Full Report
SIMOTICS CONNECT 400, Desigo (Power PC-based), APOGEE MEC/MBC/PXC and TALON TC products are affected by a DHCP client vulnerability initially reported in SSA-434032 for the Mentor Nucleus Networking Module. Siemens has released updates for several affected products and recommends updating to the latest versions. For products where updates are not, or not yet, available, Siemens recommends specific countermeasures.
Analysis Summary
# Vulnerability: DHCP Client Vulnerability in Siemens SIMOTICS and Building Automation Products
## CVE Details
- **CVE ID:** CVE-2019-13939
- **CVSS Score:** 7.1 (High)
- **CWE:** CWE-20: Improper Input Validation
## Affected Systems
- **Products:**
  - APOGEE MEC/MBC/PXC (P2 and BACnet series)
  - Desigo PXC/PXM (Power PC-based: PXC00-E.D, PXC100-E.D, PXC12-E.D, PXC200-E.D, PXC22-E.D, PXC36.1-E.D, PXC50-E.D, PXM20-E)
  - SIMOTICS CONNECT 400
  - TALON TC Modular and Compact (BACnet)
- **Versions:**
  - APOGEE PXC Series (P2): < V6.0.327
  - SIMOTICS CONNECT 400: < V0.3.0.330
  - TALON TC Series (BACnet): < V3.5.3
  - Desigo PXC/PXM: specific older versions (see remediation for update status)
- **Configurations:** The vulnerability only affects devices where the **DHCP Client is enabled**. Note: DHCP is disabled by default on APOGEE, Desigo, and TALON products.
## Vulnerability Description
This flaw originates from the Mentor Nucleus Networking Module. It involves improper validation of input during the processing of DHCP packets. An attacker can send specially crafted DHCP packets to a device, allowing them to change the device's IP address to an invalid value.
## Exploitation
- **Status:** PoC available (referenced via the underlying Mentor Nucleus research in SSA-434032).
- **Complexity:** Low
- **Attack Vector:** Adjacent (requires the attacker to be on the same local network/Layer 2 domain to deliver DHCP packets).
## Impact
- **Confidentiality:** None
- **Integrity:** Low (Unauthorized modification of device network configuration)
- **Availability:** High (The device may become unreachable on the network if the IP is set to an invalid value, leading to a Denial of Service).
## Remediation
### Patches
Siemens recommends updating to the following versions or later:
- **APOGEE PXC Series (P2):** Update to V6.0.327.
- **SIMOTICS CONNECT 400:** Update to V0.3.0.330.
- **TALON TC (BACnet):** Update to V3.5.3.
- **Desigo PXC/PXM:** Refer to the Siemens partner portal for specific firmware updates associated with the article numbers listed in the advisory.
### Workarounds
- **Disable DHCP:** Manually disable the DHCP client and utilize static IP address configurations.
- **Network Isolation:** Ensure devices are operated within a protected IT/OT environment following Siemens' operational guidelines.
## Detection
- **Indicators of Compromise:** Unexpected loss of connectivity to the device; the device appearing with an incorrect or "invalid" IP address (e.g., 0.0.0.0 or an address outside the expected subnet) in network logs.
- **Detection methods:** Monitor the local network segment for DHCP server responses that do not originate from the authorized DHCP server, or that hand out addresses outside the expected subnet.
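As an added illustration of the detection method above (example code written for this summary, not Siemens tooling and not part of the advisory): a small Python script that parses raw DHCP server messages (BOOTP framing per RFC 2131/2132), flags any OFFER/ACK/NAK whose server identifier is not on an allow-list, and flags leases of 0.0.0.0, addresses outside the expected subnet, or the network/broadcast address, i.e. the indicators listed above. The authorized server 192.168.10.1, the subnet 192.168.10.0/24 and the four sample messages are constructed for the demo; a real deployment would feed it DHCP payloads captured on the devices' Layer 2 segment (for example via a SPAN port or DHCP snooping logs).

```python
"""Rogue DHCP server / invalid lease detector over raw DHCP messages (added example)."""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the option area
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(data: bytes) -> dict:
    """Parse the fixed 240-byte BOOTP header and the TLV option area of one DHCP message."""
    if len(data) < 240:
        raise ValueError("truncated DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", data[:12])
    yiaddr = str(ipaddress.IPv4Address(data[16:20]))   # 'your' address: the offered lease
    siaddr = str(ipaddress.IPv4Address(data[20:24]))
    chaddr = data[28:28 + min(hlen, 16)]                # client hardware address
    if data[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option header runs past end of message")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:       # reject options whose declared length overruns the packet
            raise ValueError("option %d length %d exceeds message" % (code, length))
        options[code] = value
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "siaddr": siaddr,
            "chaddr": chaddr.hex(":"), "options": options}


def check_message(msg: dict, authorized_servers: set, expected_subnet) -> list:
    """Return alert strings for one server-to-client message; client messages yield none."""
    alerts = []
    mtype = msg["options"].get(OPT_MSG_TYPE, b"\x00")[0]
    name = MSG_NAMES.get(mtype, "UNKNOWN(%d)" % mtype)
    if name not in ("OFFER", "ACK", "NAK"):
        return alerts
    sid_raw = msg["options"].get(OPT_SERVER_ID)
    server = str(ipaddress.IPv4Address(sid_raw)) if sid_raw and len(sid_raw) == 4 else None
    if server is None:
        alerts.append("%s xid=%#x: no server identifier option" % (name, msg["xid"]))
    elif server not in authorized_servers:
        alerts.append("%s xid=%#x: unauthorized DHCP server %s" % (name, msg["xid"], server))
    if name in ("OFFER", "ACK"):
        lease = ipaddress.IPv4Address(msg["yiaddr"])
        if lease == ipaddress.IPv4Address("0.0.0.0"):
            alerts.append("%s xid=%#x: lease address %s is invalid" % (name, msg["xid"], lease))
        elif lease not in expected_subnet:
            alerts.append("%s xid=%#x: lease address %s is outside %s"
                          % (name, msg["xid"], lease, expected_subnet))
        elif lease in (expected_subnet.network_address, expected_subnet.broadcast_address):
            alerts.append("%s xid=%#x: lease address %s is the network or broadcast address"
                          % (name, msg["xid"], lease))
    return alerts


def build_dhcp(mtype: int, xid: int, yiaddr: str, server_id: str,
               chaddr: bytes = b"\x00\x1b\x1b\x11\x22\x33") -> bytes:
    """Constructed sample server message for the demo (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)           # op=2 (BOOTREPLY), Ethernet
    zero = ipaddress.IPv4Address("0.0.0.0").packed
    hdr += zero + ipaddress.IPv4Address(yiaddr).packed + zero + zero  # ciaddr, yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128) + DHCP_MAGIC
    opts = bytes([OPT_MSG_TYPE, 1, mtype])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return hdr + opts + bytes([OPT_END])


# Assumed environment: one authorized server on the 192.168.10.0/24 segment (constructed).
AUTHORIZED_SERVERS = {"192.168.10.1"}
EXPECTED_SUBNET = ipaddress.ip_network("192.168.10.0/24")

SAMPLE_MESSAGES = [
    build_dhcp(2, 0x1001, "192.168.10.50", "192.168.10.1"),    # legitimate OFFER
    build_dhcp(5, 0x1002, "0.0.0.0", "192.168.10.1"),          # ACK assigning 0.0.0.0
    build_dhcp(2, 0x1003, "10.0.0.7", "192.168.10.250"),       # OFFER from an unlisted server, off-subnet
    build_dhcp(5, 0x1004, "192.168.10.255", "192.168.10.1"),   # ACK assigning the broadcast address
]


def scan(messages=SAMPLE_MESSAGES, authorized=AUTHORIZED_SERVERS, subnet=EXPECTED_SUBNET) -> list:
    """Run every message through the parser and checks; return all alerts in order."""
    alerts = []
    for raw in messages:
        alerts.extend(check_message(parse_dhcp(raw), authorized, subnet))
    return alerts


if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

The length check on every option is deliberate: a detector that parses hostile DHCP traffic should itself refuse malformed option lengths rather than read past the buffer, which is the class of input-validation weakness (CWE-20) this advisory describes.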
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-162506.pdf
- **Related Mentor Nucleus Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-434032.html
- **Siemens Industrial Security Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security