OTPulse

Siemens SIMOTICS, Desigo, APOGEE, and TALON

Action: Plan Patch
CVSS: 7.1
ICS-CERT: ICSA-20-105-06
Date: Apr 14, 2020
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMOTICS CONNECT 400, Desigo PowerPC-based controllers, APOGEE MEC/MBC/PXC, and TALON TC products contain a vulnerability in the DHCP client implementation (Mentor Nucleus Networking Module). The flaw allows improper input validation of DHCP responses, causing affected devices to become unresponsive or reboot. This impacts facility control systems that rely on these controllers for building automation, HVAC, and process management. Siemens has released firmware updates for most products; static IP configuration is available as an interim workaround. Products using P2 Ethernet protocol prior to version 2.8.2 have no patch available from the vendor.

What this means
What could happen
A flaw in the DHCP client used by these building automation and industrial control products could allow an attacker on the local network to cause the device to stop responding or reset, disrupting facility operations like HVAC control, power management, or process monitoring.
Who's at risk
Building automation operators using Siemens Desigo comfort control systems, facility managers relying on APOGEE and TALON controllers for HVAC and facility management, and manufacturers using SIMOTICS CONNECT 400 industrial motor controllers should assess their environment. This affects both distributed (PXC00/PXC12/PXC22/PXC50/PXC100/PXC128/PXC200 series) and modular/compact controllers in energy and building management sectors.
How it could be exploited
An attacker with network access to the local network segment containing the affected device could send a specially crafted DHCP response packet to trigger improper input handling in the DHCP client. This causes the device to become unresponsive or restart, interrupting normal operations.
Prerequisites
  • Network access to the local network segment (ARP/Layer 2 reachable, not necessarily routed)
  • DHCP client enabled on the device (note: disabled by default on most products except some P2 versions)
  • Device must be attempting DHCP address assignment or renewal
  • Remotely exploitable (from local network)
  • No authentication required
  • Low complexity attack
  • Affects device availability and operations
  • No patch available for APOGEE MEC/MBC/PXC (P2) versions prior to 2.8.2
  • DHCP enabled by default on some product lines
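The flaw class described above is a DHCP client that trusts the length fields inside a response. The block below is an added example, not Siemens, Mentor Nucleus or OTPulse code (the advisory does not publish the actual defect); it shows the bounds check a robust client applies while walking the DHCP options field, with constructed byte strings as input.

```c
/* Added example, not Siemens/Mentor Nucleus code: bounds-checked walk over
 * the DHCP options field. Every option's length is validated against the
 * bytes that remain before the option body is read. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DHCP_OPT_PAD 0
#define DHCP_OPT_END 255
#define DHCP_OPT_MSG_TYPE 53
/* Returns the number of options parsed on a well-formed field, -1 when an
 * option claims more bytes than remain, -2 when END (255) is missing.
 * msg_type (may be NULL) receives option 53 if present. */
int parse_dhcp_options(const uint8_t *opts, size_t len, uint8_t *msg_type)
{
    size_t i = 0;
    int count = 0;
    if (msg_type) *msg_type = 0;
    while (i < len) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_PAD) continue;
        if (code == DHCP_OPT_END) return count;
        if (i >= len) return -1;               /* no room for the length byte */
        uint8_t olen = opts[i++];
        if (olen > len - i) return -1;         /* body would run past the buffer */
        if (code == DHCP_OPT_MSG_TYPE && olen == 1 && msg_type) *msg_type = opts[i];
        i += olen;
        count++;
    }
    return -2;                                 /* ran off the end without END */
}

/* Constructed test inputs, not captured traffic: message type OFFER (2),
 * subnet mask 255.255.255.0, END. */
static const uint8_t good_opts[] = { 53, 1, 2, 1, 4, 255, 255, 255, 0, 255 };
/* Same layout, but the subnet-mask option claims 200 bytes with 4 present. */
static const uint8_t bad_opts[]  = { 53, 1, 2, 1, 200, 255, 255, 255, 0, 255 };
/* Convenience wrapper: message type of a well-formed field, or -1. */
int dhcp_message_type(const uint8_t *opts, size_t len)
{
    uint8_t t;
    return parse_dhcp_options(opts, len, &t) < 0 ? -1 : (int)t;
}

int main(void)
{
    printf("good: %d options, type %d\n", parse_dhcp_options(good_opts, sizeof good_opts, NULL), dhcp_message_type(good_opts, sizeof good_opts));
    printf("bad: %d\n", parse_dhcp_options(bad_opts, sizeof bad_opts, NULL));
    return 0;
}
```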
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (21)
20 with fix, 1 EOL

Product              | Affected Versions          | Fix Status
Desigo PXC22-E.D     | ≥ V2.3, < V6.0.327         | 6.0.327
Desigo PXC22.1-E.D   | ≥ V2.3, < V6.0.327         | 6.0.327
Desigo PXC36.1-E.D   | ≥ V2.3, < V6.0.327         | 6.0.327
Desigo PXC50-E.D     | ≥ V2.3, < V6.0.327         | 6.0.327
Desigo PXC64-U       | ≥ V2.3x and < V6.00.327    | 6.00.327
Remediation & Mitigation
Do now
WORKAROUND: Disable DHCP client and configure static IP addresses on all affected devices
HARDENING: Restrict network access to affected devices to authorized management and control networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMOTICS CONNECT 400
HOTFIX: Update SIMOTICS CONNECT 400 to version 0.3.0.330 or later
TALON TC Compact (BACnet)
HOTFIX: Update TALON TC Series (BACnet) to version 3.5.3 or later
HOTFIX: Update APOGEE PXC Series (BACnet) to version 3.5.3 or later
APOGEE PXC Compact (P2 Ethernet)
HOTFIX: Update APOGEE PXC Series (P2 Ethernet) to version 2.8.19 or later
All products
HOTFIX: Update Desigo products to firmware version 6.0.327 or later
Mitigations - no patch available
APOGEE MEC/MBC/PXC (P2) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment building automation and control system networks from the business network with firewalls