Detections
Analytics
Siemens Mentor Nucleus Networking Module Improper Input Validation (CVE-2019-13939)
high Tenable OT Security Plugin ID 500407
Synopsis
The remote OT asset is affected by a vulnerability.Description
A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Series (BACnet) (All versions < V3.5.3), APOGEE PXC Series (P2) (All versions >= V2.8.2 and < V2.8.19), Desigo PXC00-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC00-U (All versions >= V2.3x and < V6.00.327), Desigo PXC001-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC100-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC12-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC128-U (All versions >= V2.3x and < V6.00.327), Desigo PXC200-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC22-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC22.1-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC36.1-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC50-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC64-U (All versions >= V2.3x and < V6.00.327), Desigo PXM20-E (All versions >= V2.3x and < V6.00.327), Nucleus NET (All versions), Nucleus RTOS (All versions), Nucleus ReadyStart for ARM, MIPS, and PPC (All versions < V2017.02.2 with patch Nucleus 2017.02.02 Nucleus NET Patch), Nucleus SafetyCert (All versions), Nucleus Source Code (All versions), SIMOTICS CONNECT 400 (All versions < V0.3.0.330), TALON TC Series (BACnet) (All versions < V3.5.3), VSTAR (All versions). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value. The vulnerability could affect availability and integrity of the device.Adjacent network access is required, but no authentication and no user interaction is needed to conduct an attack.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
Solution
The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.Siemens recommends installing the following software updates to address this vulnerability.
Nucleus NET:
- Avoid using DHCP Client of Nucleus NET or upgrade Nucleus ReadyStart and apply the corresponding patch.
Nucleus RTOS:
- Avoid using DHCP Client of Nucleus NET, or upgrade Nucleus ReadyStart and apply the corresponding patch.
Nucleus ReadyStart for ARM, MIPS, and PPC:
- Upgrade to v2017.02.2 and install the patch “Nucleus 2017.02.02 Nucleus NET Patch.” Updated firmware versions can be obtained from Mentor supportcenter at (login required):
https://support.mentor.com/en/product/1009925838/downloads
Nucleus SafetyCert:
- Nucleus SafetyCert is not affected since it leverages the LWNET stack, which is not affected. The Nucleus SafetyCert bundle, however, does include a copy of Nucleus ReadyStart to allow easier prototyping, which is affected.
Nucleus Source Code:
- Avoid using DHCP Client of Nucleus NET.
VSTAR:
- Contact customer support to receive patch and update instructions.
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ Operational Guidelines for Industrial Security and to follow the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at:
https://www.siemens.com/industrialsecurity
For more information on this vulnerability and more detailed mitigation instructions, please see Siemens security advisory SSA-434032 at the following location:
http://www.siemens.com/cert/advisories
See Also
https://cert-portal.siemens.com/productcert/pdf/ssa-434032.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-162506.pdf
https://us-cert.cisa.gov/ics/advisories/icsa-20-105-06
https://www.cisa.gov/news-events/ics-advisories/icsa-19-318-01
Plugin Details
Severity: High
ID: 500407
Version: 1.8
Type: remote
Family: Tenable.ot
Published: 2/7/2022
Updated: 3/4/2024
Supported Sensors: Tenable OT Security
Risk Information
VPR
Risk Factor: Medium
Score: 4.2
CVSS v2
Risk Factor: Medium
Base Score: 4.8
Temporal Score: 3.5
Vector: CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:P
CVSS Score Source: CVE-2019-13939
CVSS v3
Risk Factor: High
Base Score: 7.1
Temporal Score: 6.2
Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:siemens:apogee_modular_building_controller_firmware, cpe:/o:siemens:apogee_modular_equiment_controller_firmware, cpe:/o:siemens:apogee_pxc_firmware, cpe:/o:siemens:desigo_pxc_firmware, cpe:/o:siemens:desigo_pxm20_firmware
Required KB Items: Tenable.ot/Siemens
Exploit Ease: No known exploits are available
Patch Publication Date: 1/16/2020
Vulnerability Publication Date: 1/16/2020
Reference Information
CVE: CVE-2019-13939