Improper access control in Siemens APOGEE/TALON Field Panels
Published: 2022-12-15
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-45937
CWE-ID CWE-284
Exploitation vector Network
Public exploit N/A
Vulnerable software
APOGEE PXC Series (BACnet)
Hardware solutions / Other hardware appliances

APOGEE PXC Series (P2 Ethernet)
Hardware solutions / Other hardware appliances

TALON TC Series (BACnet)
Hardware solutions / Other hardware appliances

Vendor Siemens

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Improper access control

EUVDB-ID: #VU70377

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-45937

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions on the device. A remote authenticated user can download files from the device that contain user account credentials and use those credentials to gain unauthorized access to the application.

Mitigation

Install the fixed firmware versions listed below from the vendor's website (see the Siemens advisory SSA-180579 under External links).

Vulnerable software versions

APOGEE PXC Series (BACnet): before 3.5.5

APOGEE PXC Series (P2 Ethernet): before 2.8.20

TALON TC Series (BACnet): before 3.5.5
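An added asset-inventory check (example code written for this page, not code from Siemens or from the bulletin): it encodes the three fixed-version thresholds listed above and flags firmware below them, comparing versions numerically so that 3.5.10 is treated as newer than 3.5.5 rather than older, as a plain string compare would. The product names and thresholds come from the bulletin; the assumption that device firmware reports as a dotted numeric string, and the sample inventory, are constructed for this example and should be checked against the vendor's actual version format.

```python
# Added example for this bulletin, not vendor code. Thresholds are the fixed
# versions listed in the bulletin; the dotted-numeric version format and the
# sample inventory below are assumptions made for the example.
from typing import Optional, Tuple

# Fixed versions from the bulletin: anything strictly below these is affected.
FIXED_VERSIONS = {
    "APOGEE PXC Series (BACnet)": "3.5.5",
    "APOGEE PXC Series (P2 Ethernet)": "2.8.20",
    "TALON TC Series (BACnet)": "3.5.5",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version string into a tuple of ints.

    Comparing tuples avoids the string-compare mistake where "3.5.10"
    sorts before "3.5.5". Surrounding whitespace and a leading "v"/"V"
    are tolerated; anything else raises ValueError so an unexpected
    format is noticed instead of being silently misclassified.
    """
    cleaned = version.strip().lstrip("vV")
    if not cleaned:
        raise ValueError(f"empty version string: {version!r}")
    parts = cleaned.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if `version` of `product` is below the fixed release,
    False if it is at or above it, None if the product is not listed."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Apply is_affected() to (product, version, host) records and return
    the records that need the vendor update, plus any whose version string
    could not be parsed, so nothing is dropped silently."""
    findings = []
    for product, version, host in inventory:
        try:
            affected = is_affected(product, version)
        except ValueError as exc:
            findings.append((host, product, version, f"unparseable: {exc}"))
            continue
        if affected:
            findings.append((host, product, version, "below fixed version"))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    SAMPLE_INVENTORY = [
        ("APOGEE PXC Series (BACnet)", "3.5.4", "bms-pxc-01"),
        ("APOGEE PXC Series (BACnet)", "3.5.10", "bms-pxc-02"),
        ("APOGEE PXC Series (P2 Ethernet)", "2.8.19", "bms-pxc-03"),
        ("TALON TC Series (BACnet)", "3.5.5", "bms-tc-01"),
    ]
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Products not in the table return None rather than False, so a caller can distinguish "not covered by this bulletin" from "patched"; a version at exactly the fixed release is reported as not affected, matching the bulletin's "before" wording.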

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-180579.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
