OTPulse

Client-side Authentication in Desigo CC and Cerberus DMS

Act Now · CVSS 9.8 · SSA-836027 · Oct 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Desigo CC and Cerberus DMS implement client-side only authentication for specific parts of client-server communication. Attackers could impersonate users or exploit the client-server protocol without authentication, as the authentication is not enforced on the server side.

What this means
What could happen
An attacker on the network could impersonate legitimate users and gain unauthorized access to building automation systems, potentially altering control logic, setpoints, or operational parameters without being detected or authenticated.
Who's at risk
This affects organizations running Desigo CC or Cerberus DMS building automation systems, particularly facility managers and utilities responsible for HVAC, lighting, and building climate control. Any version of these products is vulnerable, and no vendor patch is available.
How it could be exploited
An attacker with network access to the Desigo CC or Cerberus DMS client-server communication can craft protocol messages that bypass client-side authentication checks. Since authentication is not validated on the server, the attacker can impersonate any user and execute commands or access data as if they were an authenticated operator.
Prerequisites
  • Network access to Desigo CC or Cerberus DMS client-server communication ports
  • Ability to intercept or send crafted protocol messages to the affected systems
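The weakness described above is a design pattern, not a single bug: the server accepts an identity the client asserts, because the password check happens only in the client. The toy below, added here as an illustration and not code from Siemens, OTPulse or the Desigo CC/Cerberus DMS protocol, puts the two designs side by side. Messages are plain dicts, the credential store is constructed sample data, and the "servers" run in-process, so the contrast is visible offline: the client-side-only server treats a message that never went through any password check exactly like a legitimate one, while the server-side design issues a session token only after verifying credentials itself and ignores any user field the sender supplies.

```python
"""Client-side-only authentication versus server-side enforcement (constructed toy).

Hypothetical message format, credential store and servers; NOT the Desigo CC or
Cerberus DMS wire protocol. Messages are dicts so the example runs without sockets.
"""
import hmac
import secrets

# Constructed credential store (sample values, not real accounts).
USERS = {"operator": "sample-password-1"}


def password_ok(user, password):
    """Constant-time credential check shared by both designs."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


class ClientSideOnlyServer:
    """Weak design: the server assumes the client already verified the password.

    Each message carries only a user name, so the server cannot tell a client
    that authenticated apart from any sender that merely claims that name.
    """

    def __init__(self):
        self.audit = []  # (user, cmd) pairs the server acted on

    def handle(self, message):
        user = message.get("user")
        if user not in USERS:
            return "rejected: unknown user"
        self.audit.append((user, message["cmd"]))
        return f"ok: {message['cmd']} as {user}"


def client_side_only_client(server, user, password, cmd):
    """Legitimate client for the weak design: checks the password locally,
    then sends a message that carries no proof of that check."""
    if not password_ok(user, password):
        return "client refused: bad password"
    return server.handle({"user": user, "cmd": cmd})


class ServerSideAuthServer:
    """Hardened design: the server verifies credentials itself, issues a session
    token, and requires that token on every later message."""

    def __init__(self):
        self._sessions = {}  # token -> user, held only on the server
        self.audit = []

    def login(self, user, password):
        if not password_ok(user, password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def handle(self, message):
        # Identity comes from the server's own session table, never from a
        # field the sender controls.
        user = self._sessions.get(message.get("token"))
        if user is None:
            return "rejected: no valid session"
        self.audit.append((user, message["cmd"]))
        return f"ok: {message['cmd']} as {user}"


def demo_client_side_only():
    """(legitimate client result, result for a message sent with no password check)."""
    srv = ClientSideOnlyServer()
    legit = client_side_only_client(srv, "operator", "sample-password-1", "set_setpoint")
    # A sender that skips the client entirely and just names a user is treated identically.
    unauthenticated = srv.handle({"user": "operator", "cmd": "set_setpoint"})
    return legit, unauthenticated


def demo_server_side():
    """The same two senders against the hardened server."""
    srv = ServerSideAuthServer()
    token = srv.login("operator", "sample-password-1")
    legit = srv.handle({"token": token, "cmd": "set_setpoint"})
    unauthenticated = srv.handle({"user": "operator", "cmd": "set_setpoint"})
    return legit, unauthenticated


if __name__ == "__main__":
    print("client-side only:", demo_client_side_only())
    print("server-side auth:", demo_server_side())
```

The point of the `audit` lists is that, in the weak design, the server's own records attribute the unauthenticated command to `operator`, which is why the summary says such use would go undetected; network segmentation and firewalling (the mitigations listed further down) reduce who can reach the server at all, but only server-side verification removes the flaw.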
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects safety-critical building systems, high CVSS score (9.8)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
3 EOL
Product            | Affected Versions | Fix Status
Cerberus DMS       | All versions      | No fix (EOL)
Desigo CC          | All versions      | No fix (EOL)
Desigo CC Compact  | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
Cerberus DMS
HARDENING: Implement network segmentation to restrict access to Desigo CC and Cerberus DMS systems to authorized engineering and operations personnel only
All products
HARDENING: Deploy firewall rules to limit client-server communication to trusted internal networks and block external access
WORKAROUND: Follow Siemens recommended mitigations documented in support article 109813389
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Cerberus DMS
HARDENING: Monitor network traffic to Desigo CC and Cerberus DMS for unauthorized connection attempts