Vulnerabilities in the Network Communication Stack in Desigo Fire Safety UL and Cerberus PRO UL Fire Protection Systems
Act Now10SSA-953710May 14, 2024
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Buffer overflow vulnerabilities in the network communication stack of Desigo Fire Safety UL and Cerberus PRO UL Fire Protection Systems could allow an unauthenticated attacker with network access to execute arbitrary code (CVE-2024-22039) or cause denial of service (CVE-2024-22040, CVE-2024-22041). The vulnerabilities affect Cerberus PRO UL Compact Panel FC922/924, Cerberus PRO UL Engineering Tool, Cerberus PRO UL X300 Cloud Distribution, Desigo Fire Safety UL Compact Panel FC2025/2050, Desigo Fire Safety UL Engineering Tool, and Desigo Fire Safety UL X300 Cloud Distribution. Siemens recommends updating to MP4 or later for Compact Panel and Engineering Tool products, and V4.3.0001 or later for X300 Cloud Distribution.
What this means
What could happen
An unauthenticated attacker with access to the fire safety system network could execute arbitrary code on control panels and engineering tools, potentially disabling fire detection and alarm capabilities, or crash these systems causing a denial of service.
Who's at risk
Fire protection system operators and facilities managers responsible for Desigo Fire Safety UL and Cerberus PRO UL systems need to act immediately. Affected equipment includes fire detection and alarm control panels (FC922, FC924, FC2025, FC2050), engineering workstations used to configure and maintain these systems, and cloud distribution systems. Any water utility, municipality, hospital, or industrial site using these Siemens fire safety products is at risk.
How it could be exploited
An attacker with network access to the fire protection system can send malformed packets to the network communication stack on the affected panels or engineering tools, exploiting buffer overflow vulnerabilities (CWE-120, CWE-125, CWE-119) to run arbitrary commands or crash the system without needing credentials.
Prerequisites
- Network access to the fire protection system network where the affected panels or engineering tools are located
- No authentication required
remotely exploitableno authentication requiredlow complexityaffects safety systemscritical CVSS score (10.0)no patch available for Compact Panel and Engineering Tool variants
Exploitability
Moderate exploit probability (EPSS 8.0%)
Affected products (6)
2 with fix4 EOL
ProductAffected VersionsFix Status
Cerberus PRO UL X300 Cloud Distribution<V4.3.00014.3.0001
Cerberus PRO UL Engineering ToolAll versions < MP4No fix (EOL)
Desigo Fire Safety UL Compact Panel FC2025/2050All versions < MP4No fix (EOL)
Desigo Fire Safety UL X300 Cloud Distribution<V4.3.00014.3.0001
Desigo Fire Safety UL Engineering ToolAll versions < MP4No fix (EOL)
Cerberus PRO UL Compact Panel FC922/924All versions < MP4No fix (EOL)
Remediation & Mitigation
0/8
Do now
0/8Cerberus PRO UL Compact Panel FC922/924
HOTFIXUpdate Cerberus PRO UL Compact Panel FC922/924 to MP4 or later version
Cerberus PRO UL Engineering Tool
HOTFIXUpdate Cerberus PRO UL Engineering Tool to MP4 or later version
Cerberus PRO UL X300 Cloud Distribution
HOTFIXUpdate Cerberus PRO UL X300 Cloud Distribution to V4.3.0001 or later
Desigo Fire Safety UL Compact Panel FC2025/2050
HOTFIXUpdate Desigo Fire Safety UL Compact Panel FC2025/2050 to MP4 or later version
Desigo Fire Safety UL Engineering Tool
HOTFIXUpdate Desigo Fire Safety UL Engineering Tool to MP4 or later version
Desigo Fire Safety UL X300 Cloud Distribution
HOTFIXUpdate Desigo Fire Safety UL X300 Cloud Distribution to V4.3.0001 or later
All products
HARDENINGIsolate fire protection system network from corporate IT network using firewalls and network segmentation to restrict unauthorized access
HARDENINGImplement network access controls to limit which devices can communicate with fire panel networks; disable remote access to engineering tools if not required
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/f0c5a449-71f6-4496-b784-6e3b3fb01ff9