Siemens Desigo CC

Plan PatchCVSS 9.8ICS-CERT ICSA-20-224-06Aug 11, 2020

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Siemens Desigo CC and Desigo CC Compact versions 3.x and 4.x contain a code injection vulnerability in the advanced reporting extension module. An unauthenticated attacker on the network can exploit this to execute arbitrary code on the building management server. The vulnerability exists in versions 3.x and 4.x; no fixed versions are currently available from Siemens. Users must either avoid installing the reporting extension until a patched version is released, or apply available patches if distributed through Siemens' customer portal (details require Siemens login).

What this means

What could happen

An unauthenticated attacker on the network could execute arbitrary code on the Desigo CC building management system, potentially allowing them to alter HVAC, lighting, fire, or safety setpoints and disable building operations. This affects all connected building automation subsystems.

Who's at risk

Building automation operators and facility managers using Siemens Desigo CC or Desigo CC Compact versions 3.x and 4.x should prioritize this issue. The vulnerability affects building management systems that control HVAC, lighting, fire suppression, and other building systems in commercial buildings, hospitals, data centers, and industrial facilities.

How it could be exploited

An attacker with network access to the Desigo CC management server (typically port 80/443) can trigger code injection through the advanced reporting extension module without authentication. The attacker sends a specially crafted request that causes the server to execute arbitrary commands with the same privileges as the Desigo CC service.

Prerequisites

Network reachability to Desigo CC web interface (port 80 or 443)
Advanced reporting extension module installed on the Desigo CC system
No authentication required

remotely exploitableno authentication requiredlow complexityhigh CVSS score (9.8)affects safety systemsno patch available for affected versions

Exploitability

Some exploitation risk — EPSS score 2.7%

Affected products (4)

4 pending

ProductAffected VersionsFix Status

Desigo CC: V4.xV4.xNo fix yet

Desigo CC: V3.xV3.xNo fix yet

Desigo CC Compact: V4.xV4.xNo fix yet

Desigo CC Compact: V3.xV3.xNo fix yet

Remediation & Mitigation

0/6

Do now

0/3

WORKAROUNDIf advanced reporting extension is not yet installed: Do not install the reporting extension module from current Desigo CC/Compact deliveries until you receive an updated version with the patch included

HARDENINGRestrict network access to Desigo CC servers using firewall rules; only allow connections from authorized engineering workstations and administrative devices

HARDENINGIsolate Desigo CC systems from the business network and ensure they are not accessible from the Internet

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXFor Version 4.x systems: Apply the latest patch from Siemens through your customer portal with a scheduled maintenance window

HOTFIXFor Version 3.x systems: Apply the latest patch from Siemens through your customer portal with a scheduled maintenance window

Long-term hardening

0/1

HARDENINGIf remote access is required, use a VPN with current security patches and restrict access to specific authorized personnel

CVEs (1)

CVE-2020-10055

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/12ce33e1-7491-4d5d-8f82-ba24d775f788

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.