Vulnerability in APOGEE and TALON Systems Affects Network Operations
CVE-2020-15795

8.1HIGH

Key Information:

Vendor: Siemens
Status: Apogee Pxc Compact (bacnet); Apogee Pxc Compact (p2 Ethernet); Apogee Pxc Modular (bacnet); Apogee Pxc Modular (p2 Ethernet)
Vendor: CVE Published:; 22 April 2021

What is CVE-2020-15795?

A vulnerability exists in various Siemens APOGEE and TALON systems due to improper validation of DNS domain name label parsing. This flaw can lead to a write past the end of an allocated structure. An attacker with a privileged network position may exploit this vulnerability to execute arbitrary code within the context of the affected process, potentially leading to unauthorized access or even a denial-of-service condition. It is crucial for organizations using these systems to promptly assess their current versions and apply necessary updates to mitigate risks associated with this vulnerability.

Affected Version(s)

APOGEE PXC Compact (BACnet) All versions < V3.5.5

APOGEE PXC Compact (P2 Ethernet) All versions < V2.8.20

APOGEE PXC Modular (BACnet) All versions < V3.5.5

References

https://cert-portal.siemens.com/productcert/pdf/ssa-18569...

https://cert-portal.siemens.com/productcert/pdf/ssa-18057...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2021
Vulnerability Reserved
Jul 15, 2020