Siemens APOGEE and TALON
Plan PatchCVSS 8.8ICS-CERT ICSA-22-349-16Dec 13, 2022
Siemens
Attack path
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
APOGEE PXC and TALON TC field panels contain multiple vulnerabilities that could allow authenticated attackers to escalate privileges and compromise system integrity. The vulnerabilities include: (1) CVE-2022-45937, a privilege management flaw allowing low-privilege authenticated users to gain high-privilege access; (2) CVE-2020-28388, predictable TCP/IP Initial Sequence Numbers in the Nucleus RTOS kernel used by these devices; and (3) multiple DNS implementation flaws in the Nucleus RTOS. Affected versions are BACnet models before V3.5.5 and P2 Ethernet models before V2.8.20.
What this means
What could happen
An authenticated attacker with low-level access to these field panels could escalate privileges to administrative level and take control of HVAC, lighting, or other building systems controlled by the device. Additionally, predictable TCP sequence numbers could allow an attacker on the network to forge TCP packets and intercept or hijack device communications.
Who's at risk
Building automation and HVAC technicians, facilities managers, and utilities responsible for operating Siemens APOGEE PXC and TALON TC field panels (especially those used in district energy, multi-building campuses, or utility control systems). Risk is higher in environments where field panel access is granted to contractors or where field technicians have weaker credential hygiene.
How it could be exploited
An attacker with valid user credentials (or who has compromised a low-privilege user account) can connect to the field panel and exploit the privilege escalation vulnerability (CVE-2022-45937) to gain administrative access. Alternatively, an attacker on the same network segment could exploit the predictable TCP sequence numbers to forge packets and hijack connections to the device, or launch DNS cache poisoning attacks through the flawed DNS implementation.
Prerequisites
- Valid low-privilege user account credentials to access the field panel
- Network connectivity to the field panel (same network segment for TCP sequence number exploitation)
- Knowledge of or ability to predict TCP sequence numbers for connection hijacking
Remotely exploitable via networkPrivilege escalation allows attacker to gain admin-level controlTCP/IP implementation flaws could enable connection hijackingAffects building automation systems which can impact occupant safety and operationsRequires valid credentials but credential compromise or weak access controls increase risk
Exploitability
Unlikely to be exploited — EPSS score 0.9%
Affected products (6)
6 with fix
ProductAffected VersionsFix Status
APOGEE PXC Compact (BACnet)<V3.5.53.5.5
APOGEE PXC Compact (P2 Ethernet)<V2.8.202.8.20
APOGEE PXC Modular (BACnet)<V3.5.53.5.5
APOGEE PXC Modular (P2 Ethernet)<V2.8.202.8.20
TALON TC Compact (BACnet)<V3.5.53.5.5
TALON TC Modular (BACnet)<V3.5.53.5.5
Remediation & Mitigation
0/7
Do now
0/1WORKAROUNDRestrict network access to field panels using firewall rules; ensure panels are not directly accessible from the Internet or untrusted networks
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
APOGEE PXC Compact (BACnet)
HOTFIXUpdate APOGEE PXC Series (BACnet) to version 3.5.5 or later
HOTFIXUpdate TALON TC Series (BACnet) to version 3.5.5 or later
APOGEE PXC Compact (P2 Ethernet)
HOTFIXUpdate APOGEE PXC Series (P2 Ethernet) to version 2.8.20 or later
Long-term hardening
0/3HARDENINGIsolate building automation networks from corporate IT networks using network segmentation or air-gapping
HARDENINGReview and enforce strong password policies and multi-factor authentication (if supported) for field panel user accounts
HARDENINGIf remote access to field panels is required, route all access through a VPN with current security patches and monitor for unauthorized connection attempts
CVEs (8)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/e9e344be-fe0f-4566-a83b-14089de90925Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.