Siemens Nucleus RTOS-based APOGEE and TALON Products Improper Null Termination (CVE-2021-31887)

high Tenable OT Security Plugin ID 500561

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). FTP server does not properly validate the length of the PWD/XPWD command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0016)

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens recommends the following specific workarounds and mitigations users can apply to reduce the risk:

- Desigo products: update to v6.30.016 or later
- APOGEE PXC Compact (P2 Ethernet) and APOGEE PXC Modular (P2 Ethernet): update to v2.8.19 or later. Contact a Siemens office for support.
- TALON TC Compact (BACnet), TALON TC Modular (BACnet), APOGEE PXC Compact (BACnet), and APOGEE PXC Modular (BACnet):
update to v3.5.4 or later. Contact a Siemens office for support.

- CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address configuration instead (Note the DHCP client is disabled by default on APOGEE/TALON and Desigo products).
- CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note the FTP service is disabled by default on Desigo products).

As a general security measure Siemens strongly recommends protecting network access to affected products with appropriate mechanisms. It is advised to follow recommended security practices to run the devices in a protected IT environment.

For more information see Siemens Security Advisory SSA-114589

See Also

https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf

https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf

https://www.cisa.gov/news-events/ics-advisories/icsa-21-313-03

https://www.cisa.gov/news-events/ics-advisories/icsa-21-315-07

Plugin Details

Severity: High

ID: 500561

Version: 1.10

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 3/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-31887

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:apogee_modular_building_controller_firmware, cpe:/o:siemens:apogee_modular_equiment_controller_firmware, cpe:/o:siemens:apogee_pxc_compact_firmware:::~~bacnet~~~, cpe:/o:siemens:apogee_pxc_compact_firmware:::~~p2_ethernet~~~, cpe:/o:siemens:apogee_pxc_modular_firmware:::~~bacnet~~~, cpe:/o:siemens:apogee_pxc_modular_firmware:::~~p2_ethernet~~~, cpe:/o:siemens:desigo_pxc00-e.d_firmware, cpe:/o:siemens:desigo_pxc00-u_firmware, cpe:/o:siemens:desigo_pxc001-e.d_firmware, cpe:/o:siemens:desigo_pxc100-e.d_firmware, cpe:/o:siemens:desigo_pxc12-e.d_firmware, cpe:/o:siemens:desigo_pxc128-u_firmware, cpe:/o:siemens:desigo_pxc200-e.d_firmware, cpe:/o:siemens:desigo_pxc22-e.d_firmware, cpe:/o:siemens:desigo_pxc22.1-e.d_firmware, cpe:/o:siemens:desigo_pxc36.1-e.d_firmware, cpe:/o:siemens:desigo_pxc50-e.d_firmware, cpe:/o:siemens:desigo_pxc64-u_firmware, cpe:/o:siemens:desigo_pxm20-e_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 11/9/2021

Vulnerability Publication Date: 11/9/2021

Reference Information

CVE: CVE-2021-31887

CWE: 170