Siemens SIMOTICS, Desigo, APOGEE, and TALON

Plan Patch
CVSS 7.1
ICS-CERT ICSA-20-105-06
Nov 12, 2019
Siemens
Energy
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMOTICS CONNECT 400, Desigo PowerPC-based controllers, APOGEE MEC/MBC/PXC, and TALON TC products contain a vulnerability in the DHCP client implementation (Mentor Nucleus Networking Module). The flaw is improper input validation of DHCP responses: a malformed response can cause affected devices to become unresponsive or reboot. This impacts facility control systems that rely on these controllers for building automation, HVAC, and process management. Siemens has released firmware updates for most products; static IP configuration is available as an interim workaround. Products using the P2 Ethernet protocol prior to version 2.8.2 have no patch available from the vendor.

What this means
What could happen
A flaw in the DHCP client used by these building automation and industrial control products could allow an attacker on the local network to cause the device to stop responding or reset, disrupting facility operations like HVAC control, power management, or process monitoring.
Who's at risk
Building automation operators using Siemens Desigo comfort control systems, facility managers relying on APOGEE and TALON controllers for HVAC and facility management, and manufacturers using SIMOTICS CONNECT 400 industrial motor controllers should assess their environment. This affects both distributed (PXC00/PXC12/PXC22/PXC50/PXC100/PXC128/PXC200 series) and modular/compact controllers in energy and building management sectors.
How it could be exploited
An attacker with network access to the local network segment containing the affected device could send a specially crafted DHCP response packet to trigger improper input handling in the DHCP client. This causes the device to become unresponsive or restart, interrupting normal operations.
Prerequisites
  • Network access to the local network segment (ARP/Layer 2 reachable, not necessarily routed)
  • DHCP client enabled on the device (note: disabled by default on most products except some P2 versions)
  • Device must be attempting DHCP address assignment or renewal
  • Remotely exploitable (from local network)
  • No authentication required
  • Low complexity attack
  • Affects device availability and operations
  • No patch available for APOGEE MEC/MBC/PXC (P2) versions prior to 2.8.2
  • DHCP enabled by default on some product lines
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (26)
22 with fix, 4 EOL
Product | Affected Versions | Fix Status
Capital Embedded AR Classic R20-11 | < V2303 | 2303
Nucleus ReadyStart V3 | < V2017.02.3 | 2017.02.3
Capital Embedded AR Classic 431-422 | All versions | No fix (EOL)
Nucleus NET | All versions | No fix (EOL)
Nucleus Source Code | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable the DHCP client and configure static IP addresses on all affected devices
HARDENING: Restrict network access to affected devices to authorized management and control networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMOTICS CONNECT 400
HOTFIX: Update SIMOTICS CONNECT 400 to version 0.3.0.330 or later
TALON TC Compact (BACnet)
HOTFIX: Update TALON TC Series (BACnet) to version 3.5.3 or later
HOTFIX: Update APOGEE PXC Series (BACnet) to version 3.5.3 or later
APOGEE PXC Compact (P2 Ethernet)
HOTFIX: Update APOGEE PXC Series (P2 Ethernet) to version 2.8.19 or later
All products
HOTFIX: Update Desigo products to firmware version 6.0.327 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Capital Embedded AR Classic 431-422, Nucleus NET, Nucleus Source Code, APOGEE MEC/MBC/PXC (P2). Apply the following compensating controls:
HARDENING: Segment building automation and control system networks from the business network with firewalls
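Two things a defender wants to check on a control-system segment after reading this advisory: whether controllers are still requesting leases (the workaround above is static addressing), and whether DHCP server replies on the wire carry malformed options, the input-validation failure class the summary describes. The following added example (not Siemens' or Mentor's code, and not tied to any specific product behaviour) is a strict DHCP parser with a small triage routine over constructed sample payloads; in practice the payloads would come from UDP port 67/68 traffic on a mirror port.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY, OPT_PAD, OPT_MSG_TYPE, OPT_END = 1, 2, 0, 53, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse a DHCP payload (UDP data); every bounds violation goes into 'errors'."""
    r = {"op": None, "chaddr": None, "type": None, "errors": []}
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        r["errors"].append("short packet or missing magic cookie")
        return r
    r["op"], hlen = payload[0], min(payload[2], 16)  # chaddr field is 16 bytes
    r["chaddr"] = payload[28:28 + hlen].hex(":")
    i, end = 240, len(payload)
    while i < end:
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1] if i + 1 < end else None
        if length is None or i + 2 + length > end:  # the check a fragile client skips
            r["errors"].append(f"option {code} truncated or overruns packet")
            break
        if code == OPT_MSG_TYPE and length == 1:
            r["type"] = MSG_TYPES.get(payload[i + 2], f"type {payload[i + 2]}")
        i += 2 + length
    else:
        r["errors"].append("options not terminated by END")
    return r

def triage(payloads):
    # Returns (MACs still doing DHCP, error lists from malformed server replies)
    still_dhcp, malformed = set(), []
    for p in payloads:
        r = parse_dhcp(p)
        if r["op"] == BOOTREQUEST and r["chaddr"]:
            still_dhcp.add(r["chaddr"])
        if r["op"] == BOOTREPLY and r["errors"]:
            malformed.append(r["errors"])
    return sorted(still_dhcp), malformed

def _frame(op, mac, options):  # constructed BOOTP header + magic cookie + options
    return bytes([op, 1, 6, 0]) + b"\x00" * 24 + mac + b"\x00" * 202 + DHCP_MAGIC + options

SAMPLES = [  # constructed samples, not captured from any real device
    _frame(1, bytes.fromhex("0050c2aabbcc"), bytes([53, 1, 1, 255])),      # DISCOVER from a controller
    _frame(2, bytes.fromhex("0050c2aabbcc"), bytes([53, 1, 2, 255])),      # well-formed OFFER
    _frame(2, bytes.fromhex("0050c2aabbcc"), bytes([53, 1, 5, 12, 200])),  # ACK: option length overruns packet
    _frame(2, bytes.fromhex("0050c2aabbcc"), bytes([53, 1, 5])),           # ACK: options never terminated
]
```

A controller MAC appearing in the first list means the static-IP workaround has not been applied to it; entries in the second list are server replies that a robust client must reject rather than trust.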