In February 2022, a critical vulnerability was discovered affecting certain Siemens Desigo building automation controllers—specifically, the DXR2, PXC3, PXC4, and PXC5 product lines. These are devices responsible for managing and controlling environmental and security systems in “smart buildings.” The flaw, cataloged as CVE-2022-24040, revolves around improper handling of the password hashing mechanism, PBKDF2.
Let’s break this down step by step: what went wrong, what it means, and how an attacker can cause a serious denial of service (DoS), even without full administrative access.
What is PBKDF2?
PBKDF2 (Password-Based Key Derivation Function 2) is a cryptographic algorithm used to hash passwords. It takes the password, some random data (called a salt), and a “cost factor,” then does a lot of complex math to turn your password into a long string of data. The higher the cost factor, the more CPU work it takes to hash (and check) the password.
Normally:
Applications set an upper limit on this cost factor so it’s hard for hackers to brute-force passwords, but not so high that it freezes the system whenever a user logs in.
The Siemens Desigo Mistake
In affected Siemens Desigo products (all DXR2, PXC3, PXC4, PXC5 versions *below* specific firmware—see below for details), the web interface allowed users with “user profile access” privileges to set the PBKDF2 cost factor as high as they like. There was no built-in upper bound.
Attacker (or victim) tries to log in to the account.
The web server now needs to perform millions or billions of cryptographic hash operations to check the password. This completely hogs the CPU and makes the device unresponsive.
#### Even if there is only a single core or limited resources, this can lock up the entire automation controller — reboot required.
A (Simplified) Code Example
Below is *not* Siemens source code, but a simplified Python example to show how lacking an upper limit can break things:
import hashlib
def hash_password(password, salt, iterations):
# PBKDF2 hashing
return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, iterations)
# What should happen (safe):
MIN_ITER = 100
MAX_ITER = 100000 # Upper bound
user_input_iterations = int(input("Enter PBKDF2 cost: "))
if user_input_iterations < MIN_ITER or user_input_iterations > MAX_ITER:
raise ValueError("Invalid cost factor!")
else:
hash_password("password123", b"randomsalt", user_input_iterations)
# What Siemens did (unsafe):
user_input_iterations = int(input("Enter PBKDF2 cost: "))
hash_password("password123", b"randomsalt", user_input_iterations)
In the “unsafe” approach, a user can supply any number, even a billion, causing massive CPU load.
Exploit Example: Quick Steps
> Warning: Do NOT try this on production systems!
Log in with a user account that has “user profile” editing rights.
2. Edit your password, but in the request payload, set the PBKDF2 cost (may be called “iterations” or “rounds”) to a huge number.
Now attempt to log in again (with your new password).
5. Watch the CPU spike. This can slow or freeze the whole controller—no more automation, no more building controls.
References and Further Information
- Siemens Advisory SSA-872232
- NVD CVE-2022-24040 Details
- PBKDF2 Wikipedia
Mitigation
Siemens fixed this issue in firmware updates after early 2022. Upgrade your Desigo DXR2, PXC3, PXC4, and PXC5 devices to the versions mentioned above or newer.
*Do not expose building controllers directly to the internet. Restrict user rights, monitor for unusual account activity, and always set password requirements according to best practices.*
Conclusion
CVE-2022-24040 highlights how a small oversight in password handling can let attackers cause huge disruption, even if they’re not full administrators. For anyone running smart buildings or critical infrastructure, patching is essential—not just for this bug, but to stay ahead of the next one.
Have questions about securing building automation gear? Want more detailed exploit code? Drop a line in the comments.
Timeline
Published on: 05/10/2022 11:15:00 UTC
Last modified on: 05/20/2022 14:15:00 UTC