SSA-162506

Siemens Security Advisory by Siemens ProductCERT

SSA-162506: DHCP Client Vulnerability in SIMOTICS CONNECT 400, Desigo PXC/PXM, APOGEE MEC/MBC/PXC, APOGEE PXC Series, and TALON TC Series

Publication Date:	2020-04-14
Last Update:	2022-05-10
Current Version:	V1.3
CVSS v3.1 Base Score:	7.1

SUMMARY

SIMOTICS CONNECT 400, Desigo (Power PC-based), APOGEE MEC/MBC/PXC and TALON TC products are affected by a DHCP Client vulnerability as initially reported in SSA-434032 for the Mentor Nucleus Networking Module.

Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet available.

AFFECTED PRODUCTS AND SOLUTION

Affected Product and Versions	Remediation
APOGEE MEC/MBC/PXC (P2): All versions < V2.8.2	Currently no fix is planned Use static IP address configuration See further recommendations from section Workarounds and Mitigations
APOGEE PXC Series (BACnet): All versions < V3.5.3	Update to V3.5.3 or later version See further recommendations from section Workarounds and Mitigations
APOGEE PXC Series (P2): All versions >= V2.8.2 and < V2.8.19	Update to V2.8.19 or later version See further recommendations from section Workarounds and Mitigations
Desigo PXC00-E.D: All versions >= V2.3x and < V6.00.327	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC00-U: All versions >= V2.3x and < V6.00.327	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC001-E.D: All versions >= V2.3x and < V6.00.327	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC12-E.D: All versions >= V2.3x and < V6.00.327	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC22-E.D: All versions >= V2.3x and < V6.00.327	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC22.1-E.D: All versions >= V2.3x and < V6.00.327	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC36.1-E.D: All versions >= V2.3x and < V6.00.327	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC50-E.D: All versions >= V2.3x and < V6.00.327	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC64-U: All versions >= V2.3x and < V6.00.327	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC100-E.D: All versions >= V2.3x and < V6.00.327	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC128-U: All versions >= V2.3x and < V6.00.327	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXC200-E.D: All versions >= V2.3x and < V6.00.327	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
Desigo PXM20-E: All versions >= V2.3x and < V6.00.327	Update to V6.00.327 or later version https://support.industry.siemens.com/cs/ww/en/view/109791941/ See further recommendations from section Workarounds and Mitigations
SIMOTICS CONNECT 400: All versions < V0.3.0.330	Update to V0.3.0.330 or later version https://support.industry.siemens.com/cs/ww/en/view/109778383/ See further recommendations from section Workarounds and Mitigations
TALON TC Series (BACnet): All versions < V3.5.3	Update to V3.5.3 or later version See further recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.)
APOGEE MEC, MBC, PXC (versions prior to V2.8.2): Use static IP address configuration as described above
APOGEE PXC Series and TALON TC Series products: If using static IP address is not possible, update to the fix version listed above or contact your local Siemens office for support

Product specific remediations or mitigations can be found in the section Affected Products and Solution.

Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens’ operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION

SIMOTICS CONNECT 400 is a connector and sensor box, mounted on low-voltage motors to provide analytics data for the MindSphere application SIDRIVE IQ Fleet.

The APOGEE MEC (Modular Equipement Controller), MBC (Modular Building Controller), and PXC are Direct Digital Control (DDC) devices and an integral part of the APOGEE Automation System. These are legacy devices, replaced by the APOGEE PXC Modular and Compact Series.

The APOGEE PXC Modular and Compact Series are high-performance Direct Digital Control (DDC) devices and an integral part of the APOGEE Automation System.

The Desigo PX automation stations and operator units control and monitor building automation systems. They allow for alarm signaling, time-based programs and trend logging.

The TALON TC Modular and Compact Series are high-performance Direct Digital Control (DDC) devices and an integral part of the TALON Automation System.

VULNERABILITY CLASSIFICATION

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

Vulnerability CVE-2019-13939

By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value.

The vulnerability could affect availability and integrity of the device. Adjacent network access is required, but no authentication and no user interaction is needed to conduct an attack.

CVSS v3.1 Base Score	7.1
CVSS Vector	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C
CWE:	CWE-840: Business Logic Errors

ADDITIONAL INFORMATION

Products listed in this advisory are based on Mentor Nucleus NET. See SSA-434032 for the related security advisory.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2020-04-14): Publication Date

V1.1 (2021-01-12): Added solution for Desigo PXC and PXM20

V1.2 (2022-04-12): Listed all affected Desigo PXC and PXM20 products explicitly. Added solution for APOGEE PXC Series (BACnet) and TALON TC Series (BACnet)

V1.3 (2022-05-10): Added solution for APOGEE PXC Series (P2)

Siemens Security Advisories are subject to the terms and conditions contained in Siemens’ underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens’ Global Website https://new.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.

SSA-162506