicious activities without detection. This vulnerability aligns with ATT&CK technique T1566 for initial access through credential harvesting and T1078 for valid accounts usage. The long-term persistence capability of this flaw makes it particularly dangerous for industrial environments where systems may operate continuously for extended periods, increasing the probability of token capture and reuse. Organizations using these vulnerable systems face significant risk of unauthorized access that could compromise operational integrity and safety protocols.

Mitigation strategies for this vulnerability should focus on immediate patch deployment to the affected versions of Desigo systems. Organizations must ensure all affected devices are updated to versions that properly implement session expiration mechanisms. Network segmentation and access controls should be implemented to limit exposure of these systems to unauthorized networks. Regular monitoring of authentication logs and session activity can help detect potential misuse of captured tokens. Implementing additional authentication layers such as multi-factor authentication would provide defense in depth against token-based attacks. Security teams should conduct comprehensive assessments of their industrial control environments to identify other potential session management vulnerabilities. The vulnerability demonstrates the importance of proper session management in industrial control systems and highlights the need for robust authentication mechanisms in operational technology environments. Organizations should also consider implementing automated session cleanup processes and regular security audits to prevent similar issues in other systems.
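The log-monitoring mitigation above can be made concrete with a small detection script. This is an added example, not a VulDB, Siemens or Splunk artefact: the log line format and the sample entries are constructed for the example, and the 15-minute auto logoff delay is an assumed device setting. The check flags two conditions that a correctly expiring session can never produce: a token accepted after its own logout, and a token accepted after a gap of activity longer than the configured auto logoff delay. Either is a signal that a captured token is being replayed, or that the device has not been updated to a fixed version.

```python
"""Added example (not vendor tooling): flag session tokens that are still
accepted after logout or after the auto logoff delay has elapsed.
Log format, sample lines and the timeout value are constructed assumptions."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

AUTO_LOGOFF_DELAY = timedelta(minutes=15)   # assumed device setting

# assumed log format: "<ISO-8601 UTC> token=<id> user=<name> action=<verb>"
LINE = re.compile(r"^(\S+) token=(\S+) user=(\S+) action=(\S+)")

# constructed sample: tok-A is replayed hours after its logout,
# tok-C is accepted after a 30-minute silence, tok-B behaves normally
SAMPLE_LOG = """\
2022-05-10T08:00:00Z token=tok-A user=operator action=login
2022-05-10T08:05:00Z token=tok-A user=operator action=read_setpoints
2022-05-10T08:10:00Z token=tok-A user=operator action=logout
2022-05-10T09:00:00Z token=tok-B user=tech action=login
2022-05-10T09:05:00Z token=tok-B user=tech action=read_alarms
2022-05-10T09:12:00Z token=tok-B user=tech action=read_alarms
2022-05-10T10:00:00Z token=tok-C user=tech action=login
2022-05-10T10:30:00Z token=tok-C user=tech action=read_alarms
2022-05-10T11:30:00Z token=tok-A user=operator action=write_setpoints
"""

Event = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse matching lines and return them in chronological order."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # ignore lines in other formats
        ts, token, user, action = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), token, user, action))
    events.sort(key=lambda e: e[0])
    return events


def find_stale_token_use(events: List[Event], auto_logoff: timedelta = AUTO_LOGOFF_DELAY) -> List[dict]:
    """Return one finding per accepted request that a properly expiring
    session could not have produced."""
    last_seen: Dict[str, datetime] = {}
    logged_out = set()
    findings: List[dict] = []
    for ts, token, user, action in events:
        reasons = []
        if action != "login":
            if token in logged_out:
                reasons.append("used_after_logout")
            prev = last_seen.get(token)
            if prev is not None and ts - prev > auto_logoff:
                reasons.append("gap_exceeds_auto_logoff")
        if reasons:
            findings.append({"token": token, "user": user, "time": ts,
                             "action": action, "reasons": reasons})
        if action == "logout":
            logged_out.add(token)
        elif action == "login":
            logged_out.discard(token)
        last_seen[token] = ts
    return findings


if __name__ == "__main__":
    for f in find_stale_token_use(parse_log(SAMPLE_LOG)):
        print(f"{f['time'].isoformat()} {f['user']} {f['token']} {f['action']}: {', '.join(f['reasons'])}")
```

Both conditions are worth keeping: the gap rule catches replay of a session that was simply abandoned without logout, while the logout rule catches the case where the operator did log out and the device still honoured the token. On a patched device neither should ever fire, so a single hit is actionable rather than noise.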

Reservation

01/27/2022

Disclosure

05/10/2022

Moderation

accepted

CPE

ready

EPSS

0.00899

KEV

no

Activities

very low
