nessus
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
TENABLE_OT_SIEMENS_CVE-2021-31889.NASL
History: Feb 07, 2022 - 12:00 a.m.

Siemens Nucleus RTOS-based APOGEE and TALON Products Integer Underflow (CVE-2021-31889)

2022-02-07 00:00:00
www.tenable.com
30
siemens
nucleus rtos
apogee
talon
integer underflow
cve-2021-31889
malformed tcp packets
information leaks
denial-of-service

CVSS2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: PARTIAL
- Availability Impact: PARTIAL

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH

AI Score: 8.6 (Confidence: High)

EPSS: 0.008 (Percentile: 82.0%)

A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Capital VSTAR (All versions with enabled Ethernet options), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). Malformed TCP packets with a corrupted SACK option lead to Information Leaks and Denial-of-Service conditions. (FSMD-2021-0015)

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(500544);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/04");

  script_cve_id("CVE-2021-31889");
  script_xref(name:"ICSA", value:"21-313-03");
  script_xref(name:"ICSA", value:"21-315-07");

  script_name(english:"Siemens Nucleus RTOS-based APOGEE and TALON Products Integer Underflow (CVE-2021-31889)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All
versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC
(PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All
versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE
PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular
(BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet)
(All versions < V2.8.19), Capital VSTAR (All versions with enabled
Ethernet options), Desigo PXC00-E.D (All versions >= V2.3 and <
V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016),
Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo
PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D
(All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions
>= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and
< V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016),
Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo
PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D
(All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions
>= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and <
V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All
versions < V2017.02.4), Nucleus Source Code (All versions),
PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions
< V0.5.0.0), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON
TC Modular (BACnet) (All versions < V3.5.4). Malformed TCP packets
with a corrupted SACK option leads to Information Leaks and Denial-of-
Service conditions. (FSMD-2021-0015)

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-620288.pdf");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-845392.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-21-313-03");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-223353.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-21-315-07");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens recommends the following specific workarounds and mitigations users can apply to reduce the risk:

- Desigo products: update to v6.30.016 or later
- APOGEE PXC Compact (P2 Ethernet) and APOGEE PXC Modular (P2 Ethernet): update to v2.8.19 or later. Contact a Siemens
office for support.
- TALON TC Compact (BACnet), TALON TC Modular (BACnet), APOGEE PXC Compact (BACnet), and APOGEE PXC Modular (BACnet):
update to v3.5.4 or later. Contact a Siemens office for support.

- CVE-2021-31881, CVE-2021-31882, CVE-2021-31883, CVE-2021-31884: Disable the DHCP client and use static IP address
configuration instead (Note the DHCP client is disabled by default on APOGEE/TALON and Desigo products).
- CVE-2021-31885, CVE-2021-31886, CVE-2021-31887, CVE-2021-31888: Disable the FTP service (Note the FTP service is
disabled by default on Desigo products).

As a general security measure Siemens strongly recommends protecting network access to affected products with
appropriate mechanisms. It is advised to follow recommended security practices to run the devices in a protected IT
environment.

For more information see Siemens Security Advisory SSA-114589");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-31889");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(191);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/11/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_modular_building_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_modular_equiment_controller_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_compact_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:apogee_pxc_modular_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

# Map each affected CPE to the Tenable.ot product family it is matched against.
# The original literal listed apogee_modular_building_controller_firmware twice;
# the duplicate key has been dropped.
var vuln_cpes = {
    "cpe:/o:siemens:apogee_modular_building_controller_firmware" :
        {"family" : "PxcModular"},
    "cpe:/o:siemens:apogee_modular_equiment_controller_firmware" :
        {"family" : "PxcModular"},
    "cpe:/o:siemens:apogee_pxc_compact_firmware" :
        {"family" : "PxcCompact"},
    "cpe:/o:siemens:apogee_pxc_modular_firmware" :
        {"family" : "PxcModular"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
