Siemens APOGEE and TALON Buffer Copy Without Checking Size of Input (CVE-2021-27391)

Source: Nessus plugin TENABLE_OT_SIEMENS_CVE-2021-27391.NASL
Published: Feb 07, 2022 - 12:00 a.m.
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

AI Score: 9.9 High (Confidence: High)

EPSS: 0.008 Low (Percentile: 81.5%)

A vulnerability has been identified in APOGEE MBC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE MEC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3).
The web server of affected devices lacks proper bounds checking when parsing the Host parameter in HTTP requests, which could lead to a buffer overflow. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the device with root privileges.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(500597);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/11");

  script_cve_id("CVE-2021-27391");

  script_name(english:"Siemens APOGEE and TALON Buffer Copy Without Checking Size of Input (CVE-2021-27391)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in APOGEE MBC (PPC) (P2 Ethernet)
(All versions >= V2.6.3), APOGEE MEC (PPC) (P2 Ethernet) (All versions
>= V2.6.3), APOGEE PXC Compact (BACnet) (All versions < V3.5.3),
APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8), APOGEE PXC
Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2
Ethernet) (All versions >= V2.8), TALON TC Compact (BACnet) (All
versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3).
The web server of affected devices lacks proper bounds checking when
parsing the Host parameter in HTTP requests, which could lead to a
buffer overflow. An unauthenticated remote attacker could exploit this
vulnerability to execute arbitrary code on the device with root
privileges.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-944498.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-21-257-07");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens recommends updating the following products to v3.5.3 or later (login required):

- APOGEE PXC Compact (BACnet)
- APOGEE PXC Modular (BACnet)
- TALON TC Compact (BACnet)
- TALON TC Modular (BACnet)

For products not listed above Siemens has recommended the following workarounds and mitigations:

- Contact a Siemens office for support.
- Restrict access to the device, especially to the web interface. 80/TCP and 443/TCP should only be connected to trusted
IP addresses.
- Disable the integrated web server.

As a general security measure, Siemens strongly recommends protecting network access to affected products with
appropriate mechanisms. It is advised to follow recommended security practices to run the devices in a protected IT
environment.

For more information see Siemens Security Advisory SSA-944498");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-27391");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(120);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/09/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_mbc_%28ppc%29_%28p2_ethernet%29_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_mec_%28ppc%29_%28p2_ethernet%29_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_bacnet_automation_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_compact_%28p2_ethernet%29_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_modular_%28bacnet%29_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_modular_%28p2_ethernet%29_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:apogee_mbc_%28ppc%29_%28p2_ethernet%29_firmware" :
        {"versionEndIncluding" : "2.6.3", "family" : "Apogee"},
    "cpe:/o:siemens:apogee_mec_%28ppc%29_%28p2_ethernet%29_firmware" :
        {"versionEndIncluding" : "2.6.3", "family" : "Apogee"},
    "cpe:/o:siemens:apogee_pxc_bacnet_automation_controller_firmware" :
        {"versionEndExcluding" : "3.5.3", "family" : "Apogee"},
    "cpe:/o:siemens:apogee_pxc_compact_%28p2_ethernet%29_firmware" :
        {"versionEndIncluding" : "2.8", "family" : "PxcCompact"},
    "cpe:/o:siemens:apogee_pxc_modular_%28bacnet%29_firmware" :
        {"versionEndExcluding" : "3.5.3", "family" : "PxcModular"},
    "cpe:/o:siemens:apogee_pxc_modular_%28p2_ethernet%29_firmware" :
        {"versionEndIncluding" : "2.8", "family" : "PxcModular"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);
Affected CPEs (Vendor | Product | Version | CPE):

siemens | apogee_mbc_%28ppc%29_%28p2_ethernet%29_firmware | - | cpe:/o:siemens:apogee_mbc_%28ppc%29_%28p2_ethernet%29_firmware
siemens | apogee_mec_%28ppc%29_%28p2_ethernet%29_firmware | - | cpe:/o:siemens:apogee_mec_%28ppc%29_%28p2_ethernet%29_firmware
siemens | apogee_pxc_bacnet_automation_controller_firmware | - | cpe:/o:siemens:apogee_pxc_bacnet_automation_controller_firmware
siemens | apogee_pxc_compact_%28p2_ethernet%29_firmware | - | cpe:/o:siemens:apogee_pxc_compact_%28p2_ethernet%29_firmware
siemens | apogee_pxc_modular_%28bacnet%29_firmware | - | cpe:/o:siemens:apogee_pxc_modular_%28bacnet%29_firmware
siemens | apogee_pxc_modular_%28p2_ethernet%29_firmware | - | cpe:/o:siemens:apogee_pxc_modular_%28p2_ethernet%29_firmware
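The plugin above hands its vuln_cpes table to tenable_ot::cve::compare_and_report, which flags an asset when its firmware version falls under the per-CPE upper bound (inclusive for versionEndIncluding, exclusive for versionEndExcluding). The following is an added example, not Tenable's plugin code, that reproduces that comparison in Python over a constructed asset inventory; the zero-padding of short version strings and the sample asset names are assumptions.

```python
# Added example (not Tenable's plugin code): evaluate firmware versions
# against the plugin's vuln_cpes table using the same bound semantics.
from typing import Optional

# Upper bounds copied from the plugin's vuln_cpes table above.
VULN_CPES = {
    "cpe:/o:siemens:apogee_mbc_%28ppc%29_%28p2_ethernet%29_firmware":
        {"versionEndIncluding": "2.6.3"},
    "cpe:/o:siemens:apogee_mec_%28ppc%29_%28p2_ethernet%29_firmware":
        {"versionEndIncluding": "2.6.3"},
    "cpe:/o:siemens:apogee_pxc_bacnet_automation_controller_firmware":
        {"versionEndExcluding": "3.5.3"},
    "cpe:/o:siemens:apogee_pxc_compact_%28p2_ethernet%29_firmware":
        {"versionEndIncluding": "2.8"},
    "cpe:/o:siemens:apogee_pxc_modular_%28bacnet%29_firmware":
        {"versionEndExcluding": "3.5.3"},
    "cpe:/o:siemens:apogee_pxc_modular_%28p2_ethernet%29_firmware":
        {"versionEndIncluding": "2.8"},
}

def parse_version(v: str) -> tuple:
    """'V3.5.3' or '2.8' -> comparable int tuple; short forms are zero-padded
    so 2.8 == 2.8.0 (assumption about the firmware numbering scheme)."""
    parts = [int(p) for p in v.strip().lstrip("Vv").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(cpe: str, version: str) -> Optional[bool]:
    """True/False for a CPE in the table, None for an unknown CPE."""
    bounds = VULN_CPES.get(cpe)
    if bounds is None:
        return None
    ver = parse_version(version)
    if "versionEndIncluding" in bounds:
        return ver <= parse_version(bounds["versionEndIncluding"])
    return ver < parse_version(bounds["versionEndExcluding"])

def report(assets):
    """assets: iterable of (name, cpe, version); returns the names to flag."""
    return [name for name, cpe, ver in assets if is_affected(cpe, ver)]

# Constructed sample inventory (not real devices).
SAMPLE_ASSETS = [
    ("pxc-mod-1", "cpe:/o:siemens:apogee_pxc_modular_%28bacnet%29_firmware", "V3.5.2"),
    ("pxc-mod-2", "cpe:/o:siemens:apogee_pxc_modular_%28bacnet%29_firmware", "V3.5.3"),
    ("mbc-1", "cpe:/o:siemens:apogee_mbc_%28ppc%29_%28p2_ethernet%29_firmware", "V2.6.3"),
    ("pxc-cmp-1", "cpe:/o:siemens:apogee_pxc_compact_%28p2_ethernet%29_firmware", "V2.10"),
]
```

Versions are compared numerically, so V2.10 sorts above V2.8 rather than below it as a plain string comparison would. Note that the advisory text lists all versions >= V2.6.3 and >= V2.8 of the P2 Ethernet products as affected while the plugin table uses those values as inclusive upper bounds, so for those models check the Siemens advisory rather than relying on the bounds alone.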
