DHCP Client Vulnerability in SIMOTICS CONNECT 400, Desigo PXC/PXM, APOGEE MEC/MBC/PXC, APOGEE PXC Series, and TALON TC Series
Plan Patch · 7.1 · SSA-162506 · Apr 14, 2020
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
DHCP client vulnerability in Siemens control products. The Mentor Nucleus Networking Module's DHCP client implementation fails to properly validate malformed DHCP responses, allowing an attacker on the local network to trigger a denial of service condition or corrupt device integrity. Affected products include SIMOTICS CONNECT 400, Desigo PXC/PXM building automation controllers (Power PC-based), APOGEE building management controllers, and TALON TC controllers. Siemens has released firmware updates for most products; APOGEE MEC/MBC/PXC (P2) has no patch and will remain vulnerable.
What this means
What could happen
An attacker on the local network can send malformed DHCP responses to these controllers, causing a denial of service (device stops responding) or corrupting device integrity. For water/utility operators, this means building automation and energy management systems could become unresponsive, preventing remote monitoring and control of critical infrastructure.
Who's at risk
Energy and water utility operators using Siemens building automation controllers (Desigo PXC/PXM series) and control systems (APOGEE, TALON TC, SIMOTICS CONNECT 400) for facility management, HVAC, or energy monitoring. Any site where these controllers manage critical infrastructure monitoring or control and rely on DHCP for network configuration.
How it could be exploited
An attacker on the same network segment or VLAN as the affected device crafts a malicious DHCP response packet and sends it to the controller. The vulnerable DHCP client processes the malformed packet without proper validation, triggering a crash or integrity corruption. No special network positioning or complex attack steps are required if the attacker already has Layer 2 or Layer 3 network access to the device.
Prerequisites
- Network access to the same Layer 2 broadcast domain (local network, VLAN, or network segment) as the affected device
- No authentication required to send DHCP packets
- Device must be configured to use DHCP (not static IP)
- remotely exploitable via network
- low complexity attack
- no authentication required
- affects building automation and critical infrastructure monitoring
- denial of service possible
- unpatched products will remain vulnerable indefinitely
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (21)
20 with fix · 1 EOL
Product | Affected Versions | Fix Status
APOGEE MEC/MBC/PXC (P2) | < V2.8.2 | No fix (EOL)
APOGEE PXC Compact (BACnet) | < V3.5.3 | 3.5.3
APOGEE PXC Compact (P2 Ethernet) | ≥ V2.8.2, < V2.8.19 | 2.8.19
APOGEE PXC Modular (BACnet) | < V3.5.3 | 3.5.3
APOGEE PXC Modular (P2 Ethernet) | ≥ V2.8.2, < V2.8.19 | 2.8.19
Remediation & Mitigation
Do now
APOGEE MEC/MBC/PXC (P2)
WORKAROUND: For APOGEE MEC/MBC/PXC (P2) with no available patch, configure the device to use a static IP address instead of DHCP to eliminate the attack vector
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
APOGEE PXC Compact (BACnet)
HOTFIX: Update APOGEE PXC Compact and Modular (BACnet) to firmware version 3.5.3 or later
HOTFIX: Update TALON TC Compact and Modular (BACnet) to firmware version 3.5.3 or later
APOGEE PXC Compact (P2 Ethernet)
HOTFIX: Update APOGEE PXC Compact and Modular (P2 Ethernet) to firmware version 2.8.19 or later
SIMOTICS CONNECT 400
HOTFIX: Update SIMOTICS CONNECT 400 to firmware version 0.3.0.330 or later
All products
HOTFIX: Update Desigo PXC-E.D series (PXC00-E.D, PXC001-E.D, PXC12-E.D, PXC22-E.D, PXC22.1-E.D, PXC36.1-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D, and PXM20-E) to firmware version 6.0.327 or later
HOTFIX: Update Desigo PXC-U series (PXC00-U, PXC64-U, and PXC128-U) to firmware version 6.00.327 or later
Mitigations - no patch available
APOGEE MEC/MBC/PXC (P2) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment building automation and energy management controllers on a separate VLAN or network with restricted access from untrusted sources to limit DHCP exposure
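As an added example (not from the advisory or from Siemens), the following Python script shows the two checks a network-side monitor on the controller VLAN can apply to captured DHCP server replies: strict bounds checking of the options field, so a reply that a lenient client would mis-parse is flagged as malformed, and an allow list of authorized server identifiers, so replies from any other host on the segment are flagged as rogue. The allow-list address and the sample packets are constructed.

```python
# Authorized DHCP servers for the controller VLAN (constructed assumption).
AUTHORIZED_SERVERS = {"10.0.0.1"}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie at BOOTP offset 236

def parse_options(payload: bytes) -> dict:
    """Strict RFC 2132 TLV parse; a length that overruns the packet raises
    ValueError instead of being read past the end of the buffer."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 0:            # PAD
            i += 1
            continue
        if code == 255:          # END
            return opts
        if i + 1 >= len(payload):
            raise ValueError(f"option {code} truncated before its length byte")
        end = i + 2 + payload[i + 1]
        if end > len(payload):
            raise ValueError(f"option {code} length overruns packet")
        opts[code] = payload[i + 2:end]
        i = end
    raise ValueError("missing END option")

def inspect_dhcp_reply(packet: bytes) -> list:
    """Findings for one DHCP server reply (BOOTP op=2) seen on the segment."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        return ["malformed: short header or bad magic cookie"]
    if packet[0] != 2:
        return []                # client request, not a reply
    try:
        opts = parse_options(packet[240:])
    except ValueError as e:
        return [f"malformed: {e}"]
    findings = []
    sid = opts.get(54)           # server identifier option
    if sid is None or len(sid) != 4:
        findings.append("malformed: missing or invalid server identifier (option 54)")
    elif ".".join(map(str, sid)) not in AUTHORIZED_SERVERS:
        findings.append("rogue: reply from unauthorized server " + ".".join(map(str, sid)))
    return findings

def build_reply(options: bytes) -> bytes:
    """Constructed sample: minimal BOOTP reply header (op=2) + cookie + options."""
    return bytes([2, 1, 6, 0]) + bytes(232) + MAGIC + options

GOOD = build_reply(b"\x35\x01\x02\x36\x04\x0a\x00\x00\x01\xff")
ROGUE = build_reply(b"\x35\x01\x02\x36\x04\xc0\xa8\x01\x64\xff")
TRUNCATED = build_reply(b"\x35\x01\x02\x36\x04\x0a\x00")  # says 4 bytes, 2 follow
```

In practice the packets come from a span port or DHCP-snooping log on the controller VLAN; any "rogue" or "malformed" finding there is worth an alert because the unpatched P2 devices cannot defend themselves.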
CVEs (1)