DHCP Manipulation Vulnerability in Siemens APOGEE and Desigo Systems
CVE-2019-13939
7.1 HIGH
Key Information:
- Vendor: Siemens
- Status: Vendor
- CVE Published: 16 January 2020
Summary
A vulnerability exists in Siemens' APOGEE and Desigo systems that allows an attacker to exploit inadequate DHCP packet handling. By sending specially crafted DHCP packets to devices with DHCP clients enabled, an unauthorized individual can change the IP addresses of the affected devices to invalid values. This could compromise both the availability and integrity of the impacted systems. Notably, the attack requires adjacent network access but does not necessitate any authentication or user interaction, making it particularly concerning for network security.
Affected Version(s)
Capital Embedded AR Classic 431-422 0
Capital Embedded AR Classic R20-11 0
Nucleus NET All versions
CVSS V4
Score: 7.1
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved