DHCP Manipulation Vulnerability in Siemens APOGEE and Desigo Systems
CVE-2019-13939
7.1 HIGH
Key Information:
- Vendor: Siemens
- Status
- Vendor
- CVE Published: 16 January 2020
What is CVE-2019-13939?
A vulnerability exists in Siemens' APOGEE and Desigo systems that allows an attacker to exploit inadequate DHCP packet handling. By sending specially crafted DHCP packets to devices with DHCP clients enabled, an unauthorized individual can change the IP addresses of the affected devices to invalid values. This could compromise both the availability and integrity of the impacted systems. Notably, the attack requires adjacent network access but does not necessitate any authentication or user interaction, making it particularly concerning for network security.
Affected Version(s)
APOGEE MEC/MBC/PXC (P2) All versions < V2.8.2
APOGEE PXC Compact (BACnet) 0
APOGEE PXC Compact (P2 Ethernet) V2.8.2