OTPulse

Siemens APOGEE and TALON

Plan PatchCVSS 9.8ICS-CERT ICSA-21-257-07Sep 14, 2021
SiemensEnergy
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

A buffer overflow vulnerability exists in the integrated web server of APOGEE MBC, MEC, PXC (Compact and Modular) and TALON TC (Compact and Modular) devices when configured for P2 Ethernet or BACnet protocols. The vulnerability allows remote code execution with root privileges without authentication. Siemens has released firmware version 3.5.3 for BACnet variants of PXC and TALON TC devices. However, no fixes are available for APOGEE MBC, MEC, or the P2 Ethernet variants of PXC and TALON TC. Siemens recommends disabling the web server, restricting access to ports 80 and 443 to trusted addresses, and implementing network segmentation as compensating controls.

What this means
What could happen
An attacker with network access to the web interface could execute arbitrary commands with root privileges on APOGEE and TALON automation controllers, potentially disrupting HVAC, building automation, or energy management systems that depend on these devices for setpoint control and operational oversight.
Who's at risk
Water authorities and utilities operating Siemens APOGEE or TALON building automation and energy management systems. This includes facilities using APOGEE MBC/MEC controllers with P2 Ethernet connectivity, APOGEE PXC Compact/Modular controllers (BACnet or P2 Ethernet), and TALON TC Compact/Modular controllers for HVAC control, energy monitoring, or facility management. Impacts both small municipal systems and large enterprise campuses.
How it could be exploited
An attacker sends a specially crafted request to the integrated web server (port 80 or 443) of a vulnerable device. The buffer overflow in the web server allows the attacker to inject and execute arbitrary code with root-level privileges on the device. No authentication is required.
Prerequisites
  • Network reachability to the device on port 80/TCP or 443/TCP
  • Device running a vulnerable firmware version
  • Web server enabled (default state)
Remotely exploitableNo authentication requiredLow complexity attackHigh CVSS score (9.8)No patch available for P2 Ethernet variantsAffects building/energy management systems
Exploitability
Some exploitation risk — EPSS score 2.9%
Affected products (8)
4 with fix4 EOL
ProductAffected VersionsFix Status
APOGEE PXC Compact (BACnet)<V3.5.33.5.3
APOGEE MBC (PPC) (P2 Ethernet)≥ V2.6.3No fix (EOL)
APOGEE MEC (PPC) (P2 Ethernet)≥ V2.6.3No fix (EOL)
APOGEE PXC Compact (P2 Ethernet)≥ V2.8No fix (EOL)
APOGEE PXC Modular (BACnet)<V3.5.33.5.3
TALON TC Compact (BACnet)<V3.5.33.5.3
TALON TC Modular (BACnet)<V3.5.33.5.3
APOGEE PXC Modular (P2 Ethernet)≥ V2.8No fix (EOL)
Remediation & Mitigation
0/5
Do now
0/2
WORKAROUNDDisable the integrated web server on affected devices where firmware updates are not available or not yet deployed
HARDENINGRestrict network access to ports 80/TCP and 443/TCP to trusted IP addresses only; implement firewall rules to block untrusted connections
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

APOGEE PXC Compact (BACnet)
HOTFIXUpdate APOGEE PXC Compact (BACnet), APOGEE PXC Modular (BACnet), TALON TC Compact (BACnet), and TALON TC Modular (BACnet) devices to firmware version 3.5.3 or later
All products
WORKAROUNDContact Siemens support for additional guidance on products where updates are not available
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: APOGEE MBC (PPC) (P2 Ethernet), APOGEE MEC (PPC) (P2 Ethernet), APOGEE PXC Compact (P2 Ethernet), APOGEE PXC Modular (P2 Ethernet). Apply the following compensating controls:
HARDENINGIsolate affected devices on a protected network segment separated from the business network and internet-facing systems
View full CISA ICS-CERT advisory
API: /api/v1/advisories/af00b051-e7a0-4843-b900-531854ee7460

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.