Detections
Analytics

Siemens Mentor Nucleus Networking Module Improper Input Validation (CVE-2019-13939)

high Tenable OT Security Plugin ID 500407

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All versions < V2.8.2), APOGEE PXC Series (BACnet) (All versions < V3.5.3), APOGEE PXC Series (P2) (All versions >= V2.8.2 and < V2.8.19), Desigo PXC00-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC00-U (All versions >= V2.3x and < V6.00.327), Desigo PXC001-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC100-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC12-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC128-U (All versions >= V2.3x and < V6.00.327), Desigo PXC200-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC22-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC22.1-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC36.1-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC50-E.D (All versions >= V2.3x and < V6.00.327), Desigo PXC64-U (All versions >= V2.3x and < V6.00.327), Desigo PXM20-E (All versions >= V2.3x and < V6.00.327), Nucleus NET (All versions), Nucleus RTOS (All versions), Nucleus ReadyStart for ARM, MIPS, and PPC (All versions < V2017.02.2 with patch Nucleus 2017.02.02 Nucleus NET Patch), Nucleus SafetyCert (All versions), Nucleus Source Code (All versions), SIMOTICS CONNECT 400 (All versions < V0.3.0.330), TALON TC Series (BACnet) (All versions < V3.5.3), VSTAR (All versions). By sending specially crafted DHCP packets to a device where the DHCP client is enabled, an attacker could change the IP address of the device to an invalid value. The vulnerability could affect availability and integrity of the device.
Adjacent network access is required, but no authentication and no user interaction is needed to conduct an attack.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens recommends installing the following software updates to address this vulnerability.

Nucleus NET:

- Avoid using DHCP Client of Nucleus NET or upgrade Nucleus ReadyStart and apply the corresponding patch.

Nucleus RTOS:

- Avoid using DHCP Client of Nucleus NET, or upgrade Nucleus ReadyStart and apply the corresponding patch.

Nucleus ReadyStart for ARM, MIPS, and PPC:

- Upgrade to v2017.02.2 and install the patch “Nucleus 2017.02.02 Nucleus NET Patch.” Updated firmware versions can be obtained from Mentor supportcenter at (login required):

https://support.mentor.com/en/product/1009925838/downloads

Nucleus SafetyCert:

- Nucleus SafetyCert is not affected since it leverages the LWNET stack, which is not affected. The Nucleus SafetyCert bundle, however, does include a copy of Nucleus ReadyStart to allow easier prototyping, which is affected.

Nucleus Source Code:

- Avoid using DHCP Client of Nucleus NET.

VSTAR:

- Contact customer support to receive patch and update instructions.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ Operational Guidelines for Industrial Security and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at:

https://www.siemens.com/industrialsecurity

For more information on this vulnerability and more detailed mitigation instructions, please see Siemens security advisory SSA-434032 at the following location:

http://www.siemens.com/cert/advisories

See Also

https://cert-portal.siemens.com/productcert/pdf/ssa-434032.pdf

https://cert-portal.siemens.com/productcert/pdf/ssa-162506.pdf

https://us-cert.cisa.gov/ics/advisories/icsa-20-105-06

https://www.cisa.gov/news-events/ics-advisories/icsa-19-318-01

Plugin Details

Severity: High

ID: 500407

Version: 1.9

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 3.5

Vector: CVSS2#AV:A/AC:L/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2019-13939

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:apogee_modular_equiment_controller_firmware, cpe:/o:siemens:desigo_pxc_firmware, cpe:/o:siemens:apogee_pxc_firmware, cpe:/o:siemens:desigo_pxm20_firmware, cpe:/o:siemens:apogee_modular_building_controller_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 1/16/2020

Vulnerability Publication Date: 1/16/2020

Reference Information

CVE: CVE-2019-13939

ICSA: 19-318-01, 20-105-06