Full Report
Several products used in Desigo Fire Safety UL and Cerberus PRO UL Fire Protection Systems contain buffer overflow vulnerabilities in the network communication stack. Successful exploitation of the vulnerabilities could allow an unauthenticated attacker who has gained access to the fire protection system network to execute arbitrary code on the affected products (CVE-2024-22039) or create a denial of service condition (CVE-2024-22040, CVE-2024-22041). Product-specific impact of the individual vulnerabilities is documented in the chapter “Vulnerability Description”. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Buffer Overflows in Fire Protection System Network Stacks (Multiple CVEs)
## CVE Details
| CVE ID | Description | CVSS v3.1 Score (Severity) | CVSS v4.0 Score | CWE |
| :--- | :--- | :--- | :--- | :--- |
| CVE-2024-22039 | Arbitrary Code Execution (ACE) possible. | *(Implied High/Critical based on ACE)* | *(Not explicitly listed, but ACE is severe)* | Buffer Overflow (Implied) |
| CVE-2024-22040 | Denial of Service (DoS) condition possible. | 7.5 (High) | 8.7 | Buffer Overflow (Implied) |
| CVE-2024-22041 | Denial of Service (DoS) condition possible (Improper handling of X.509 certificates). | 7.5 (High) | 8.7 | CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) |
*Note: The advisory notes a base CVSS v3.1 score of 10.0 and CVSS v4.0 score of 10.0 universally, conflicting with the product-specific scores listed later for CVE-2024-22041. We list the specific operational scores where available.*
## Affected Systems
- **Products:**
  - Cerberus PRO UL Compact Panel FC922/924
  - Cerberus PRO UL Engineering Tool
  - Cerberus PRO UL X300 Cloud Distribution
  - Desigo Fire Safety UL Compact Panel FC2025/2050
  - Desigo Fire Safety UL Engineering Tool
  - Desigo Fire Safety UL X300 Cloud Distribution
- **Versions:**
  - Cerberus PRO UL Compact Panel FC922/924 & Desigo Fire Safety UL Compact Panel FC2025/2050: All versions < MP4
  - Cerberus PRO UL Engineering Tool & Desigo Fire Safety UL Engineering Tool: All versions < MP4
  - Cerberus PRO UL X300 Cloud Distribution & Desigo Fire Safety UL X300 Cloud Distribution: All versions < V4.3.0001
- **Configurations:** Requires an attacker to have access to the fire protection system network.
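
An added example, not part of the Siemens advisory or of this summary's source: a triage script that applies the fixed-version thresholds listed above to an asset inventory. The family keys, the inventory rows and the assumption that versions are reported as `MP<n>` or `V<a>.<b>.<c>` are constructed for illustration.

```python
import re

# Fixed-version thresholds from the list above; family keys are example labels.
FIXED = {
    "compact_panel": ("mp", (4,)),        # FC922/924, FC2025/2050: fixed in MP4
    "engineering_tool": ("mp", (4,)),     # fixed in MP4
    "x300_cloud": ("dotted", (4, 3, 1)),  # fixed in V4.3.0001
}
# Assumed version string shapes: "MP4" and "V4.3.0001".
MP_RE = re.compile(r"^MP\s*(\d+)$", re.IGNORECASE)
DOTTED_RE = re.compile(r"^V?(\d+(?:\.\d+)+)$", re.IGNORECASE)

def parse_version(scheme, text):
    """Return a comparable tuple, or None if the string does not fit the scheme."""
    text = text.strip()
    if scheme == "mp":
        m = MP_RE.match(text)
        return (int(m.group(1)),) if m else None
    m = DOTTED_RE.match(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(family, version):
    """Classify one asset as 'affected', 'fixed' or 'review'."""
    if family not in FIXED:
        return "review"
    scheme, fixed = FIXED[family]
    parsed = parse_version(scheme, version)
    if parsed is None:
        return "review"  # never assume an unparseable version is patched
    # Pad to equal length so "4.3" compares as 4.3.0 against 4.3.1.
    width = max(len(parsed), len(fixed))
    a = parsed + (0,) * (width - len(parsed))
    b = fixed + (0,) * (width - len(fixed))
    return "affected" if a < b else "fixed"

# Constructed inventory rows: (asset name, product family, reported version).
INVENTORY = [
    ("fc924-lobby", "compact_panel", "MP3"),
    ("eng-laptop-1", "engineering_tool", "MP4"),
    ("x300-gw", "x300_cloud", "V4.2.0007"),
    ("fc2050-plant", "compact_panel", "n/a"),
]

def report(inventory):
    return {name: triage(family, version) for name, family, version in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:14} {status}")
```

Assets that come back as `review` have a version string the script could not interpret and need a manual check against the vendor advisory.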
## Vulnerability Description
The vulnerabilities reside in the network communication stack across several affected products used in Desigo Fire Safety UL and Cerberus PRO UL Fire Protection Systems. These flaws are **buffer overflows**.
Specifically for **CVE-2024-22041**, the network communication library improperly handles memory buffers when parsing X.509 certificates, which can lead to a crash.
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild, but details on PoC/exploitation feasibility are implied by the existence of fixes.
- **Complexity (General):** Requires network access to the fire protection system network.
- **Complexity (CVE-2024-22041 Specifics):**
  - For Engineering Tools (Cerberus PRO/Desigo), exploitation requires an **on-path attacker** intercepting network communication (AC:H, AT:P).
  - For other impacts (like ACE in CVE-2024-22039), the vector is Network (AV:N) and requires no user interaction (UI:N for ACE).
- **Attack Vector:** Network (AV:N)
## Impact
| Impact Type | Level (Based on CVE-2024-22039 & generic findings) |
| :--- | :--- |
| **Confidentiality** | Potential impact (Implied by Arbitrary Code Execution) |
| **Integrity** | Potential impact (Implied by Arbitrary Code Execution) |
| **Availability** | High (DoS possible via CVE-2024-22040, CVE-2024-22041) |
## Remediation
### Patches
Siemens strongly recommends updating to the latest versions provided:
- **Cerberus PRO UL/Desigo Fire Safety UL Compact Panels:** Update to **MP4 or later**.
- **Cerberus PRO UL/Desigo Fire Safety UL X300 Cloud Distribution:** Update to **V4.3.0001 or later**.
- **Cerberus PRO UL/Desigo Fire Safety UL Engineering Tool:** Update to **MP4 or later**.
### Workarounds
- Product-specific remediations/mitigations can be found in the vendor advisory.
- Follow **General Security Recommendations**, which advise protecting network access to affected products with appropriate mechanisms and running devices in a protected IT environment.
## Detection
The specific advisory does not detail IOCs, but general detection should focus on:
- **Network Monitoring:** Look for unexpected or malformed network packets targeting the fire protection system components across the network segment.
- **System Logs:** Monitor for application crashes or unexpected restarts on the affected control panels or engineering workstations.
## References
- Siemens Security Advisory SSA-953710 (Publication Date: 2024-05-14)
- Siemens Security Advisory URL: hxxps://www.siemens.com/cert/advisories