Metric | Score | Details |
---|---|---|
CVSS2 | 10 High | Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE; Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C |
CVSS3 | 9.8 High | Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
AI Score | 9.9 High | Confidence: High |
EPSS | 0.008 Low | Percentile: 81.5% |
A vulnerability has been identified in APOGEE MBC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE MEC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3).
The web server of affected devices lacks proper bounds checking when parsing the Host parameter in HTTP requests, which could lead to a buffer overflow. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the device with root privileges.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
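The kind of bounds check the description says is missing, as an added example (not Siemens firmware code and not part of the Tenable plugin): a Host header extractor in C that validates the value's length and alphabet before copying it into a fixed buffer. The function names, the buffer size and the sample request are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative code, not the device's. Unsafe pattern behind CWE-120:
 *     char host[64]; strcpy(host, value);   // length chosen by the sender */

static int is_host_line(const char *p, size_t len) {
    static const char name[] = "host:";
    if (len < 5) return 0;
    for (size_t i = 0; i < 5; i++)
        if (tolower((unsigned char)p[i]) != name[i]) return 0;
    return 1;
}

/* Copy the Host value from a NUL-terminated request head into out.
 * Returns its length, -1 if absent or empty, -2 if rejected (does not
 * fit in out, or holds bytes outside a hostname[:port] alphabet). */
int extract_host(const char *req, char *out, size_t out_sz) {
    const char *line = strstr(req, "\r\n");          /* end of request line */
    while (line && line[2] != '\r' && line[2] != '\0') {
        line += 2;
        const char *eol = strstr(line, "\r\n");
        if (!eol) return -1;                         /* truncated head */
        if (is_host_line(line, (size_t)(eol - line))) {
            const char *v = line + 5, *e = eol;
            while (v < e && (*v == ' ' || *v == '\t')) v++;
            while (e > v && (e[-1] == ' ' || e[-1] == '\t')) e--;
            size_t n = (size_t)(e - v);
            if (n == 0) return -1;
            if (n >= out_sz) return -2;              /* length check before any copy */
            for (size_t i = 0; i < n; i++)
                if (!isalnum((unsigned char)v[i]) && !strchr(".-:[]", v[i]))
                    return -2;
            memcpy(out, v, n);
            out[n] = '\0';
            return (int)n;
        }
        line = eol;
    }
    return -1;
}

int main(void) {
    char host[64];                                   /* constructed sample request */
    int rc = extract_host("GET / HTTP/1.1\r\nHost: bms.example\r\n\r\n", host, sizeof host);
    printf("%d %s\n", rc, rc > 0 ? host : "(rejected)");
    return 0;
}
```

An oversized or malformed value is rejected with the destination buffer left untouched, so the caller can answer with an error instead of processing the request.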
```
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
  script_id(500597);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/11");
  script_cve_id("CVE-2021-27391");
  script_name(english:"Siemens APOGEE and TALON Buffer Copy Without Checking Size of Input (CVE-2021-27391)");
  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in APOGEE MBC (PPC) (P2 Ethernet)
(All versions >= V2.6.3), APOGEE MEC (PPC) (P2 Ethernet) (All versions
>= V2.6.3), APOGEE PXC Compact (BACnet) (All versions < V3.5.3),
APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8), APOGEE PXC
Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2
Ethernet) (All versions >= V2.8), TALON TC Compact (BACnet) (All
versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3).
The web server of affected devices lacks proper bounds checking when
parsing the Host parameter in HTTP requests, which could lead to a
buffer overflow. An unauthenticated remote attacker could exploit this
vulnerability to execute arbitrary code on the device with root
privileges.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-944498.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-21-257-07");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.
Siemens recommends updating the following products to v3.5.3 or later (login required):
- APOGEE PXC Compact (BACnet)
- APOGEE PXC Modular (BACnet)
- TALON TC Compact (BACnet)
- TALON TC Modular (BACnet)
For products not listed above Siemens has recommended the following workarounds and mitigations:
- Contact a Siemens office for support.
- Restrict access to the device, especially to the web interface. 80/TCP and 443/TCP should only be connected to trusted
IP addresses.
- Disable the integrated web server.
As a general security measure, Siemens strongly recommends protecting network access to affected products with
appropriate mechanisms. It is advised to follow recommended security practices to run the devices in a protected IT
environment.
For more information see Siemens Security Advisory SSA-944498");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-27391");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(120);
  script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/09/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_mbc_%28ppc%29_%28p2_ethernet%29_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_mec_%28ppc%29_%28p2_ethernet%29_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_bacnet_automation_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_compact_%28p2_ethernet%29_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_modular_%28bacnet%29_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_modular_%28p2_ethernet%29_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");
  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");
  exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Siemens');
var asset = tenable_ot::assets::get(vendor:'Siemens');
var vuln_cpes = {
  "cpe:/o:siemens:apogee_mbc_%28ppc%29_%28p2_ethernet%29_firmware" :
    {"versionEndIncluding" : "2.6.3", "family" : "Apogee"},
  "cpe:/o:siemens:apogee_mec_%28ppc%29_%28p2_ethernet%29_firmware" :
    {"versionEndIncluding" : "2.6.3", "family" : "Apogee"},
  "cpe:/o:siemens:apogee_pxc_bacnet_automation_controller_firmware" :
    {"versionEndExcluding" : "3.5.3", "family" : "Apogee"},
  "cpe:/o:siemens:apogee_pxc_compact_%28p2_ethernet%29_firmware" :
    {"versionEndIncluding" : "2.8", "family" : "PxcCompact"},
  "cpe:/o:siemens:apogee_pxc_modular_%28bacnet%29_firmware" :
    {"versionEndExcluding" : "3.5.3", "family" : "PxcModular"},
  "cpe:/o:siemens:apogee_pxc_modular_%28p2_ethernet%29_firmware" :
    {"versionEndIncluding" : "2.8", "family" : "PxcModular"}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);
```
Vendor | Product | Version | CPE |
---|---|---|---|
siemens | apogee_mbc_%28ppc%29_%28p2_ethernet%29_firmware | | cpe:/o:siemens:apogee_mbc_%28ppc%29_%28p2_ethernet%29_firmware |
siemens | apogee_mec_%28ppc%29_%28p2_ethernet%29_firmware | | cpe:/o:siemens:apogee_mec_%28ppc%29_%28p2_ethernet%29_firmware |
siemens | apogee_pxc_bacnet_automation_controller_firmware | | cpe:/o:siemens:apogee_pxc_bacnet_automation_controller_firmware |
siemens | apogee_pxc_compact_%28p2_ethernet%29_firmware | | cpe:/o:siemens:apogee_pxc_compact_%28p2_ethernet%29_firmware |
siemens | apogee_pxc_modular_%28bacnet%29_firmware | | cpe:/o:siemens:apogee_pxc_modular_%28bacnet%29_firmware |
siemens | apogee_pxc_modular_%28p2_ethernet%29_firmware | | cpe:/o:siemens:apogee_pxc_modular_%28p2_ethernet%29_firmware |