OTPulse

Siemens APOGEE, TALON and Desigo PXC/PXM Products

Plan Patch | 7.5 | ICS-CERT ICSA-22-286-12 | Oct 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial of service vulnerability exists in the Nucleus RTOS used by Siemens APOGEE, TALON, and Desigo PXC/PXM building automation controllers. An attacker can send specially crafted BACnet or P2 Ethernet protocol packets to cause the controller to become unresponsive and crash, requiring manual restart. The FTP service is disabled by default on these products. Siemens has released firmware updates for APOGEE PXC, TALON TC, and Desigo PXC/PXM product lines, but APOGEE MBC and MEC controllers have no planned fix. Network segmentation and access controls are recommended as compensating controls.

What this means
What could happen
An attacker can send specially crafted network traffic to these building automation controllers, causing them to stop responding and become unavailable. This could disrupt HVAC, lighting, or other critical building systems until the device is manually restarted.
Who's at risk
Building automation and facility management teams responsible for HVAC, lighting, and environmental controls in commercial buildings and facilities. This affects anyone running Siemens APOGEE, TALON, or Desigo PXC/PXM controllers for building climate and system management.
How it could be exploited
An attacker on the network (or with network access to affected products) sends malformed BACnet or P2 Ethernet protocol packets to trigger a denial of service condition in the Nucleus RTOS kernel. The attack requires no authentication and can be launched remotely across the network.
Prerequisites
  • Network reachability to the affected device on BACnet or P2 Ethernet ports
  • No authentication or credentials required
  • Remotely exploitable
  • No authentication required
  • Low attack complexity
  • No patch available for APOGEE MBC/MEC products
  • Affects non-safety building automation systems
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (23)
19 with fix, 4 EOL

Product | Affected Versions | Fix Status
APOGEE PXC Compact (BACnet) | < V3.5.7 | 3.5.7
APOGEE PXC Compact (P2 Ethernet) | < V2.8.21 | 2.8.21
APOGEE PXC Modular (BACnet) | < V3.5.7 | 3.5.7
APOGEE PXC Modular (P2 Ethernet) | < V2.8.21 | 2.8.21
Desigo PXC00-E.D | ≥ V2.3, < V6.30.37 | 6.30.37

Remediation & Mitigation
Do now
WORKAROUND: For APOGEE MBC and MEC products with no fix available, disable the FTP service if it has been enabled
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

APOGEE PXC Compact (BACnet)
HOTFIX: Update APOGEE PXC Compact (BACnet) to firmware version 3.5.7 or later
HOTFIX: Update APOGEE PXC Modular (BACnet) to firmware version 3.5.7 or later
HOTFIX: Update TALON TC Compact (BACnet) to firmware version 3.5.7 or later
HOTFIX: Update TALON TC Modular (BACnet) to firmware version 3.5.7 or later
APOGEE PXC Compact (P2 Ethernet)
HOTFIX: Update APOGEE PXC Compact (P2 Ethernet) to firmware version 2.8.21 or later
HOTFIX: Update APOGEE PXC Modular (P2 Ethernet) to firmware version 2.8.21 or later
All products
HOTFIX: Update all Desigo PXC and PXM products to firmware version 6.30.37 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: APOGEE MBC (PPC) (P2 Ethernet), APOGEE MEC (PPC) (BACnet), APOGEE MEC (PPC) (P2 Ethernet), APOGEE MBC (PPC) (BACnet). Apply the following compensating controls:
HARDENING: Implement network access controls to restrict traffic to affected building automation controllers from untrusted networks
HARDENING: Segment building automation systems from general corporate networks using firewalls or VLANs
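
To turn the remediation list above into a per-device work list, the following added example (not part of the advisory or any Siemens tooling) triages a controller inventory against the fixed versions and end-of-life products named on this page. It covers only the products this page lists, assumes TALON TC firmware below 3.5.7 needs the update, and the inventory, hostnames and status labels are constructed for illustration.

```python
import re

# From this page: product -> (lowest affected version or None, first fixed version)
FIXED = {
    "APOGEE PXC Compact (BACnet)": (None, "3.5.7"),
    "APOGEE PXC Modular (BACnet)": (None, "3.5.7"),
    "TALON TC Compact (BACnet)": (None, "3.5.7"),
    "TALON TC Modular (BACnet)": (None, "3.5.7"),
    "APOGEE PXC Compact (P2 Ethernet)": (None, "2.8.21"),
    "APOGEE PXC Modular (P2 Ethernet)": (None, "2.8.21"),
    "Desigo PXC00-E.D": ("2.3", "6.30.37"),
}
# End-of-life products named on this page: no fix planned.
EOL = {"APOGEE MBC (PPC) (P2 Ethernet)", "APOGEE MBC (PPC) (BACnet)",
       "APOGEE MEC (PPC) (P2 Ethernet)", "APOGEE MEC (PPC) (BACnet)"}

def parse_version(text):
    """'V3.5.7' or '2.8.21' -> tuple of ints, so 3.5.10 sorts after 3.5.7."""
    m = re.fullmatch(r"\s*[Vv]?\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def triage(product, firmware):
    if product in EOL:
        return "NO_FIX"            # compensating controls only
    if product not in FIXED:
        return "NOT_LISTED"        # not among the products shown on this page
    low, fixed = FIXED[product]
    try:
        v = parse_version(firmware)
    except ValueError:
        return "UNKNOWN_VERSION"   # read the version off the device before deciding
    if low is not None and v < parse_version(low):
        return "NOT_AFFECTED"      # below the affected range
    return "UPDATE" if v < parse_version(fixed) else "FIXED"

# Constructed sample inventory: (hostname, product, reported firmware)
INVENTORY = [
    ("ahu-01", "APOGEE PXC Compact (BACnet)", "V3.5.10"),
    ("ahu-02", "APOGEE PXC Modular (P2 Ethernet)", "2.8.3"),
    ("chw-01", "Desigo PXC00-E.D", "V2.2"),
    ("blr-01", "APOGEE MEC (PPC) (BACnet)", "unknown"),
]

def report(inventory):
    return {host: triage(product, fw) for host, product, fw in inventory}

if __name__ == "__main__":
    print(report(INVENTORY))
```

Versions are compared numerically per component; a plain string comparison would wrongly rank 2.8.3 above 2.8.21 and 3.5.10 below 3.5.7.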