Vulnerability in APOGEE and TALON Systems Affects Network Operations
CVE-2020-15795

8.1HIGH

Key Information:

Vendor
Siemens
Status
Apogee Pxc Compact (bacnet)
Apogee Pxc Compact (p2 Ethernet)
Apogee Pxc Modular (bacnet)
Apogee Pxc Modular (p2 Ethernet)
Vendor
CVE Published:
22 April 2021

Summary

A vulnerability exists in various Siemens APOGEE and TALON systems due to improper validation of DNS domain name label parsing. This flaw can lead to a write past the end of an allocated structure. An attacker with a privileged network position may exploit this vulnerability to execute arbitrary code within the context of the affected process, potentially leading to unauthorized access or even a denial-of-service condition. It is crucial for organizations using these systems to promptly assess their current versions and apply necessary updates to mitigate risks associated with this vulnerability.

Affected Version(s)

APOGEE PXC Compact (BACnet) All versions < V3.5.5

APOGEE PXC Compact (P2 Ethernet) All versions < V2.8.20

APOGEE PXC Modular (BACnet) All versions < V3.5.5

References

https://cert-portal.siemens.com/productcert/pdf/ssa-18569...
https://cert-portal.siemens.com/productcert/pdf/ssa-18057...

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.