Full Report
A denial of service vulnerability has been identified in the Nucleus RTOS (real-time operating system) and reported in the Siemens Security Advisory SSA-313313: https://cert-portal.siemens.com/productcert/html/ssa-313313.html. The products listed below use affected versions of the Nucleus software and therefore inherit the vulnerability. Siemens has released new versions for several affected products and recommends updating to the latest versions. For products where fixes are not, or not yet, available, Siemens recommends specific countermeasures.
Analysis Summary
# Vulnerability: Denial of Service in Nucleus RTOS FTP Server (APOGEE, TALON, and Desigo)
## CVE Details
- **CVE ID:** CVE-2022-38371
- **CVSS Score:** 7.5 (High) - CVSS v3.1 / 8.7 (High) - CVSS v4.0
- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:**
  - APOGEE MBC/MEC (PPC) (BACnet & P2 Ethernet)
  - APOGEE PXC Compact & Modular (BACnet & P2 Ethernet)
  - Desigo PXC Series (PXC00-E.D, PXC00/64/128-U, PXC24.1-E.D, PXC36.1-E.D, PXC50-E.D)
  - Desigo PXM Series (PXM20-E)
  - TALON TC Compact & Modular (BACnet)
- **Versions:**
  - APOGEE PXC Compact (BACnet): All versions < V6.30.37
  - APOGEE PXC Modular (BACnet): All versions < V6.30.37
  - TALON TC (Compact/Modular): All versions < V3.5.7
  - Desigo PXC/PXM: Specific versions (refer to advisory for full firmware list)
  - APOGEE MBC/MEC: All versions (No fix planned)
- **Configurations:** Systems where the FTP service is enabled (Note: it is disabled by default on these product lines).
## Vulnerability Description
The vulnerability exists within the FTP server component of the Nucleus RTOS. The software fails to properly release memory resources reserved for incomplete connection attempts. A remote attacker can exploit this by initiating multiple incomplete FTP connections, leading to memory exhaustion and a Denial of Service (DoS) condition on the affected device.
## Exploitation
- **Status:** PoC available (referenced via Nucleus RTOS advisory SSA-313313)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (The device may become unresponsive or crash)
## Remediation
### Patches
- **APOGEE PXC (BACnet/P2):** Update to V6.30.37 or later.
- **TALON TC (BACnet):** Update to V3.5.7 or later.
- **Desigo PXC/PXM:** Update to the latest versions as specified in the Siemens Support portal.
- **APOGEE MBC/MEC:** No fix planned; apply workarounds.
### Workarounds
- **Disable FTP Service:** This is the primary mitigation. The FTP service is disabled by default; ensure it has not been manually enabled.
- **Network Segmentation:** Protect network access to affected products with firewalls and VLANs to ensure they run in a protected IT environment.
- **General Security:** Follow Siemens' general security recommendations for ICS/Building Automation components.
## Detection
- **Indicators of Compromise:** High memory utilization alerts, repeated failed or "half-open" FTP connection logs, and unexplained device reboots or service unresponsiveness.
- **Detection methods and tools:** Network monitoring for anomalous volumes of incomplete TCP/21 (FTP) handshakes.
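The monitoring approach above, as an added example (not part of the advisory): a small Python detector that reads conntrack-style connection records (the line format and sample values are constructed assumptions) and flags any source that opens more than a threshold of incomplete TCP/21 connections to one device inside a sliding time window.

```python
"""Flag sources opening many incomplete FTP (TCP/21) connections to a device.

Constructed example: input lines mimic a conntrack-style export
(timestamp, src, dst, dport, TCP state); the format is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) state=(?P<state>\S+)$"
)
# TCP states in which the handshake or session never completed.
INCOMPLETE_STATES = {"SYN_SENT", "SYN_RECV"}

def parse_line(line):
    """Parse one record; return None for lines not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["dport"] = int(d["dport"])
    return d

def find_half_open_floods(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {(src, dst): peak_count} for sources with at least `threshold`
    incomplete TCP/21 connections to one device within any `window`."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["dport"] == 21 and rec["state"] in INCOMPLETE_STATES:
            events[(rec["src"], rec["dst"])].append(rec["ts"])
    alerts = {}
    for key, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = max(alerts.get(key, 0), end - start + 1)
    return alerts

# Constructed sample: one host spraying half-open FTP connections at a
# controller, another host completing a normal session.
SAMPLE_LOG = """\
2024-03-01T10:00:00 src=192.0.2.10 dst=198.51.100.5 dport=21 state=SYN_RECV
2024-03-01T10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=21 state=SYN_RECV
2024-03-01T10:00:02 src=192.0.2.10 dst=198.51.100.5 dport=21 state=SYN_RECV
2024-03-01T10:00:03 src=192.0.2.10 dst=198.51.100.5 dport=21 state=SYN_RECV
2024-03-01T10:00:04 src=192.0.2.10 dst=198.51.100.5 dport=21 state=SYN_RECV
2024-03-01T10:00:05 src=192.0.2.10 dst=198.51.100.5 dport=21 state=SYN_RECV
2024-03-01T10:00:06 src=192.0.2.20 dst=198.51.100.5 dport=21 state=ESTABLISHED
2024-03-01T10:00:07 src=192.0.2.20 dst=198.51.100.5 dport=80 state=SYN_RECV
""".splitlines()

if __name__ == "__main__":
    for (src, dst), n in find_half_open_floods(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {dst}:21 {n} incomplete FTP connections within 60s")
```

Tune `threshold` and `window` to the normal FTP usage of the site; on these controllers FTP is disabled by default, so any sustained volume of TCP/21 attempts is itself worth investigating.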
## References
- **Vendor Advisories:**
  - hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-935500[.]html
  - hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-313313[.]html
- **Product Support:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109987277/