Full Report
Apogee PXC and Talon TC contain a vulnerability that could allow an attacker to perform a denial of service using an out-of-bounds read, forcing the device to enter a cold state, and a vulnerability that would allow an attacker to decrypt the passwords of the device. Siemens recommends countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Siemens Apogee PXC and Talon TC
## CVE Details
- **CVE ID:** CVE-2024-54089
- **CVSS Score:** 7.5 (High) / 8.7 (High - CVSS v4.0)
- **CWE:** CWE-326: Inadequate Encryption Strength
- **CVE ID:** CVE-2024-54090
- **CVSS Score:** 5.9 (Medium) / 6.0 (Medium - CVSS v4.0)
- **CWE:** CWE-125: Out-of-bounds Read
## Affected Systems
- **Products:**
  - APOGEE PXC Series (BACnet)
  - APOGEE PXC Series (P2 Ethernet)
  - TALON TC Series (BACnet)
- **Versions:** All versions are currently affected.
- **Configurations:** Devices using default passwords or those with the Telnet service enabled are at higher risk.
## Vulnerability Description
The affected building automation controllers suffer from two distinct security flaws:
1. **Weak Encryption (CVE-2024-54089):** The devices utilize a weak encryption mechanism that relies on a hard-coded key. This allows an attacker to potentially decrypt passwords from ciphertext or successfully guess them, bypassing local authentication protections.
2. **Out-of-Bounds Read (CVE-2024-54090):** The memory dump function contains an out-of-bounds read vulnerability. An attacker can trigger this flaw to cause a Denial of Service (DoS), forcing the controller into an "insecure cold start" state.
## Exploitation
- **Status:** Not currently reported as exploited in the wild; no public PoC listed in advisory.
- **Complexity:**
  - CVE-2024-54089: Low
  - CVE-2024-54090: High (requires specific conditions and Medium or higher privileges).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Credential decryption possible via CVE-2024-54089).
- **Integrity:** None.
- **Availability:** High (Device cold start and DoS via CVE-2024-54090).
## Remediation
### Patches
There are currently **no patches available** from Siemens for these vulnerabilities.
### Workarounds
Siemens recommends the following immediate mitigations:
- **Credential Management:** Change all three default passwords immediately, even if the accounts are not actively used.
- **Strong Passwords:** Implement strong, complex passwords that are difficult to guess (mitigates CVE-2024-54089).
- **Service Hardening:** Disable the **Telnet** service (Note: It is disabled by default, but should be verified).
- **Network Segmentation:** Protect network access to the devices and ensure they are operated in a protected IT/OT environment following Industrial Security guidelines.
## Detection
- **Indicators of Compromise:** Unexpected device reboots or "cold start" log entries may indicate exploitation attempts of CVE-2024-54090.
- **Detection methods:** Monitor network traffic for unauthorized Telnet connection attempts or unusual requests to the device memory dump functions.
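The two detection methods above, as an added example that is not part of the advisory: it scans constructed flow-log and controller-syslog lines (hypothetical formats, not Siemens output) for Telnet connection attempts against known controller addresses and for "cold start" entries, and tallies which sources are making the Telnet attempts.

```python
"""Flag Telnet attempts to building controllers and cold-start events.
Log formats and addresses below are constructed for illustration."""
import re
from collections import Counter

# Constructed: addresses of the APOGEE/TALON controllers being monitored.
CONTROLLERS = {"10.30.7.21", "10.30.7.22"}

# Constructed firewall-style flow log (BACnet/IP is 47808; Telnet is 23).
FLOW_LOG = """\
2024-12-02T08:01:10Z ALLOW tcp 10.20.1.5:51234 -> 10.30.7.21:47808
2024-12-02T08:01:14Z ALLOW tcp 10.20.1.5:51240 -> 10.30.7.21:23
2024-12-02T08:01:15Z ALLOW tcp 10.20.1.5:51241 -> 10.30.7.22:23
2024-12-02T08:02:00Z DENY  tcp 10.20.1.9:40000 -> 10.30.7.21:23
2024-12-02T08:03:30Z ALLOW tcp 10.20.1.5:51300 -> 10.30.7.21:47808
"""

# Constructed controller syslog forwarded to a collector.
DEVICE_LOG = """\
2024-12-02T08:00:00Z PXC-01 INFO  warm start complete
2024-12-02T08:05:12Z PXC-01 ERROR cold start - configuration reloaded
2024-12-02T08:05:40Z PXC-02 INFO  bacnet service online
"""

FLOW_RE = re.compile(r"^(\S+) (ALLOW|DENY)\s+tcp (\S+):(\d+) -> (\S+):(\d+)$")


def telnet_attempts(flow_log: str, controllers: set) -> list:
    """Return every TCP attempt to port 23 on a known controller (even if denied)."""
    hits = []
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        ts, action, src, _sport, dst, dport = m.groups()
        if dst in controllers and int(dport) == 23:
            hits.append({"ts": ts, "src": src, "dst": dst, "action": action})
    return hits


def cold_start_events(device_log: str) -> list:
    """Return (timestamp, device) for each entry whose message mentions a cold start."""
    events = []
    for line in device_log.splitlines():
        parts = line.split(maxsplit=3)  # ts, device, level, message
        if len(parts) == 4 and "cold start" in parts[3].lower():
            events.append((parts[0], parts[1]))
    return events


def sources_by_count(hits: list) -> Counter:
    """Count Telnet attempts per source address to prioritise triage."""
    return Counter(h["src"] for h in hits)
```

A denied attempt still counts: the advisory's point is that any Telnet traffic toward these controllers is worth a look, since the service should be disabled.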
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-615116[.]html
- **Siemens Operational Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **Industrial Security Information:** hxxps://www[.]siemens[.]com/industrialsecurity