Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_SIEMENS_CVE-2021-31881.NASL
HistoryFeb 07, 2022 - 12:00 a.m.

Siemens Nucleus RTOS-based APOGEE and TALON Products Out-of-Bounds Read (CVE-2021-31881)

2022-02-0700:00:00
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
11

8.2 High

AI Score

Confidence

High

JSON

A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Capital VSTAR (All versions with enabled Ethernet options), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0008)

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(500584);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2021-31881");

  script_name(english:"Siemens Nucleus RTOS-based APOGEE and TALON Products Out-of-Bounds Read (CVE-2021-31881)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All
versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC
(PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All
versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE
PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular
(BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet)
(All versions < V2.8.19), Capital VSTAR (All versions with enabled
Ethernet options), Desigo PXC00-E.D (All versions >= V2.3 and <
V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016),
Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo
PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D
(All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions
>= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and
< V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016),
Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo
PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D
(All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions
>= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and <
V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All
versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC
Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet)
(All versions < V3.5.4). When processing a DHCP OFFER message, the
DHCP client application does not validate the length of the Vendor
option(s), leading to Denial-of-Service conditions. (FSMD-2021-0008)

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-620288.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-21-313-03");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-21-315-07");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens recommends the following specific workarounds and mitigations users can apply to reduce the risk:

- Desigo products: update to v6.30.016 or later
- APOGEE PXC Compact (P2 Ethernet) and APOGEE PXC Modular (P2 Ethernet): update to v2.8.19 or later. Contact a Siemens
office for support.
- TALON TC Compact (BACnet), TALON TC Modular (BACnet), APOGEE PXC Compact (BACnet), and APOGEE PXC Modular (BACnet):
update to v3.5.4 or later. Contact a Siemens office for support.

- CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address
configuration instead (Note the DHCP client is disabled by default on APOGEE/TALON and Desigo products).
- CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note the FTP service is
disabled by default on Desigo products).

As a general security measure Siemens strongly recommends protecting network access to affected products with
appropriate mechanisms. It is advised to follow recommended security practices to run the devices in a protected IT
environment.

For more information see Siemens Security Advisory SSA-114589");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-31881");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(125);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_modular_building_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_modular_equiment_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_compact_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_modular_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:apogee_modular_building_controller_firmware" :
        {"family" : "PxcModular"},
    "cpe:/o:siemens:apogee_modular_equiment_controller_firmware" :
        {"family" : "PxcModular"},
    "cpe:/o:siemens:apogee_pxc_compact_firmware" :
        {"family" : "PxcCompact"},
    "cpe:/o:siemens:apogee_pxc_modular_firmware" :
        {"family" : "PxcModular"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
VendorProductVersionCPE
siemensapogee_modular_building_controller_firmwarecpe:/o:siemens:apogee_modular_building_controller_firmware
siemensapogee_modular_equiment_controller_firmwarecpe:/o:siemens:apogee_modular_equiment_controller_firmware
siemensapogee_pxc_compact_firmwarecpe:/o:siemens:apogee_pxc_compact_firmware
siemensapogee_pxc_modular_firmwarecpe:/o:siemens:apogee_pxc_modular_firmware

Related

nessus 13
f5 1
ics 4
thn 2
cnvd 8
cvelist 8
cve 8
prion 8
malwarebytes 1
nessus
nessus
Siemens Nucleus RTOS-based APOGEE and TALON Products Improper Restriction of Operations Within the Bounds of a Memory Buffer (CVE-2021-31883)
2022-02-07 00:00:00
Siemens Nucleus RTOS-based APOGEE and TALON Products Buffer Access with Incorrect Length Value (CVE-2021-31885)
2022-02-07 00:00:00
Siemens Nucleus RTOS-based APOGEE and TALON Products Improper Restriction of Operations Within the Bounds of a Memory Buffer (CVE-2021-31882)
2022-02-07 00:00:00
f5
f5
K000135330 : Multiple Nucleus TCP/IP stack vulnerabilities
2023-06-30 00:00:00
ics
ics
Siemens Nucleus RTOS TCP/IP Stack
2021-11-17 12:00:00
Siemens Nucleus RTOS-based APOGEE and TALON Products (Update C)
2022-05-12 12:00:00
Siemens Capital VSTAR (Update A)
2022-11-10 12:00:00
thn
thn
13 New Flaws in Siemens Nucleus TCP/IP Stack Impact Safety-Critical Equipment
2021-11-10 10:11:00
Researchers Warn of Critical Security Bugs in Schneider Electric Modicon PLCs
2023-02-16 13:18:00
cnvd
cnvd
Buffer Overflow Vulnerability in Multiple Siemens Products (CNVD-2021-89442)
2021-11-11 00:00:00
Incorrect Zero Termination Vulnerability in Multiple Siemens Products (CNVD-2021-89436)
2021-11-11 00:00:00
Multiple Siemens products incorrectly zero-terminated vulnerabilities
2021-11-11 00:00:00
cvelist
cvelist
CVE-2021-31882
2021-11-09 11:31:55
CVE-2021-31884
2021-11-09 11:31:57
CVE-2021-31885
2021-11-09 11:31:58
cve
cve
CVE-2021-31884
2021-11-09 12:15:00
CVE-2021-31883
2021-11-09 12:15:00
CVE-2021-31881
2021-11-09 12:15:00
prion
prion
Design/Logic Flaw
2021-11-09 12:15:00
Stack overflow
2021-11-09 12:15:00
Design/Logic Flaw
2021-11-09 12:15:00
malwarebytes
malwarebytes
[updated] Patch now! Microsoft plugs actively exploited zero-days and other updates
2021-11-10 14:30:23

8.2 High

AI Score

Confidence

High

JSON
Related for TENABLE_OT_SIEMENS_CVE-2021-31881.NASL
nessus13f51ics4thn2cnvd8cvelist8cve8prion8malwarebytes1