Multiple Vulnerabilities in Nucleus RTOS based APOGEE, TALON and Desigo PXC/PXM Products
Priority: Act Now
CVSS: 9.8
Advisory: SSA-114589
Date: Nov 9, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple memory safety and buffer management vulnerabilities in Nucleus RTOS affect Siemens building control products including APOGEE (MBC, MEC, PXC) controllers and Desigo/TALON automation platforms. These vulnerabilities allow remote code execution through crafted network packets without requiring authentication. The APOGEE MBC and MEC product lines have no patches available and are end-of-life; other affected products have vendor patches available.
What this means
What could happen
An attacker could remotely execute arbitrary code on building automation controllers, allowing them to alter HVAC setpoints, disable alarms, stop ventilation systems, or manipulate other critical building processes without needing a valid account or user interaction.
Who's at risk
Building automation operators, facility managers, and HVAC system integrators using Siemens APOGEE, Desigo, or TALON controllers for HVAC, lighting, and building management systems. This includes all municipal buildings, hospitals, commercial offices, and data centers relying on these controllers. Older APOGEE MBC and MEC models have no patch and are highest priority for network isolation or replacement.
How it could be exploited
An attacker on the network (or with network access to the device) sends a specially crafted network packet (BACnet or P2 Ethernet protocol) to the controller. The memory safety vulnerabilities in Nucleus RTOS are triggered, allowing the attacker to overwrite memory and execute arbitrary code on the device. No valid credentials are required.
Prerequisites
- Network access to the affected controller on BACnet or P2 Ethernet protocol port
- No authentication required
- Device must be running a vulnerable firmware version
Risk factors
- Remotely exploitable over network
- No authentication required
- Low complexity exploitation
- High CVSS score (9.8 critical)
- No patch available for APOGEE MBC and MEC product lines
- Affects safety and critical building systems
Exploitability
Moderate exploit probability (EPSS 3.4%)
Affected products (23)
19 with fix, 4 EOL
Product | Affected Versions | Fix Status
APOGEE MBC (PPC) (P2 Ethernet) | All versions | No fix (EOL)
APOGEE MEC (PPC) (BACnet) | All versions | No fix (EOL)
APOGEE MEC (PPC) (P2 Ethernet) | All versions | No fix (EOL)
APOGEE PXC Compact (BACnet) | < V3.5.4 | 3.5.4
APOGEE PXC Compact (P2 Ethernet) | < V2.8.19 | 2.8.19
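The affected-versions table is only useful once it is applied to an asset inventory. The script below is an added example (not part of the Siemens advisory or any Siemens tool): it encodes the fix thresholds stated on this page, parses firmware strings such as "V6.30.016" so they compare numerically, and classifies each controller as patched, needing an update, or end-of-life with no fix. The inventory at the bottom, the device names and the `Device`/`triage` helpers are all constructed for the example.

```python
"""Firmware triage against the advisory's affected-product table.

Added example, not from the Siemens advisory or any vendor tool. The fix
thresholds below are taken from the advisory text; the device inventory at
the bottom is constructed sample data.
"""
import re
from dataclasses import dataclass

EOL = "EOL"   # product is end-of-life: no fix will be published
ANY = "*"     # protocol wildcard: threshold applies regardless of protocol

# (product family, protocol) -> minimum fixed firmware version, or EOL.
FIX_THRESHOLDS = {
    ("APOGEE PXC", "BACnet"): "V3.5.4",       # PXC Compact and Modular
    ("APOGEE PXC", "P2 Ethernet"): "V2.8.19",
    ("APOGEE MBC", ANY): EOL,
    ("APOGEE MEC", ANY): EOL,
    ("Desigo PXC", ANY): "V6.30.016",
    ("Desigo PXM", ANY): "V6.30.016",
    ("TALON TC", ANY): "V3.5.4",
}


@dataclass(frozen=True)
class Device:
    name: str
    family: str
    protocol: str
    firmware: str


def parse_version(text: str) -> tuple:
    """Turn 'V6.30.016' into (6, 30, 16) so versions compare numerically.
    A leading 'V' is optional; zero-padded components compare as integers."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def triage(device: Device) -> str:
    """Return one of: 'isolate-or-replace', 'update', 'patched', 'not-listed'."""
    threshold = FIX_THRESHOLDS.get((device.family, device.protocol))
    if threshold is None:
        threshold = FIX_THRESHOLDS.get((device.family, ANY))
    if threshold is None:
        return "not-listed"          # family not covered by this advisory
    if threshold == EOL:
        return "isolate-or-replace"  # no fix exists; compensating controls only
    if parse_version(device.firmware) < parse_version(threshold):
        return "update"
    return "patched"


def triage_inventory(devices) -> dict:
    """Map device name -> triage status for a whole inventory."""
    return {d.name: triage(d) for d in devices}


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    Device("ahu-1-ctrl", "APOGEE PXC", "BACnet", "V3.5.2"),
    Device("ahu-2-ctrl", "APOGEE PXC", "P2 Ethernet", "V2.8.19"),
    Device("boiler-ctrl", "APOGEE MEC", "P2 Ethernet", "V2.7.0"),
    Device("lobby-pxm", "Desigo PXM", "BACnet", "V6.30.16"),
    Device("chiller-pxc", "Desigo PXC", "BACnet", "V6.20.100"),
    Device("lab-plc", "Other Vendor PLC", "Modbus", "1.0"),
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:14} {status}")
```

Devices reported as "isolate-or-replace" are the EOL MBC and MEC lines and belong at the top of the network-isolation queue; "update" devices map directly to the hotfix entries in the remediation section.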
Remediation & Mitigation
Do now
APOGEE PXC Compact (BACnet)
HOTFIX: Update APOGEE PXC Compact and Modular controllers to firmware V3.5.4 or later (BACnet) or V2.8.19 or later (P2 Ethernet)
WORKAROUND: For APOGEE MBC and MEC controllers with no patch available: restrict network access to these devices using firewall rules; limit BACnet and P2 Ethernet traffic to authorized engineering workstations and management networks only
All products
HOTFIX: Update all Desigo PXC and PXM controllers to firmware V6.30.016 or later
HOTFIX: Update TALON TC Compact and Modular controllers to firmware V3.5.4 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: APOGEE MBC (PPC) (P2 Ethernet), APOGEE MEC (PPC) (BACnet), APOGEE MEC (PPC) (P2 Ethernet), APOGEE MBC (PPC) (BACnet). Apply the following compensating controls:
HARDENING: For end-of-life APOGEE MBC and MEC controllers: plan replacement with current Desigo PXC product line that receives security updates
HARDENING: Implement network segmentation to isolate building automation controllers on a dedicated VLAN with restricted access to other network segments
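The workaround and hardening entries above amount to an allow list: only engineering workstations and the management network may talk BACnet or P2 Ethernet to the controllers. A firewall enforces that; the added example below (not from the Siemens advisory) shows the matching detection side, checking exported flow records for BACnet/IP traffic that reaches a controller from a source outside the allow list. It assumes BACnet/IP on its standard UDP port 47808 (0xBAC0); the P2 Ethernet port is not stated in the advisory and is left as a placeholder the operator fills in. The flow-line format, controller addresses, allowed networks and the `Flow`/`unauthorized_flows` helpers are constructed for this example.

```python
"""Flag BACnet/IP traffic to building controllers that does not come from an
authorized engineering workstation or management network.

Added example, not from the Siemens advisory. Assumptions: flows are exported
as 'TS src=A dst=B proto=udp dport=N' lines (constructed format); BACnet/IP
uses its standard UDP port 47808. The P2 Ethernet port is not given in the
advisory and must be added by the operator where marked.
"""
import ipaddress
from dataclasses import dataclass

# Service ports to watch. PLACEHOLDER: add the P2 Ethernet port here if known.
MONITORED_PORTS = {47808: "BACnet/IP"}

# Controllers that should only be reached from allow-listed sources (constructed).
CONTROLLERS = {"10.50.0.7", "10.50.0.8"}

# Authorized engineering workstations and the BMS management network (constructed).
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.1.15/32"),   # engineering workstation
    ipaddress.ip_network("10.20.1.16/32"),   # engineering workstation
    ipaddress.ip_network("10.60.0.0/24"),    # management network
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'TS src=A dst=B proto=udp dport=N' record."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Flow(ts, kv["src"], kv["dst"], kv["proto"].lower(), int(kv["dport"]))


def is_allowed_source(ip: str) -> bool:
    """True if the address falls inside any allow-listed host or network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def unauthorized_flows(lines):
    """Return (flow, service) pairs for monitored-port UDP traffic to a
    controller whose source is outside the allow list."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        if flow.dst not in CONTROLLERS or flow.proto != "udp":
            continue
        service = MONITORED_PORTS.get(flow.dport)
        if service and not is_allowed_source(flow.src):
            hits.append((flow, service))
    return hits


# Constructed sample flow log: two allowed sources, two that are not, one
# unrelated TCP flow that must be ignored.
SAMPLE_LOG = """
2021-11-09T10:00:01Z src=10.20.1.15 dst=10.50.0.7 proto=udp dport=47808
2021-11-09T10:00:05Z src=10.60.0.22 dst=10.50.0.8 proto=udp dport=47808
2021-11-09T10:01:12Z src=10.30.4.9 dst=10.50.0.7 proto=udp dport=47808
2021-11-09T10:01:13Z src=10.30.4.9 dst=10.50.0.7 proto=tcp dport=443
2021-11-09T10:02:40Z src=192.168.77.5 dst=10.50.0.8 proto=udp dport=47808
""".strip().splitlines()

if __name__ == "__main__":
    for flow, service in unauthorized_flows(SAMPLE_LOG):
        print(f"ALERT {flow.ts} {service} from {flow.src} "
              f"to controller {flow.dst} (source not allow-listed)")
```

Any hit means either the firewall rule is missing or misconfigured, or a host outside the engineering and management networks is reaching a controller; for the EOL MBC and MEC models, where no patch will ever close the exposure, that is the signal to act on first.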
CVEs (13)