SSA-162506

Siemens Security Advisory by Siemens ProductCERT

SSA-162506: DHCP Client Vulnerability in SIMOTICS CONNECT 400, Desigo PXC/PXM, APOGEE MEC/MBC/PXC, APOGEE PXC Series, and TALON TC Series

Publication Date:	2020-04-14
Last Update:	2025-06-10
Current Version:	V1.4
CVSS v3.1 Base Score:	7.1
CVSS v4.0 Base Score:	7.1

SUMMARY

SIMOTICS CONNECT 400, Desigo (Power PC-based), APOGEE MEC/MBC/PXC and TALON TC products are affected by a DHCP Client vulnerability as initially reported in SSA-434032 for the Mentor Nucleus Networking Module.

Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet available.

KNOWN AFFECTED PRODUCTS

Un-/Collapse All

Affected Product and Versions	Remediation
APOGEE MEC/MBC/PXC (P2) All versions < V2.8.2 affected by CVE-2019-13939	Currently no fix is planned See recommendations from section Workarounds and Mitigations
APOGEE PXC Compact (BACnet) All versions < V3.5.3 affected by CVE-2019-13939	Update to V3.5.3 or later version https://partnerportal.extranet.dc.siemens.com/ See further recommendations from section Workarounds and Mitigations
APOGEE PXC Compact (P2 Ethernet) All versions >= V2.8.2 < V2.8.19 affected by CVE-2019-13939	Update to V2.8.19 or later version https://partnerportal.extranet.dc.siemens.com/ See further recommendations from section Workarounds and Mitigations
APOGEE PXC Modular (BACnet) All versions < V3.5.3 affected by CVE-2019-13939	Update to V3.5.3 or later version https://partnerportal.extranet.dc.siemens.com/ See further recommendations from section Workarounds and Mitigations
APOGEE PXC Modular (P2 Ethernet) All versions >= V2.8.2 < V2.8.19 affected by CVE-2019-13939	Update to V2.8.19 or later version https://partnerportal.extranet.dc.siemens.com/ See further recommendations from section Workarounds and Mitigations
Desigo PXC00-E.D All versions >= V2.3 < V6.0.327 affected by CVE-2019-13939	Update to V6.0.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC00-U All versions >= V2.3x and < V6.00.327 affected by CVE-2019-13939	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC001-E.D All versions >= V2.3 < V6.0.327 affected by CVE-2019-13939	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC12-E.D All versions >= V2.3 < V6.0.327 affected by CVE-2019-13939	Update to V6.0.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC22-E.D All versions >= V2.3 < V6.0.327 affected by CVE-2019-13939	Update to V6.0.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC22.1-E.D All versions >= V2.3 < V6.0.327 affected by CVE-2019-13939	Update to V6.0.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC36.1-E.D All versions >= V2.3 < V6.0.327 affected by CVE-2019-13939	Update to V6.0.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC50-E.D All versions >= V2.3 < V6.0.327 affected by CVE-2019-13939	Update to V6.0.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC64-U All versions >= V2.3x and < V6.00.327 affected by CVE-2019-13939	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC100-E.D All versions >= V2.3 < V6.0.327 affected by CVE-2019-13939	Update to V6.0.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC128-U All versions >= V2.3x and < V6.00.327 affected by CVE-2019-13939	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC200-E.D All versions >= V2.3 < V6.0.327 affected by CVE-2019-13939	Update to V6.0.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXM20-E All versions >= V2.3 < V6.0.327 affected by CVE-2019-13939	Update to V6.0.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
SIMOTICS CONNECT 400 All versions < V0.3.0.330 affected by CVE-2019-13939	Update to V0.3.0.330 or later version https://support.industry.siemens.com/cs/ww/en/view/109778383/ See further recommendations from section Workarounds and Mitigations
TALON TC Compact (BACnet) All versions < V3.5.3 affected by CVE-2019-13939	Update to V3.5.3 or later version https://partnerportal.extranet.dc.siemens.com/ See further recommendations from section Workarounds and Mitigations
TALON TC Modular (BACnet) All versions < V3.5.3 affected by CVE-2019-13939	Update to V3.5.3 or later version https://partnerportal.extranet.dc.siemens.com/ See further recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE, Desigo, and TALON products.)
APOGEE MEC, MBC, PXC (versions prior to V2.8.2): Use static IP address configuration as described above
APOGEE PXC Series and TALON TC Series products: If using static IP address is not possible, update to the fix version listed above or contact your local Siemens office for support

Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION

APOGEE MEC (Modular Equipement Controller), MBC (Modular Building Controller), and PXC devices are Direct Digital Control (DDC) devices and an integral part of the APOGEE Automation System. These are legacy devices, replaced by the APOGEE PXC Modular and Compact Series.

APOGEE PXC Modular and Compact Series devices are high-performance Direct Digital Control (DDC) devices and an integral part of the APOGEE Automation System.

Desigo PXC00-E.D: System controller BACnet/IP. Article No: BPZ:PXC00-E.D

Desigo PXC100-E.D: Automation station BACnet/IP, with up to 200 data points. Article No: BPZ:PXC100-E.D

Desigo PXC12-E.D: Automation station with 12 data points and BACnet on IP. Article No: BPZ:PXC12-E.D

Desigo PXC200-E.D: Automation station BACnet/IP, with more than 200 data points. Article No: BPZ:PXC200-E.D

Desigo PXC22-E.D: Automation station with 22 data points and BACnet on IP. Article No: BPZ:PXC22-E.D

Desigo PXC22.1-E.D: Automation station with 22 data points, extendable and BACnet on IP. Article No: S55372-C119

Desigo PXC36.1-E.D: Automation station with 36 data points, extendable and BACnet on IP. Article No: S55372-C121

Desigo PXC50-E.D: Automation station BACnet/IP, with up to 80 data points. Article No: S55372-C110

Desigo PXM20-E: Operator unit with BACnet on IP. Article No: BPZ:PXM20-E

SIMOTICS CONNECT 400 is a connector and sensor box, mounted on low-voltage motors to provide analytics data for the MindSphere application SIDRIVE IQ Fleet.

TALON TC Modular and Compact Series devices are high-performance Direct Digital Control (DDC) devices and an integral part of the TALON Automation System.

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2019-13939

By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.

CVSS v3.1 Base Score	7.1
CVSS v3.1 Vector	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CVSS v4.0 Base Score	7.1
CVSS v4.0 Vector	CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
CWE	CWE-20: Improper Input Validation

ADDITIONAL INFORMATION

Products listed in this advisory are based on Mentor Nucleus NET. See SSA-434032 for the related security advisory.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2020-04-14):	Publication Date
V1.1 (2021-01-12):	Added solution for Desigo PXC and PXM20
V1.2 (2022-04-12):	Listed all affected Desigo PXC and PXM20 products explicitly. Added solution for APOGEE PXC Series (BACnet) and TALON TC Series (BACnet)
V1.3 (2022-05-10):	Added solution for APOGEE PXC Series (P2)
V1.4 (2025-06-10):	CVE-2019-13939: Added CVSSv4.0 vector and changed CWE from CWE-840 to CWE-20

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.