nessus
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
TENABLE_OT_SIEMENS_CVE-2017-9946.NASL
History: Feb 07, 2022 - 12:00 a.m.

Siemens BACnet Field Panels Authentication Bypass Using an Alternate Path or Channel (CVE-2017-9946)

2022-02-07 00:00:00
www.tenable.com

CVSS2: 5 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.5 High (Confidence: High)
EPSS: 0.01 Low (Percentile: 83.6%)

A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in all versions <V3.5. An attacker with network access to the integrated web server (80/tcp and 443/tcp) could bypass the authentication and download sensitive information from the device.

  • A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in all versions <V3.5. An attacker with network access to the integrated web server (80/tcp and 443/tcp) could bypass the authentication and download sensitive information from the device. (CVE-2017-9946)
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(500107);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2017-9946");

  script_name(english:"Siemens BACnet Field Panels Authentication Bypass Using an Alternate Path or Channel (CVE-2017-9946)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in all versions
<V3.5. An attacker with network access to the integrated web server (80/tcp and 443/tcp) could bypass the authentication
and download sensitive information from the device.

  - A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in
    all versions <V3.5. An attacker with network access to the integrated web server (80/tcp and 443/tcp)
    could bypass the authentication and download sensitive information from the device. (CVE-2017-9946)");
  # https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-148078.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?39061797");
  # http://packetstormsecurity.com/files/169544/Siemens-APOGEE-PXC-TALON-TC-Authentication-Bypass.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8c345dfe");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-17-285-05");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens
recommends countermeasures for products where updates are not, or not yet available.

- APOGEE PXC Compact (BACnet): Update to v3.5 or later version
- APOGEE PXC Compact (P2 Ethernet): Disable the integrated webserver
- APOGEE PXC Modular (BACnet): Update to v3.5 or later version
- APOGEE PXC Modular (P2 Ethernet): Disable the integrated webserver
- TALON TC Compact (BACnet): Update to v3.5 or later version
- TALON TC Modular (BACnet): Update to v3.5 or later version

Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:

- Siemens recommends disabling the integrated webserver when not in use
- Please contact a Siemens office for additional support

As a general security measure Siemens strongly recommends protecting network access to affected products with
appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a
protected IT environment.

For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security
Advisory SSA-148078");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-9946");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(287);

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/10/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_bacnet_automation_controller_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:apogee_pxc_firmware" :
        {"versionEndExcluding" : "3.5", "family" : "Apogee"},
    "cpe:/o:siemens:apogee_pxc_modular_firmware" :
        {"versionEndExcluding" : "3.5", "family" : "PxcModular"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

| Vendor | Product | Version | CPE |
| siemens | apogee_pxc_bacnet_automation_controller_firmware | | cpe:/o:siemens:apogee_pxc_bacnet_automation_controller_firmware |
