Siemens BACnet Field Panels (Update A)
Plan Patch · 7.5 · ICS-CERT ICSA-17-285-05 · Oct 12, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple unauthenticated information disclosure vulnerabilities exist in APOGEE PXC Compact/Modular and TALON TC Compact/Modular field panels. Attackers can download sensitive information through the integrated webserver without credentials. Vulnerabilities affect BACnet and P2 Ethernet communication variants. Siemens has released firmware updates for BACnet versions (v3.5 or later) but no patch is available for P2 Ethernet variants.
What this means
What could happen
An attacker could download sensitive information (potentially configuration data, credentials, or process parameters) from the integrated webserver without authentication. This could expose your BACnet panel configurations and enable further attacks on building automation or HVAC control systems.
Who's at risk
Building automation technicians and facility managers at water utilities and municipal electric systems should focus on APOGEE PXC and TALON TC field panels used in HVAC, chilled water, or building automation systems. The P2 Ethernet variants have no patch and require immediate webserver disabling. BACnet versions have vendor patches available.
How it could be exploited
An attacker with network access to the affected panel's webserver port could directly request sensitive files without providing credentials. The vulnerability exists in the webserver's file access controls, allowing unauthenticated download of protected data.
Prerequisites
- Network access to the integrated webserver port on the APOGEE PXC or TALON TC device
- Webserver must be enabled (the default state)
remotely exploitable · no authentication required · low complexity · high EPSS score (10%) · no patch available for P2 Ethernet variants · affects building automation and process control
Exploitability
Moderate exploit probability (EPSS 10.0%)
Affected products (6)
4 with fix · 2 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| APOGEE PXC Compact (BACnet) | <V3.5 | 3.5 |
| APOGEE PXC Modular (BACnet) | <V3.5 | 3.5 |
| TALON TC Compact (BACnet) | <V3.5 | 3.5 |
| TALON TC Modular (BACnet) | <V3.5 | 3.5 |
| APOGEE PXC Compact (P2 Ethernet) | All versions | No fix (EOL) |
| APOGEE PXC Modular (P2 Ethernet) | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
APOGEE PXC Compact (P2 Ethernet)
WORKAROUND: Disable the integrated webserver on APOGEE PXC Compact (P2 Ethernet) devices where not needed
WORKAROUND: Disable the integrated webserver on APOGEE PXC Modular (P2 Ethernet) devices where not needed
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
APOGEE PXC Compact (BACnet)
HOTFIX: Update APOGEE PXC Compact (BACnet) to firmware version 3.5 or later
HOTFIX: Update APOGEE PXC Modular (BACnet) to firmware version 3.5 or later
HOTFIX: Update TALON TC Compact (BACnet) to firmware version 3.5 or later
HOTFIX: Update TALON TC Modular (BACnet) to firmware version 3.5 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: APOGEE PXC Compact (P2 Ethernet), APOGEE PXC Modular (P2 Ethernet). Apply the following compensating controls:
HARDENING: Implement network firewall rules to restrict access to the webserver port on affected devices
HARDENING: Isolate BACnet field panel networks from your business network with firewall segmentation
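
As an added example (not part of the advisory and not Siemens tooling), the following Python script applies the affected-products table and the remediation steps above to an asset inventory, so each panel is mapped to the action the advisory calls for. The record field names, panel names, action labels and firmware string formats are assumptions, and the sample inventory is constructed.

```python
import re

# Fix status from the advisory's table: BACnet variants are fixed in firmware
# 3.5; P2 Ethernet variants are EOL with no fix (None).
BACNET = ("APOGEE PXC Compact", "APOGEE PXC Modular",
          "TALON TC Compact", "TALON TC Modular")
P2_ETHERNET = ("APOGEE PXC Compact", "APOGEE PXC Modular")
FIXED_IN = {(m, "BACnet"): (3, 5) for m in BACNET}
FIXED_IN.update({(m, "P2 Ethernet"): None for m in P2_ETHERNET})

def parse_version(text):
    """'V3.4.2', 'v3.5' or '3.5' -> (3, 4, 2) / (3, 5); None if unparseable."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(panel):
    """Map one inventory record to the advisory's remediation step."""
    key = (panel["model"], panel["protocol"])
    if key not in FIXED_IN:
        return "not-listed"
    fixed = FIXED_IN[key]
    if fixed is None:
        # No firmware fix: disable the webserver where it is not needed,
        # otherwise rely on firewall restriction of the webserver port.
        return "restrict-access" if panel.get("webserver_needed") else "disable-webserver"
    have = parse_version(panel.get("firmware"))
    if have is None:
        return "verify-firmware"  # unknown version is unconfirmed, not safe
    width = max(len(have), len(fixed))  # pad so that 3.5 compares equal to 3.5.0
    have, fixed = (v + (0,) * (width - len(v)) for v in (have, fixed))
    return "ok" if have >= fixed else "update-to-3.5"

# Constructed sample inventory (names, versions and field names are assumptions).
INVENTORY = [
    {"name": "ahu-1", "model": "APOGEE PXC Compact", "protocol": "BACnet", "firmware": "V3.4.2"},
    {"name": "ahu-2", "model": "TALON TC Modular", "protocol": "BACnet", "firmware": "3.5.0"},
    {"name": "chw-1", "model": "APOGEE PXC Modular", "protocol": "P2 Ethernet", "firmware": "V2.8"},
    {"name": "chw-2", "model": "APOGEE PXC Compact", "protocol": "P2 Ethernet",
     "firmware": "V2.8", "webserver_needed": True},
    {"name": "vav-9", "model": "TALON TC Compact", "protocol": "BACnet", "firmware": ""},
    {"name": "lab-3", "model": "TALON TC Compact", "protocol": "P2 Ethernet", "firmware": "V2.8"},
]

def report(inventory):
    """Return {panel name: action} for every record."""
    return {p["name"]: triage(p) for p in inventory}

if __name__ == "__main__":
    for name, action in report(INVENTORY).items():
        print(f"{name}: {action}")
```

Versions are compared numerically per component, so a hypothetical "V3.10" is treated as later than 3.5, and a record with a missing or unreadable firmware string is flagged for verification instead of being counted as patched.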
CVEs (2)