OTPulse

Buffer Overflow Vulnerability in Web Server of APOGEE and TALON Automation Devices

Severity: Act Now
CVSS: 9.8
Siemens advisory: SSA-944498
Published: Sep 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A buffer overflow vulnerability exists in the integrated web server of multiple Siemens APOGEE and TALON automation controller models. A remote attacker can exploit this vulnerability by sending a specially crafted network request to execute arbitrary code with root privileges on the affected device. Affected products include APOGEE MBC/MEC/PXC and TALON TC devices. Siemens has released patches for BACnet variants but no fix is available for P2 Ethernet variants running firmware V2.6.3 or later (MBC/MEC) and V2.8 or later (PXC).

What this means
What could happen
An attacker could run arbitrary code with root privileges on these automation controllers, potentially disrupting HVAC, lighting, and other building systems operations or stealing sensitive control system data.
Who's at risk
Building automation and HVAC system operators using Siemens APOGEE or TALON controllers, particularly those relying on P2 Ethernet or BACnet connectivity. Equipment affected includes APOGEE MBC, MEC, PXC Compact and Modular controllers, and TALON TC Compact and Modular controllers used in energy management applications.
How it could be exploited
An attacker sends a specially crafted network request to the web server port on an affected device. The buffer overflow in the web server allows the attacker to execute arbitrary code with root privileges on the device without needing valid credentials.
Prerequisites
  • Network access to the web server port (typically port 80 or 443) on the affected device
  • The device must be running a vulnerable firmware version
Tags: remotely exploitable · no authentication required · low complexity · affects critical automation systems · no patch available for P2 Ethernet variants
Exploitability
Moderate exploit probability (EPSS 2.9%)
Affected products (8): 4 with fix, 4 EOL

Product                            Affected Versions   Fix Status
APOGEE PXC Compact (BACnet)        < V3.5.3            3.5.3
APOGEE PXC Modular (BACnet)        < V3.5.3            3.5.3
TALON TC Compact (BACnet)          < V3.5.3            3.5.3
TALON TC Modular (BACnet)          < V3.5.3            3.5.3
APOGEE MBC (PPC) (P2 Ethernet)     ≥ V2.6.3            No fix (EOL)
APOGEE MEC (PPC) (P2 Ethernet)     ≥ V2.6.3            No fix (EOL)
APOGEE PXC Compact (P2 Ethernet)   ≥ V2.8              No fix (EOL)
APOGEE PXC Modular (P2 Ethernet)   ≥ V2.8              No fix (EOL)
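To turn the table above into a repeatable inventory check, here is an added example in Python (not code from the OTPulse page or from Siemens): it encodes the affected ranges and fix statuses exactly as listed in the table, parses firmware strings such as V3.5.3, and classifies each row of a constructed host,product,firmware CSV as patchable, EOL with no fix, or out of scope. The host names, firmware values and the CSV layout are assumptions made for the example.

```python
# Added example (not part of the OTPulse advisory or any Siemens tooling):
# triage a controller inventory against the affected-version table published
# in SSA-944498. Host names and firmware values below are constructed.
import csv
import io
import re
from dataclasses import dataclass

# Affected ranges exactly as listed in the advisory table.
# "lt": affected below the fix version (patch available).
# "ge": affected from that version on, no fix available (EOL).
AFFECTED = {
    "APOGEE PXC Compact (BACnet)":      ("lt", "3.5.3"),
    "APOGEE PXC Modular (BACnet)":      ("lt", "3.5.3"),
    "TALON TC Compact (BACnet)":        ("lt", "3.5.3"),
    "TALON TC Modular (BACnet)":        ("lt", "3.5.3"),
    "APOGEE MBC (PPC) (P2 Ethernet)":   ("ge", "2.6.3"),
    "APOGEE MEC (PPC) (P2 Ethernet)":   ("ge", "2.6.3"),
    "APOGEE PXC Compact (P2 Ethernet)": ("ge", "2.8"),
    "APOGEE PXC Modular (P2 Ethernet)": ("ge", "2.8"),
}

NO_FIX_ACTION = ("no fix (EOL): restrict the web server ports to trusted "
                 "networks or disable the integrated web server")


def parse_version(text):
    """'V3.5.3', '3.5' or ' v2.8 ' -> comparable tuple, padded to 3 parts
    so that '2.8' and '2.8.0' compare equal."""
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


@dataclass
class Finding:
    host: str
    product: str
    firmware: str
    affected: bool
    action: str


def assess(host, product, firmware):
    """Classify one device against the advisory table."""
    rule = AFFECTED.get(product)
    if rule is None:
        return Finding(host, product, firmware, False, "not listed in advisory")
    op, boundary = rule
    v, b = parse_version(firmware), parse_version(boundary)
    if op == "lt":
        if v < b:
            return Finding(host, product, firmware, True,
                           f"update firmware to V{boundary} or later")
        return Finding(host, product, firmware, False,
                       "fixed firmware already installed")
    # op == "ge": everything from the boundary upwards is affected and EOL
    if v >= b:
        return Finding(host, product, firmware, True, NO_FIX_ACTION)
    return Finding(host, product, firmware, False,
                   "below the affected range listed in the advisory")


def triage(inventory_csv):
    """Run assess() over CSV text with a host,product,firmware header."""
    reader = csv.DictReader(io.StringIO(inventory_csv.strip()))
    return [assess(r["host"], r["product"], r["firmware"]) for r in reader]


# Constructed sample inventory (not real hosts or data from the advisory).
SAMPLE_INVENTORY = """\
host,product,firmware
bms-pxc-01,APOGEE PXC Compact (BACnet),V3.5.1
bms-pxc-02,APOGEE PXC Compact (BACnet),V3.5.3
bms-mec-07,APOGEE MEC (PPC) (P2 Ethernet),V2.6.3
bms-pxc-11,APOGEE PXC Modular (P2 Ethernet),V2.7
bms-misc-01,Some Other Controller,V1.0
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        flag = "AFFECTED" if f.affected else "ok"
        print(f"{f.host:12} {f.product:34} {f.firmware:7} {flag:8} {f.action}")
```

The version parser pads short versions so that a boundary written as "2.8" matches firmware reported as "2.8.0"; a device that reports a version in an unexpected format raises rather than being silently marked unaffected.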
Remediation & Mitigation

Do now
  • [HARDENING] APOGEE PXC Compact (P2 Ethernet): For APOGEE MBC/MEC (P2 Ethernet) and APOGEE PXC Compact/Modular (P2 Ethernet) devices with no available fix, implement network segmentation to restrict access to the web server ports from untrusted networks
  • [WORKAROUND] All products: Implement firewall rules to block unauthorized access to the web server ports on affected devices, limiting access to trusted engineering workstations and management networks only

Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption.
  • [HOTFIX] APOGEE PXC Compact (BACnet): Update APOGEE PXC Compact (BACnet), APOGEE PXC Modular (BACnet), TALON TC Compact (BACnet), and TALON TC Modular (BACnet) to firmware version 3.5.3 or later
  • [HARDENING] All products: Disable the integrated web server on affected devices if it is not required for operations