CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score
Confidence: High

EPSS
Percentile: 83.6%

A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in all versions <V3.5. An attacker with network access to the integrated web server (80/tcp and 443/tcp) could bypass the authentication and download sensitive information from the device.
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
  script_id(500107);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/04");
  script_cve_id("CVE-2017-9946");
  script_xref(name:"ICSA", value:"17-285-05");
  script_name(english:"Siemens BACnet Field Panels Authentication Bypass Using an Alternate Path or Channel (CVE-2017-9946)");
  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in all versions
<V3.5. An attacker with network access to the integrated web server (80/tcp and 443/tcp) could bypass the authentication
and download sensitive information from the device.
- A vulnerability has been identified in Siemens APOGEE PXC and TALON TC BACnet Automation Controllers in
all versions <V3.5. An attacker with network access to the integrated web server (80/tcp and 443/tcp)
could bypass the authentication and download sensitive information from the device. (CVE-2017-9946)");
  # https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-148078.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?39061797");
  # http://packetstormsecurity.com/files/169544/Siemens-APOGEE-PXC-TALON-TC-Authentication-Bypass.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8c345dfe");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-17-285-05");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.
Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens
recommends countermeasures for products where updates are not, or not yet available.
- APOGEE PXC Compact (BACnet): Update to v3.5 or later version
- APOGEE PXC Compact (P2 Ethernet): Disable the integrated webserver
- APOGEE PXC Modular (BACnet): Update to v3.5 or later version
- APOGEE PXC Modular (P2 Ethernet): Disable the integrated webserver
- TALON TC Compact (BACnet): Update to v3.5 or later version
- TALON TC Modular (BACnet): Update to v3.5 or later version
Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:
- Siemens recommends disabling the integrated webserver when not in use
- Please contact a Siemens office for additional support
As a general security measure Siemens strongly recommends protecting network access to affected products with
appropriate mechanisms. It is advised to follow recommended security practices in order to run the devices in a
protected IT environment.
For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security
Advisory SSA-148078");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-9946");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(287);

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/10/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_bacnet_automation_controller_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}
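
include('tenable_ot_cve_funcs.inc');

# Exit unless the Tenable.ot integration has recorded Siemens assets in the KB.
get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

# Firmware CPEs checked by this plugin; "versionEndExcluding" : "3.5"
# corresponds to the advisory's affected range of all versions <V3.5.
var vuln_cpes = {
  "cpe:/o:siemens:apogee_pxc_firmware" :
    {"versionEndExcluding" : "3.5", "family" : "Apogee"},
  "cpe:/o:siemens:apogee_pxc_modular_firmware" :
    {"versionEndExcluding" : "3.5", "family" : "PxcModular"}
};

# Compare the asset against the CPE table and report matches as a warning.
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);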