OTPulse

Denial of Service Vulnerability in FTP Server of Nucleus RTOS based APOGEE, TALON and Desigo PXC/PXM Products

Plan Patch · CVSS 7.5 · SSA-935500 · Oct 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial of service vulnerability exists in the Nucleus RTOS used by Siemens APOGEE, TALON, and Desigo building automation controllers. The vulnerability is in the FTP server component and can be triggered by sending a specially crafted FTP request that causes the device to consume excessive resources and become unresponsive. Affected devices will lose all control functionality (HVAC, lighting, energy management) until manually rebooted. The vulnerability stems from improper resource handling in the underlying Nucleus real-time operating system.

What this means
What could happen
An attacker on the network can send malicious FTP requests to crash the affected device, causing loss of building automation or process control functionality until the device is manually rebooted.
Who's at risk
Building automation operators and facility managers running Siemens APOGEE, TALON, or Desigo PXC/PXM controllers. These devices manage HVAC, lighting, energy, and other critical building systems in commercial facilities. APOGEE MBC and MEC controllers with no available patch are particularly at risk.
How it could be exploited
An attacker with network access to the FTP port (typically port 21) on the device sends a specially crafted FTP request that exhausts system resources, triggering a denial of service condition. No authentication is required; the attack can be launched against the FTP service directly.
Prerequisites
  • Network access to FTP port (21) on the affected device
  • No credentials required
  • Device must be running a vulnerable version of Nucleus RTOS
  • Remotely exploitable over network
  • No authentication required
  • Low complexity attack
  • FTP service enabled by default on vulnerable devices
  • APOGEE MBC and MEC products have no patch available (end-of-life)
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (23)
19 with fix, 4 EOL

Product | Affected Versions | Fix Status
APOGEE PXC Compact (BACnet) | < V3.5.7 | 3.5.7
APOGEE PXC Compact (P2 Ethernet) | < V2.8.21 | 2.8.21
APOGEE PXC Modular (BACnet) | < V3.5.7 | 3.5.7
APOGEE PXC Modular (P2 Ethernet) | < V2.8.21 | 2.8.21
Desigo PXC00-E.D | ≥ V2.3, < V6.30.37 | 6.30.37
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to FTP port (21) on affected devices using firewall rules or network segmentation; block external connections to the FTP service
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

APOGEE PXC Compact (BACnet)
HOTFIX: Update APOGEE PXC Compact (BACnet) and APOGEE PXC Compact (P2 Ethernet) to version 2.8.21 or later
HOTFIX: Update APOGEE PXC Modular (BACnet) and APOGEE PXC Modular (P2 Ethernet) to version 3.5.7 or later
HOTFIX: Update TALON TC Compact and TALON TC Modular (BACnet) to version 3.5.7 or later
All products
HOTFIX: Update all Desigo PXC and PXM products to firmware version 6.30.37 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: APOGEE MEC (PPC) (BACnet), APOGEE MEC (PPC) (P2 Ethernet), APOGEE MBC (PPC) (BACnet), APOGEE MBC (PPC) (P2 Ethernet). Apply the following compensating controls:
HARDENING: Segment building automation and process control networks from general IT networks to limit attacker access to FTP ports
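To work out which devices in an inventory need the hotfix, which are already at or past the fixed version, and which are end-of-life and need the compensating controls above, here is an added triage example (not OTPulse or Siemens tooling) driven by the affected-versions table and the end-of-life list on this page; the hostnames and firmware versions in the sample inventory are constructed.

```python
# Added example (not OTPulse or Siemens tooling): triage a device inventory against
# this advisory's affected-versions table and its end-of-life product list.
from typing import Dict, List, Optional, Tuple

def parse_version(s: str) -> Tuple[int, ...]:
    """'V3.5.7' or '6.30.37' -> (3, 5, 7); assumes dotted numeric firmware versions."""
    return tuple(int(p) for p in s.strip().lstrip("Vv").split("."))

# product -> (inclusive lower bound of affected range or None, first fixed version or None).
# A None fix means end of life with no patch planned. Rows transcribed from the page.
ADVISORY: Dict[str, Tuple[Optional[str], Optional[str]]] = {
    "APOGEE PXC Compact (BACnet)":      (None, "3.5.7"),
    "APOGEE PXC Compact (P2 Ethernet)": (None, "2.8.21"),
    "APOGEE PXC Modular (BACnet)":      (None, "3.5.7"),
    "APOGEE PXC Modular (P2 Ethernet)": (None, "2.8.21"),
    "Desigo PXC00-E.D":                 ("2.3", "6.30.37"),
    "APOGEE MEC (PPC) (BACnet)":        (None, None),
    "APOGEE MEC (PPC) (P2 Ethernet)":   (None, None),
    "APOGEE MBC (PPC) (BACnet)":        (None, None),
    "APOGEE MBC (PPC) (P2 Ethernet)":   (None, None),
}

def triage(product: str, version: str) -> str:
    """Classify one device: not-listed, not-affected, patched, update or eol-mitigate."""
    if product not in ADVISORY:
        return "not-listed"
    lower, fixed_in = ADVISORY[product]
    if fixed_in is None:
        return "eol-mitigate"  # no patch: restrict TCP/21 and segment the BAS network
    v = parse_version(version)
    if lower is not None and v < parse_version(lower):
        return "not-affected"  # below the advisory's lower bound (e.g. Desigo < V2.3)
    return "patched" if v >= parse_version(fixed_in) else "update"

def triage_inventory(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group (host, product, version) records by the action they need."""
    groups: Dict[str, List[str]] = {}
    for host, product, version in inventory:
        groups.setdefault(triage(product, version), []).append(host)
    return groups

# Constructed sample inventory (hypothetical hostnames and firmware versions).
SAMPLE = [
    ("bas-pxc-01", "APOGEE PXC Compact (BACnet)", "V3.5.6"),
    ("bas-pxc-02", "APOGEE PXC Modular (P2 Ethernet)", "V2.8.21"),
    ("bas-pxc-03", "Desigo PXC00-E.D", "V2.2"),
    ("bas-mbc-01", "APOGEE MBC (PPC) (BACnet)", "V1.0"),
]
```

Only the table rows shown on this page are encoded; extend ADVISORY from the full Siemens advisory before using it on a real inventory, and treat every "update" and "eol-mitigate" host as a candidate for the TCP/21 firewall workaround until it is patched.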