Siemens Desigo PXC and DXR Devices Uncaught Exception (CVE-2021-41545)

2023-01-2500:00:00

www.tenable.com

siemens

desigo

pxc

dxr

vulnerability

cve-2021-41545

bacnet

protocol

tenable.ot

7.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.6%

JSON

A vulnerability has been identified in Desigo DXR2 (All versions < V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions < V02.20.142.10-10884). When the controller receives a specific BACnet protocol packet, an exception causes the BACnet communication function to go into a out of work state and could result in the controller going into a factory reset state.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(500787);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2021-41545");

  script_name(english:"Siemens Desigo PXC and DXR Devices Uncaught Exception (CVE-2021-41545)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in Desigo DXR2 (All versions <
V01.21.142.5-22), Desigo PXC3 (All versions < V01.21.142.4-18), Desigo
PXC4 (All versions < V02.20.142.10-10884), Desigo PXC5 (All versions <
V02.20.142.10-10884). When the controller receives a specific BACnet
protocol packet, an exception causes the BACnet communication function
to go into a out of work state and could result in the controller
going into a factory reset state.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-662649.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-22-132-10");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens recommends updating to the latest software version:

- Desigo DXR2: Update to v01.21.142.5-22 or later 
- Desigo PXC3: Update to v01.21.142.4-18 or later 
- Desigo PXC4: Update to v02.20.142.10-10884 or later 
- Desigo PXC5: Update to v02.20.142.10-10884 or later

Contact Siemens for update information.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To
operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemensâ
operational guidelines for industrial security and following the recommendations in the product manuals.

For additional information, please refer to Siemens Security Advisory SSA-626968

For additional information, please refer to Siemens Security Advisory SSA-662649");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-41545");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/05/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/05/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:desigo_dxr2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:desigo_pxc3_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:desigo_pxc4_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:desigo_pxc5_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:desigo_dxr2_firmware" :
        {"versionEndExcluding" : "01.21.142.5-22", "family" : "Desigo"},
    "cpe:/o:siemens:desigo_pxc3_firmware" :
        {"versionEndExcluding" : "01.21.142.4-18", "family" : "Desigo"},
    "cpe:/o:siemens:desigo_pxc4_firmware" :
        {"versionEndExcluding" : "02.20.142.10-10884", "family" : "Desigo"},
    "cpe:/o:siemens:desigo_pxc5_firmware" :
        {"versionEndExcluding" : "02.20.142.10-10884", "family" : "Desigo"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

VendorProductVersionCPE
siemensdesigo_dxr2_firmwarecpe:/o:siemens:desigo_dxr2_firmware
siemensdesigo_pxc3_firmwarecpe:/o:siemens:desigo_pxc3_firmware
siemensdesigo_pxc4_firmwarecpe:/o:siemens:desigo_pxc4_firmware
siemensdesigo_pxc5_firmwarecpe:/o:siemens:desigo_pxc5_firmware

Vendor	Product	CPE
siemens	desigo_dxr2_firmware	cpe:/o:siemens:desigo_dxr2_firmware
siemens	desigo_pxc3_firmware	cpe:/o:siemens:desigo_pxc3_firmware
siemens	desigo_pxc4_firmware	cpe:/o:siemens:desigo_pxc4_firmware
siemens	desigo_pxc5_firmware	cpe:/o:siemens:desigo_pxc5_firmware