Business Logic Errors in Siemens products - CVE-2019-13939
Published: April 15, 2020
Vulnerability identifier: #VU26962
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-13939
CWE-ID: CWE-840
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: Siemens
Affected software:
APOGEE MEC
APOGEE MBC
APOGEE PXC
APOGEE PCX
Desigo PXC
Desigo PXM20
SIMOTICS CONNECT 400
TALON TC Series
APOGEE MEC
APOGEE MBC
APOGEE PXC
APOGEE PCX
Desigo PXC
Desigo PXM20
SIMOTICS CONNECT 400
TALON TC Series
Detailed vulnerability description
The vulnerability allows a remote attacker to change the IP address of the device to an invalid value.
The vulnerability exists due to logical errors. A remote attacker on the local network can make device configuration changes and affect its availability.
This vulnerability affects the following products and versions:- APOGEE MEC/MBC/PXC (P2): All versions prior to 2.8.2
- APOGEE PXC Series (BACnet): All versions, 3.0 and newer
- APOGEE PCX Series (P2): All versions, 2.8.2 and newer
- Desigo PXC (Power PC): All versions, 2.3x and newer
- Desigo PXM20 (Power PC): All versions, 2.3x and newer
- SIMOTICS CONNECT 400: All versions prior to 0.3.0.330
- TALON TC Series (BACnet): All versions, 3.0 and newer
How to mitigate CVE-2019-13939
Install updates from vendor's website.