Siemens APOGEE, TALON and Desigo PXC/PXM Products

Plan: Patch | CVSS 7.5 | ICS-CERT ICSA-22-286-12 | Oct 11, 2022
Siemens
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial of service vulnerability exists in the Nucleus RTOS used by Siemens APOGEE, TALON, and Desigo PXC/PXM building automation controllers. An attacker can send specially crafted BACnet or P2 Ethernet protocol packets to cause the controller to become unresponsive and crash, requiring manual restart. The FTP service is disabled by default on these products. Siemens has released firmware updates for APOGEE PXC, TALON TC, and Desigo PXC/PXM product lines, but APOGEE MBC and MEC controllers have no planned fix. Network segmentation and access controls are recommended as compensating controls.

What this means
What could happen
An attacker can send specially crafted network traffic to these building automation controllers, causing them to stop responding and become unavailable. This could disrupt HVAC, lighting, or other critical building systems until the device is manually restarted.
Who's at risk
Building automation and facility management teams responsible for HVAC, lighting, and environmental controls in commercial buildings and facilities. This affects anyone running Siemens APOGEE, TALON, or Desigo PXC/PXM controllers for building climate and system management.
How it could be exploited
An attacker on the network (or with network access to affected products) sends malformed BACnet or P2 Ethernet protocol packets to trigger a denial of service condition in the Nucleus RTOS kernel. The attack requires no authentication and can be launched remotely across the network.
Prerequisites
  • Network reachability to the affected device on BACnet or P2 Ethernet ports
  • No authentication or credentials required
Key points
  • Remotely exploitable
  • No authentication required
  • Low attack complexity
  • No patch available for APOGEE MBC/MEC products
  • Affects non-safety building automation systems
Exploitability
Unlikely to be exploited — EPSS score 0.8%
Affected products (28)
23 with fix, 5 EOL
Product                          Affected Versions                        Fix Status
Nucleus NET for Nucleus PLUS V1  < V5.2a                                  V5.2a (V1.15) with patch v2022.11
Nucleus NET for Nucleus PLUS V2  < V5.4                                   V5.4 (V2.1f) with patch v2022.11
Nucleus ReadyStart V3 V2012      < V2012.08.1                             V2012.08.1 with patch v2022.11
Nucleus ReadyStart V3 V2017      < V2017.02.4                             V2017.02.4 with patch 2017.02.4_patch_CVE-2022-38371
Nucleus Source Code              Versions including affected FTP server   No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: For APOGEE MBC and MEC products with no fix available, disable the FTP service if it has been enabled
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

APOGEE PXC Compact (BACnet)
HOTFIX: Update APOGEE PXC Compact (BACnet) to firmware version 3.5.7 or later
HOTFIX: Update APOGEE PXC Modular (BACnet) to firmware version 3.5.7 or later
HOTFIX: Update TALON TC Compact (BACnet) to firmware version 3.5.7 or later
HOTFIX: Update TALON TC Modular (BACnet) to firmware version 3.5.7 or later
APOGEE PXC Compact (P2 Ethernet)
HOTFIX: Update APOGEE PXC Compact (P2 Ethernet) to firmware version 2.8.21 or later
HOTFIX: Update APOGEE PXC Modular (P2 Ethernet) to firmware version 2.8.21 or later
All products
HOTFIX: Update all Desigo PXC and PXM products to firmware version 6.30.37 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Nucleus Source Code, APOGEE MBC (PPC) (P2 Ethernet), APOGEE MEC (PPC) (BACnet), APOGEE MEC (PPC) (P2 Ethernet), APOGEE MBC (PPC) (BACnet). Apply the following compensating controls:
HARDENING: Implement network access controls to restrict traffic to affected building automation controllers from untrusted networks
HARDENING: Segment building automation systems from general corporate networks using firewalls or VLANs
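As an added defender-side example (not part of this advisory or of any Siemens tooling), the script below triages an asset inventory against the fix levels and End-of-Life list above: it tells you which controllers need the firmware hotfix, which are EOL and need the compensating controls, and where the FTP workaround applies. The product family labels, the ftp_enabled inventory attribute and the sample devices are assumptions; the firmware thresholds are the ones stated in the schedule.

```python
from dataclasses import dataclass
# Minimum fixed firmware per product family, as listed in the advisory schedule.
FIXED_FIRMWARE = {
    "APOGEE PXC Compact (BACnet)": "3.5.7",
    "APOGEE PXC Modular (BACnet)": "3.5.7",
    "TALON TC Compact (BACnet)": "3.5.7",
    "TALON TC Modular (BACnet)": "3.5.7",
    "APOGEE PXC Compact (P2 Ethernet)": "2.8.21",
    "APOGEE PXC Modular (P2 Ethernet)": "2.8.21",
    "Desigo PXC/PXM": "6.30.37",
}
# Families the advisory lists as End of Life: no patch, compensating controls only.
EOL_FAMILIES = {
    "APOGEE MBC (PPC) (BACnet)", "APOGEE MBC (PPC) (P2 Ethernet)",
    "APOGEE MEC (PPC) (BACnet)", "APOGEE MEC (PPC) (P2 Ethernet)",
}
@dataclass
class Controller:
    name: str
    family: str
    firmware: str
    ftp_enabled: bool  # assumed inventory attribute; the FTP service is off by default

def version_tuple(version: str) -> tuple:
    # Compare dotted versions numerically so that 2.8.21 sorts after 2.8.9.
    return tuple(int(part) for part in version.split("."))

def triage(device: Controller) -> list:
    # Return the advisory actions that apply to one controller.
    actions = []
    if device.family in EOL_FAMILIES:
        actions.append("EOL: no patch; restrict and segment network access")
        if device.ftp_enabled:
            actions.append("WORKAROUND: disable the FTP service")
    elif device.family in FIXED_FIRMWARE:
        fixed = FIXED_FIRMWARE[device.family]
        if version_tuple(device.firmware) < version_tuple(fixed):
            actions.append(f"HOTFIX: update firmware to {fixed} or later")
    else:
        actions.append("not in scope of this advisory")
    return actions
# Constructed sample inventory; names, families and firmware levels are illustrative.
SAMPLE_INVENTORY = [
    Controller("ahu-01", "APOGEE PXC Modular (BACnet)", "3.5.6", False),
    Controller("chiller-01", "APOGEE MBC (PPC) (BACnet)", "2.1", True),
    Controller("lobby-01", "Desigo PXC/PXM", "6.30.37", False),
]
def triage_inventory(inventory=SAMPLE_INVENTORY) -> dict:
    return {device.name: triage(device) for device in inventory}
```

An empty action list means the controller already runs fixed firmware; feed your own inventory records to triage_inventory() to get the per-device work list.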
