Siemens Nucleus RTOS-based APOGEE and TALON Products Improper Handling of Inconsistent Structural Elements (CVE-2021-31890)

2022-02-0700:00:00

www.tenable.com

8.7 High

AI Score

Confidence

High

JSON

A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Capital VSTAR (All versions with enabled Ethernet options), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus ReadyStart V4 (All versions < V4.1.1), Nucleus Source Code (All versions), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0017)

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(500571);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2021-31890");

  script_name(english:"Siemens Nucleus RTOS-based APOGEE and TALON Products Improper Handling of Inconsistent Structural Elements (CVE-2021-31890)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All
versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC
(PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All
versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE
PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular
(BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet)
(All versions < V2.8.19), Capital VSTAR (All versions with enabled
Ethernet options), Desigo PXC00-E.D (All versions >= V2.3 and <
V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016),
Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo
PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D
(All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions
>= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and
< V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016),
Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo
PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D
(All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions
>= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and <
V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All
versions < V2017.02.4), Nucleus ReadyStart V4 (All versions < V4.1.1),
Nucleus Source Code (All versions), PLUSCONTROL 1st Gen (All
versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), TALON TC
Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet)
(All versions < V3.5.4). The total length of an TCP payload (set in
the IP header) is unchecked. This may lead to various side effects,
including Information Leak and Denial-of-Service conditions, depending
on the network buffer organization in memory. (FSMD-2021-0017)

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-620288.pdf");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-845392.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-21-313-03");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-223353.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-21-315-07");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens recommends the following specific workarounds and mitigations users can apply to reduce the risk:

- Desigo products: update to v6.30.016 or later
- APOGEE PXC Compact (P2 Ethernet) and APOGEE PXC Modular (P2 Ethernet): update to v2.8.19 or later. Contact a Siemens
office for support.
- TALON TC Compact (BACnet), TALON TC Modular (BACnet), APOGEE PXC Compact (BACnet), and APOGEE PXC Modular (BACnet):
update to v3.5.4 or later. Contact a Siemens office for support.

- CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address
configuration instead (Note the DHCP client is disabled by default on APOGEE/TALON and Desigo products).
- CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note the FTP service is
disabled by default on Desigo products).

As a general security measure Siemens strongly recommends protecting network access to affected products with
appropriate mechanisms. It is advised to follow recommended security practices to run the devices in a protected IT
environment.

For more information see Siemens Security Advisory SSA-114589");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-31890");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(240);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_modular_building_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_modular_equiment_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_compact_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_modular_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:apogee_modular_building_controller_firmware" :
        {"family" : "PxcModular"},
    "cpe:/o:siemens:apogee_modular_equiment_controller_firmware" :
        {"family" : "PxcModular"},
    "cpe:/o:siemens:apogee_pxc_compact_firmware" :
        {"family" : "PxcCompact"},
    "cpe:/o:siemens:apogee_pxc_modular_firmware" :
        {"family" : "PxcModular"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

VendorProductVersionCPE
siemensapogee_modular_building_controller_firmwarecpe:/o:siemens:apogee_modular_building_controller_firmware
siemensapogee_modular_equiment_controller_firmwarecpe:/o:siemens:apogee_modular_equiment_controller_firmware
siemensapogee_pxc_compact_firmwarecpe:/o:siemens:apogee_pxc_compact_firmware
siemensapogee_pxc_modular_firmwarecpe:/o:siemens:apogee_pxc_modular_firmware

Vendor	Product	CPE
siemens	apogee_modular_building_controller_firmware	cpe:/o:siemens:apogee_modular_building_controller_firmware
siemens	apogee_modular_equiment_controller_firmware	cpe:/o:siemens:apogee_modular_equiment_controller_firmware
siemens	apogee_pxc_compact_firmware	cpe:/o:siemens:apogee_pxc_compact_firmware
siemens	apogee_pxc_modular_firmware	cpe:/o:siemens:apogee_pxc_modular_firmware