Siemens APOGEE and TALON Buffer Copy Without Checking Size of Input (CVE-2021-27391)

critical Tenable OT Security Plugin ID 500597

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A vulnerability has been identified in APOGEE MBC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE MEC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3).
The web server of affected devices lacks proper bounds checking when parsing the Host parameter in HTTP requests, which could lead to a buffer overflow. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the device with root privileges.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens recommends updating the following products to v3.5.3 or later (login required):

- APOGEE PXC Compact (BACnet)
- APOGEE PXC Modular (BACnet)
- TALON TC Compact (BACnet)
- TALON TC Modular (BACnet)

For products not listed above, Siemens has recommended the following workarounds and mitigations:

- Contact a Siemens office for support.
- Restrict access to the device, especially to the web interface. 80/TCP and 443/TCP should only be connected to trusted IP addresses.
- Disable the integrated web server.

As a general security measure, Siemens strongly recommends protecting network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices to run the devices in a protected IT environment.

For more information, see Siemens Security Advisory SSA-944498.

See Also

https://cert-portal.siemens.com/productcert/pdf/ssa-944498.pdf

https://www.cisa.gov/news-events/ics-advisories/icsa-21-257-07

Plugin Details

Severity: Critical

ID: 500597

Version: 1.10

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 4/11/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-27391

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:apogee_mbc_%28ppc%29_%28p2_ethernet%29_firmware, cpe:/o:siemens:apogee_mec_%28ppc%29_%28p2_ethernet%29_firmware, cpe:/o:siemens:apogee_pxc_bacnet_automation_controller_firmware, cpe:/o:siemens:apogee_pxc_compact_%28p2_ethernet%29_firmware, cpe:/o:siemens:apogee_pxc_modular_%28bacnet%29_firmware, cpe:/o:siemens:apogee_pxc_modular_%28p2_ethernet%29_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 9/14/2021

Vulnerability Publication Date: 9/14/2021

Reference Information

CVE: CVE-2021-27391

CWE: 120