-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # SSA-162506: DHCP Client Vulnerability in SIMOTICS CONNECT 400, Desigo PXC/PXM, APOGEE MEC/MBC/PXC, APOGEE PXC Series, and TALON TC Series Publication Date: 2020-04-14 Last Update: 2022-05-10 Current Version: 1.3 CVSS v3.1 Base Score: 7.1 SUMMARY ======= SIMOTICS CONNECT 400, Desigo (Power PC-based), APOGEE MEC/MBC/PXC and TALON TC products are affected by a DHCP Client vulnerability as initially reported in SSA-434032 for the Mentor Nucleus Networking Module. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet available. AFFECTED PRODUCTS AND SOLUTION ============================== * APOGEE MEC/MBC/PXC (P2) - Affected versions: All versions < V2.8.2 - Remediation: Currently no fix is planned Use static IP address configuration See further recommendations from section "Workarounds and Mitigations" * APOGEE PXC Series (BACnet) - Affected versions: All versions < V3.5.3 - Remediation: Update to V3.5.3 or later version See further recommendations from section "Workarounds and Mitigations" * APOGEE PXC Series (P2) - Affected versions: All versions >= V2.8.2 and < V2.8.19 - Remediation: Update to V2.8.19 or later version See further recommendations from section "Workarounds and Mitigations" * Desigo PXC00-E.D - Affected versions: All versions >= V2.3x and < V6.00.327 - Remediation: Update to V6.00.327 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109791941/ * Desigo PXC00-U - Affected versions: All versions >= V2.3x and < V6.00.327 - Remediation: Update to V6.00.327 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109791941/ * Desigo PXC001-E.D - Affected versions: All versions >= V2.3x and < V6.00.327 - Remediation: Update to V6.00.327 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109791941/ * Desigo PXC12-E.D - Affected versions: All versions >= V2.3x and < V6.00.327 - Remediation: Update to V6.00.327 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109791941/ * Desigo PXC22-E.D - Affected versions: All versions >= V2.3x and < V6.00.327 - Remediation: Update to V6.00.327 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109791941/ * Desigo PXC22.1-E.D - Affected versions: All versions >= V2.3x and < V6.00.327 - Remediation: Update to V6.00.327 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109791941/ * Desigo PXC36.1-E.D - Affected versions: All versions >= V2.3x and < V6.00.327 - Remediation: Update to V6.00.327 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109791941/ * Desigo PXC50-E.D - Affected versions: All versions >= V2.3x and < V6.00.327 - Remediation: Update to V6.00.327 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109791941/ * Desigo PXC64-U - Affected versions: All versions >= V2.3x and < V6.00.327 - Remediation: Update to V6.00.327 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109791941/ * Desigo PXC100-E.D - Affected versions: All versions >= V2.3x and < V6.00.327 - Remediation: Update to V6.00.327 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109791941/ * Desigo PXC128-U - Affected versions: All versions >= V2.3x and < V6.00.327 - Remediation: Update to V6.00.327 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109791941/ * Desigo PXC200-E.D - Affected versions: All versions >= V2.3x and < V6.00.327 - Remediation: Update to V6.00.327 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109791941/ * Desigo PXM20-E - Affected versions: All versions >= V2.3x and < V6.00.327 - Remediation: Update to V6.00.327 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109791941/ * SIMOTICS CONNECT 400 - Affected versions: All versions < V0.3.0.330 - Remediation: Update to V0.3.0.330 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109778383/ * TALON TC Series (BACnet) - Affected versions: All versions < V3.5.3 - Remediation: Update to V3.5.3 or later version See further recommendations from section "Workarounds and Mitigations" WORKAROUNDS AND MITIGATIONS =========================== Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: * Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products.) * APOGEE MEC, MBC, PXC (versions prior to V2.8.2): Use static IP address configuration as described above * APOGEE PXC Series and TALON TC Series products: If using static IP address is not possible, update to the fix version listed above or contact your local Siemens office for support Product specific remediations or mitigations can be found in the section "Affected Products and Solution". Please follow the "General Security Recommendations". GENERAL SECURITY RECOMMENDATIONS ================================ As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity PRODUCT DESCRIPTION =================== SIMOTICS CONNECT 400 is a connector and sensor box, mounted on low-voltage motors to provide analytics data for the MindSphere application SIDRIVE IQ Fleet. The APOGEE MEC (Modular Equipement Controller), MBC (Modular Building Controller), and PXC are Direct Digital Control (DDC) devices and an integral part of the APOGEE Automation System. These are legacy devices, replaced by the APOGEE PXC Modular and Compact Series. The APOGEE PXC Modular and Compact Series are high-performance Direct Digital Control (DDC) devices and an integral part of the APOGEE Automation System. The Desigo PX automation stations and operator units control and monitor building automation systems. They allow for alarm signaling, time-based programs and trend logging. The TALON TC Modular and Compact Series are high-performance Direct Digital Control (DDC) devices and an integral part of the TALON Automation System. VULNERABILITY CLASSIFICATION ============================ The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring. An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/. * Vulnerability CVE-2019-13939 By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value. The vulnerability could affect availability and integrity of the device. Adjacent network access is required, but no authentication and no user interaction is needed to conduct an attack. CVSS v3.1 Base Score: 7.1 CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C CWE: CWE-840: Business Logic Errors ADDITIONAL INFORMATION ====================== Products listed in this advisory are based on Mentor Nucleus NET. See SSA-434032 for the related security advisory. For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories HISTORY DATA ============ V1.0 (2020-04-14): Publication Date V1.1 (2021-01-12): Added solution for Desigo PXC and PXM20 V1.2 (2022-04-12): Listed all affected Desigo PXC and PXM20 products explicitly. Added solution for APOGEE PXC Series (BACnet) and TALON TC Series (BACnet) V1.3 (2022-05-10): Added solution for APOGEE PXC Series (P2) TERMS OF USE ============ Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use. Copyright: Siemens 2022 -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEHyx/myPwjH9jB9tDlm7gTEmyujQFAmJ5qwAACgkQlm7gTEmy ujRKuA/+O+wg52jax7c7AcFfshXxmuZ3mxwulAK/tbsdvs5Nx2efrKy2KSOMyAd9 TVOUu8h9j20aLx+138OqeK6w8x3MTR1b+3AYknLXRWCgQw/aBLJxzdo20SXrchIW wxJVQ1iaVbNx1OVZJfV1htTKQwLvJyA78w5UES+/vs432idybPvbvVu9HwjVh23k dQRFZWIB2Y86crVIf1IFEZgVvUTiYXstjJ4N4VvFee8OdlUZffmluXHCOVC8S+mW 94z5T7WfIj7kR8hP3mqXYGDJTEVJCBxbFUoe9KGzScCZlD/UshyCiOayn7Wjln+h Y0xXl9Q4wY4ETmYS0YVS/NiHK9XzahOkwxeFh+2xnNX1QN6R7RzSQzFsuzsGUmFe MSKZdaNYJuO6Pq2D7LE0KP3K29mt1uEYC4smNvNu/ibdDBP9KE+bOS0X/JOPLi75 6KmdUf9EHn6lRHv4Tmz3vyMBTSyBi0EcEBZYYA7YeZjWyR5ygqy9tQ/xvLlC4m2+ p2FCopwRllo6DaTHDN6tlUwD8j+w3lIWzL11GJWbyoGLDczpNh3q+8Ec2A2MAJT7 B31cnUUoCzBJgJgKqI1zgeWgaV4AYTaTQy9UEXASlWDmYjA0fLlIOQNfJjHTCxQZ lph2O+jRGOf+YEYzY1oVVPIPb6TWKQ4M0+vj7swPH2JYcijfZhU= =pn8z -----END PGP SIGNATURE-----