Siemens Desigo Fire Safety UL and Cerberus PRO UL Fire Protection Systems
Act Now10ICS-CERT ICSA-24-137-12May 14, 2024
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Multiple Siemens Desigo Fire Safety UL and Cerberus PRO UL Fire Protection Systems contain buffer overflow vulnerabilities (CVE-2024-22039, CVE-2024-22040, CVE-2024-22041) in the network communication stack. An unauthenticated attacker with access to the fire protection system network could send a specially crafted network message to trigger a buffer overflow, allowing arbitrary code execution on Compact Panels, Engineering Tools, and X300 Cloud Distribution devices, or cause the system to crash (denial of service). Affected products include Desigo Fire Safety UL X300 Cloud Distribution, Cerberus PRO UL Compact Panel FC922/924, Cerberus PRO UL Engineering Tool, Cerberus PRO UL X300 Cloud Distribution, Desigo Fire Safety UL Compact Panel FC2025/2050, and Desigo Fire Safety UL Engineering Tool.
What this means
What could happen
An attacker with access to the fire protection system network could run arbitrary code on Desigo and Cerberus fire safety panels or engineering tools, potentially disabling fire detection and alarm functions, or cause the system to crash and stop monitoring fires.
Who's at risk
Fire protection system operators and building managers who operate Siemens Desigo Fire Safety UL or Cerberus PRO UL systems should be concerned. Specifically affected are Compact Panels (FC922, FC924, FC2025, FC2050), engineering workstations, and cloud-connected X300 distribution devices. Any building with these fire detection and alarm systems installed is at risk if running unpatched firmware.
How it could be exploited
An attacker must first reach the fire protection system network (via compromised building network, shared network segment, or weak perimeter controls). Once on the network, they send a specially crafted message to the vulnerable communication port on an unpatched Desigo or Cerberus device, triggering a buffer overflow that allows them to execute commands or crash the system without needing credentials.
Prerequisites
- Network access to the fire protection system network segment
- No authentication required
- Device must be running a vulnerable firmware version (pre-MP4 for Compact Panels/Engineering Tools, pre-V4.3.0001 for X300 Cloud Distribution)
- Attacker must know or discover the IP address and listening port of the vulnerable device
Remotely exploitableNo authentication requiredLow complexity (standard network access is sufficient)High CVSS score (10.0 critical)Affects safety systems (fire protection)Affects compact panel devices (no fix planned for some models)Affects engineering tools (no fix planned)
Exploitability
Moderate exploit probability (EPSS 8.0%)
Affected products (6)
2 with fix4 EOL
ProductAffected VersionsFix Status
Desigo Fire Safety UL X300 Cloud Distribution<V4.3.00014.3.0001
Cerberus PRO UL X300 Cloud Distribution<V4.3.00014.3.0001
Cerberus PRO UL Compact Panel FC922/924<MP4No fix (EOL)
Cerberus PRO UL Engineering Tool<MP4No fix (EOL)
Desigo Fire Safety UL Compact Panel FC2025/2050<MP4No fix (EOL)
Desigo Fire Safety UL Engineering Tool<MP4No fix (EOL)
Remediation & Mitigation
0/9
Do now
0/2HARDENINGIsolate the fire protection system network behind a firewall with rules that block inbound access from business networks and the internet
HARDENINGRestrict network access to fire protection devices to only authorized engineering workstations and monitoring stations
Schedule — requires maintenance window
0/6Patching may require device reboot — plan for process interruption
Desigo Fire Safety UL X300 Cloud Distribution
HOTFIXUpdate Desigo Fire Safety UL X300 Cloud Distribution to version 4.3.0001 or later
Cerberus PRO UL X300 Cloud Distribution
HOTFIXUpdate Cerberus PRO UL X300 Cloud Distribution to version 4.3.0001 or later
Cerberus PRO UL Compact Panel FC922/924
HOTFIXUpdate Cerberus PRO UL Compact Panel FC922/924 to MP4 or later version if available from vendor
Desigo Fire Safety UL Compact Panel FC2025/2050
HOTFIXUpdate Desigo Fire Safety UL Compact Panel FC2025/2050 to MP4 or later version if available from vendor
Cerberus PRO UL Engineering Tool
HOTFIXUpdate Cerberus PRO UL Engineering Tool to MP4 or later version if available from vendor
Desigo Fire Safety UL Engineering Tool
HOTFIXUpdate Desigo Fire Safety UL Engineering Tool to MP4 or later version if available from vendor
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: Cerberus PRO UL Compact Panel FC922/924, Cerberus PRO UL Engineering Tool, Desigo Fire Safety UL Compact Panel FC2025/2050, Desigo Fire Safety UL Engineering Tool. Apply the following compensating controls:
HARDENINGIf remote access to fire protection systems is required, require VPN with multi-factor authentication and keep VPN software updated
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/fdd41a2b-cd12-4ea3-851a-be67e4988aed