Denial of Service in APOGEE and Nucleus Products by Siemens
CVE-2020-27737

6.5MEDIUM

Key Information:

Vendor
Siemens
Status
Apogee Pxc Compact (bacnet)
Apogee Pxc Compact (p2 Ethernet)
Apogee Pxc Modular (bacnet)
Apogee Pxc Modular (p2 Ethernet)
Vendor
CVE Published:
22 April 2021

Summary

A vulnerability has been discovered in various Siemens APOGEE and Nucleus products due to improper validation in DNS response parsing. This issue affects multiple versions and could allow an attacker with network privileges to exploit malformed DNS responses, resulting in a denial-of-service condition or potential memory leaks. It's critical to update to the latest versions to mitigate the risk of such exploits.

Affected Version(s)

APOGEE PXC Compact (BACnet) All versions < V3.5.5

APOGEE PXC Compact (P2 Ethernet) All versions < V2.8.20

APOGEE PXC Modular (BACnet) All versions < V3.5.5

References

https://cert-portal.siemens.com/productcert/pdf/ssa-70511...
https://cert-portal.siemens.com/productcert/pdf/ssa-66915...
https://cert-portal.siemens.com/productcert/pdf/ssa-18057...

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.