OTPulse

Siemens Climatix POL909

Rating: Monitor
Score: 6.5
Source: ICS-CERT ICSA-22-069-07
Published: Mar 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in Siemens Climatix POL909 (AWM and AWB modules) allow an unauthenticated attacker to perform cross-site scripting (XSS) attacks to hijack user sessions and redirect to malicious webpages, or allow an authenticated attacker to access sensitive files through improper access controls. The vulnerabilities affect the web management interface of the building automation controller. Siemens has released firmware updates to address both issues.

What this means
What could happen
An unauthenticated attacker could hijack user sessions and redirect them to a malicious webpage to steal credentials or deploy malware. An authenticated attacker could access sensitive files on the building automation controller.
Who's at risk
Building automation technicians and facilities managers using Siemens Climatix POL909 controllers (AWB or AWM modules) in office buildings, hospitals, schools, and data centers should update immediately. Any facility relying on the POL909 for HVAC or building system control is affected.
How it could be exploited
An attacker on the network sends a crafted request to the Climatix POL909 web interface. The unauthenticated XSS attack (CWE-79) injects malicious JavaScript that executes in users' browsers when they visit the controller's management page, redirecting them to a fake login page or malicious site. Alternatively, an attacker with valid credentials exploits access control flaws (CWE-284) to read restricted files from the device.
Prerequisites
  • Network access to the Climatix POL909 web interface (TCP port 80 or 443)
  • For unauthenticated hijacking: no credentials required
  • For sensitive file access: valid user credentials for the POL909 management interface
Tags: remotely exploitable; low complexity; no authentication required for hijacking attack; web-based interface vulnerable
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2)
2 with fix
Product                        Affected Versions   Fix Status
Climatix POL909 (AWB module)   < V11.44            11.44
Climatix POL909 (AWM module)   < V11.36            11.36
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the Climatix POL909 management interface using firewall rules; allow only authorized engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Climatix POL909 (AWB module)
HOTFIX: Update Climatix POL909 (AWB module) to firmware version 11.44 or later
Climatix POL909 (AWM module)
HOTFIX: Update Climatix POL909 (AWM module) to firmware version 11.36 or later
Long-term hardening
HARDENING: Isolate the Climatix POL909 building automation network from the business network using a DMZ or air gap
HARDENING: If remote access to the POL909 is required, use a VPN with strong authentication and encryption
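As an added example that is not part of the OTPulse advisory or of Siemens' own guidance, the following nftables ruleset implements the network-restriction workaround above on a Linux firewall placed between the engineering VLAN and the building automation segment. The controller address (10.10.20.15) and the engineering workstation subnet (10.10.5.0/24) are assumed placeholders; replace them with your own values.

```nft
# Added example (not from the advisory): allowlist access to the POL909 web interface.
# Assumptions: the firewall forwards traffic between the engineering VLAN and the
# building automation segment; the controller is at 10.10.20.15 (placeholder) and
# authorized engineering workstations live in 10.10.5.0/24 (placeholder).
table inet bas_filter {
    set eng_workstations {
        type ipv4_addr
        flags interval
        elements = { 10.10.5.0/24 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow replies and already-established flows in both directions
        ct state established,related accept

        # Only authorized engineering workstations may open new connections
        # to the controller's web management interface (TCP 80/443)
        ip saddr @eng_workstations ip daddr 10.10.20.15 tcp dport { 80, 443 } ct state new accept

        # Log and drop every other attempt to reach the web interface; the log
        # prefix gives the SOC a simple string to alert on
        ip daddr 10.10.20.15 tcp dport { 80, 443 } log prefix "POL909-WEB-DENY " drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; the default `policy drop` on the forward chain means any other path into the controller must be added explicitly, which is the intended effect of the workaround.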
API: /api/v1/advisories/7e9defd3-4a17-443b-ae7c-4cdc761acb62