End Update B Part 3 of 3 -Īs a general security measure Siemens strongly recommends users protect network access to affected products with appropriate mechanisms. APOGEE PXC Series, TALON TC Series, and Desigo products: If using static IP address is not possible, please contact a Siemens support office for support.MEC, MBC, PXC (versions prior to v2.8.2): Use static IP address configuration as described above.Disable the DHCP client and use static IP address configuration instead (Note that the DHCP client is disabled by default on APOGEE/TALON and Desigo products).Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk: SIMOTICS CONNECT 400: Update to v0.3.0.330.
Siemens recommends users update to the latest version of their software where applicable. Siemens reported this vulnerability to CISA.
A CVSS v3 base score of 7.1 has been assigned the CVSS vector string is ( AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H). This may allow an attacker to make device configuration changes and affect its availability.ĬVE-2019-13939 has been assigned to this vulnerability. The affected products could allow an attacker to change the IP address of the device to an invalid value.
SIMOTICS CONNECT 400: All versions prior to 0.3.0.330.APOGEE PCX Series (P2): All versions, 2.8.2 and newer.APOGEE PXC Series (BACnet): All versions, 3.0 and newer.APOGEE MEC/MBC/PXC (P2): All versions prior to 2.8.2.Siemens reports the vulnerability affects the following products and versions: Successful exploitation of this vulnerability could allow an attacker to affect the availability and integrity of the device. This updated advisory is a follow-up to the advisory update titled ICSA-20-105-06 Siemens SIMOTICS, Desigo, APOGEE, and TALON (Update A) that was published January 12, 2021, on the ICS webpage at 3. Equipment: SIMOTICS, Desigo, APOGEE, and TALON.ATTENTION: Exploitable from an adjacent network/low skill level to exploit.