#VU26962 Business Logic Errors in Siemens products - CVE-2019-13939
Published: April 15, 2020
Vulnerability identifier: #VU26962
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-13939
CWE-ID: CWE-840
Exploitation vector: Adjacent network
Exploit availability:
No public exploit available
Vulnerable software:
APOGEE MEC
APOGEE MBC
APOGEE PXC
APOGEE PCX
Desigo PXC
Desigo PXM20
SIMOTICS CONNECT 400
TALON TC Series
Software vendor:
Siemens
Description
The vulnerability allows a remote attacker to change the IP address of the device to an invalid value.
The vulnerability exists due to logical errors. A remote attacker on the local network can make device configuration changes and affect its availability.
This vulnerability affects the following products and versions:
- APOGEE MEC/MBC/PXC (P2): All versions prior to 2.8.2
- APOGEE PXC Series (BACnet): All versions, 3.0 and newer
- APOGEE PCX Series (P2): All versions, 2.8.2 and newer
- Desigo PXC (Power PC): All versions, 2.3x and newer
- Desigo PXM20 (Power PC): All versions, 2.3x and newer
- SIMOTICS CONNECT 400: All versions prior to 0.3.0.330
- TALON TC Series (BACnet): All versions, 3.0 and newer
Remediation
Install updates from the vendor's website.