Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-31345 (GCVE-0-2021-31345)
Vulnerability from cvelistv5 – Published: 2021-11-09 11:31 – Updated: 2025-03-11 09:47
VLAI
EPSS
Summary
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions). The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol. (FSMD-2021-0006)
Severity
7.5 (High)
CWE
- CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
References
8 references
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Siemens | Capital Embedded AR Classic 431-422 |
Affected:
0 , < *
(custom)
|
|
| Siemens | Capital Embedded AR Classic R20-11 |
Affected:
0 , < V2303
(custom)
|
|
| Siemens | PLUSCONTROL 1st Gen |
Affected:
All versions
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:55:53.688Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-620288.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-845392.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Capital Embedded AR Classic 431-422",
"vendor": "Siemens",
"versions": [
{
"lessThan": "*",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "Capital Embedded AR Classic R20-11",
"vendor": "Siemens",
"versions": [
{
"lessThan": "V2303",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unknown",
"product": "PLUSCONTROL 1st Gen",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303), PLUSCONTROL 1st Gen (All versions). The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol. (FSMD-2021-0006)"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284: Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T09:47:37.991Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-620288.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-845392.pdf"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-114589.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-044112.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-620288.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/html/ssa-845392.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2021-31345",
"datePublished": "2021-11-09T11:31:52.000Z",
"dateReserved": "2021-04-15T00:00:00.000Z",
"dateUpdated": "2025-03-11T09:47:37.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-31345",
"date": "2026-06-04",
"epss": "0.01246",
"percentile": "0.7963"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:capital_vstar:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3EC45D63-0FB7-4995-AF45-B41F6EF6A9E2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:nucleus_net:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7A987CFB-4A41-4F82-8C7F-31DE8F0650DE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:nucleus_readystart_v3:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2014.12\", \"matchCriteriaId\": \"66972BA5-41C9-448A-9B6A-471630BF7907\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:siemens:nucleus_source_code:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07DAF9C3-B56A-4F40-B90B-D0DE96869A44\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:siemens:apogee_modular_building_controller_firmware:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"60FAD4D8-54FA-4721-954E-4AD77020B189\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:siemens:apogee_modular_building_controller:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B5F978E7-3DD9-4948-BFFB-E7273003477B\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:siemens:apogee_modular_equiment_controller_firmware:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"ACCB699F-4F10-47BD-8890-047380972BE1\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:siemens:apogee_modular_equiment_controller:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7945BF7D-AB3A-4285-9C58-D56149ADFC15\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:siemens:apogee_pxc_compact_firmware:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"105A6FFB-1176-4021-868D-3D6CE77113B2\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:siemens:apogee_pxc_compact:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8E2E8B0F-EBBC-4BCC-BE2A-20DCB506DF7F\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:siemens:apogee_pxc_modular_firmware:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C6BE40AF-B7A4-498A-943E-11AA9393A3D6\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:siemens:apogee_pxc_modular:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D9485F0B-03E0-4442-B615-2DA91AE1CD00\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:siemens:talon_tc_compact_firmware:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0CA14719-C655-4BED-AE8D-B9C983847AE4\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:siemens:talon_tc_compact:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"46D32EF0-8AEC-4594-8928-45F34DC60600\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:siemens:talon_tc_modular_firmware:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1F3470FD-BEBE-465F-A189-F4CEDD0F6815\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:siemens:talon_tc_modular:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"00C647D8-1725-42FA-8042-6C413EE67573\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:siemens:apogee_modular_building_controller_firmware:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"60FAD4D8-54FA-4721-954E-4AD77020B189\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:siemens:apogee_modular_building_controller:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B5F978E7-3DD9-4948-BFFB-E7273003477B\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303), PLUSCONTROL 1st Gen (All versions). The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol. (FSMD-2021-0006)\"}, {\"lang\": \"es\", \"value\": \"Se ha identificado una vulnerabilidad en APOGEE MBC (PPC) (BACnet) (Todas las versiones), APOGEE MBC (PPC) (P2 Ethernet) (Todas las versiones), APOGEE MEC (PPC) (BACnet) (Todas las versiones), APOGEE MEC (PPC) (P2 Ethernet) (Todas las versiones), APOGEE PXC Compact (BACnet) (Todas las versiones anteriores a V3. 5.4), APOGEE PXC Compact (P2 Ethernet) (Todas las versiones anteriores a V2.8.19), APOGEE PXC Modular (BACnet) (Todas las versiones anteriores a V3. 5.4), APOGEE PXC Modular (P2 Ethernet) (Todas las versiones anteriores a V2.8.19), Capital VSTAR (Todas las versiones con opciones de Ethernet habilitadas), Desigo PXC00-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30. 016), Desigo PXC00-U (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC001-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC100-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC12-E. D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC128-U (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC200-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC22-E.D (Todas las versiones posteriores o iguales V2. 3 y anteriores a V6.30.016), Desigo PXC22.1-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC36.1-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC50-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6. 30.016), Desigo PXC64-U (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXM20-E (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Nucleus NET (Todas las versiones), Nucleus ReadyStart V3 (Todas las versiones anteriores a V2017. 02.4), Nucleus Source Code (Todas las versiones), PLUSCONTROL 1st Gen (Todas las versiones), TALON TC Compact (BACnet) (Todas las versiones anteriores a V3.5.4), TALON TC Modular (BACnet) (Todas las versiones anteriores a V3.5.4). La longitud total de una carga \\u00fatil UDP (establecida en la cabecera IP) no est\\u00e1 comprobada. Esto puede conducir a varios efectos secundarios, incluyendo la fuga de informaci\\u00f3n y las condiciones de denegaci\\u00f3n de servicio, dependiendo de las aplicaciones definidas por el usuario que se ejecutan en la parte superior del protocolo UDP. (FSMD-2021-0006)\"}]",
"id": "CVE-2021-31345",
"lastModified": "2024-11-21T06:05:27.797",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"productcert@siemens.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:P\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2021-11-09T12:15:09.143",
"references": "[{\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-044112.html\", \"source\": \"productcert@siemens.com\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-114589.html\", \"source\": \"productcert@siemens.com\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-620288.html\", \"source\": \"productcert@siemens.com\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/html/ssa-845392.html\", \"source\": \"productcert@siemens.com\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf\", \"source\": \"productcert@siemens.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf\", \"source\": \"productcert@siemens.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-620288.pdf\", \"source\": \"productcert@siemens.com\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-845392.pdf\", \"source\": \"productcert@siemens.com\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-620288.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-845392.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"productcert@siemens.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-1284\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-31345\",\"sourceIdentifier\":\"productcert@siemens.com\",\"published\":\"2021-11-09T12:15:09.143\",\"lastModified\":\"2024-11-21T06:05:27.797\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303), PLUSCONTROL 1st Gen (All versions). The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol. (FSMD-2021-0006)\"},{\"lang\":\"es\",\"value\":\"Se ha identificado una vulnerabilidad en APOGEE MBC (PPC) (BACnet) (Todas las versiones), APOGEE MBC (PPC) (P2 Ethernet) (Todas las versiones), APOGEE MEC (PPC) (BACnet) (Todas las versiones), APOGEE MEC (PPC) (P2 Ethernet) (Todas las versiones), APOGEE PXC Compact (BACnet) (Todas las versiones anteriores a V3. 5.4), APOGEE PXC Compact (P2 Ethernet) (Todas las versiones anteriores a V2.8.19), APOGEE PXC Modular (BACnet) (Todas las versiones anteriores a V3. 5.4), APOGEE PXC Modular (P2 Ethernet) (Todas las versiones anteriores a V2.8.19), Capital VSTAR (Todas las versiones con opciones de Ethernet habilitadas), Desigo PXC00-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30. 016), Desigo PXC00-U (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC001-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC100-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC12-E. D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC128-U (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC200-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC22-E.D (Todas las versiones posteriores o iguales V2. 3 y anteriores a V6.30.016), Desigo PXC22.1-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC36.1-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXC50-E.D (Todas las versiones posteriores o iguales V2.3 y anteriores a V6. 30.016), Desigo PXC64-U (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Desigo PXM20-E (Todas las versiones posteriores o iguales V2.3 y anteriores a V6.30.016), Nucleus NET (Todas las versiones), Nucleus ReadyStart V3 (Todas las versiones anteriores a V2017. 02.4), Nucleus Source Code (Todas las versiones), PLUSCONTROL 1st Gen (Todas las versiones), TALON TC Compact (BACnet) (Todas las versiones anteriores a V3.5.4), TALON TC Modular (BACnet) (Todas las versiones anteriores a V3.5.4). La longitud total de una carga \u00fatil UDP (establecida en la cabecera IP) no est\u00e1 comprobada. Esto puede conducir a varios efectos secundarios, incluyendo la fuga de informaci\u00f3n y las condiciones de denegaci\u00f3n de servicio, dependiendo de las aplicaciones definidas por el usuario que se ejecutan en la parte superior del protocolo UDP. (FSMD-2021-0006)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:P\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"productcert@siemens.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:capital_vstar:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3EC45D63-0FB7-4995-AF45-B41F6EF6A9E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:nucleus_net:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A987CFB-4A41-4F82-8C7F-31DE8F0650DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:nucleus_readystart_v3:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2014.12\",\"matchCriteriaId\":\"66972BA5-41C9-448A-9B6A-471630BF7907\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:siemens:nucleus_source_code:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07DAF9C3-B56A-4F40-B90B-D0DE96869A44\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:apogee_modular_building_controller_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"60FAD4D8-54FA-4721-954E-4AD77020B189\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:apogee_modular_building_controller:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B5F978E7-3DD9-4948-BFFB-E7273003477B\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:apogee_modular_equiment_controller_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ACCB699F-4F10-47BD-8890-047380972BE1\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:apogee_modular_equiment_controller:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7945BF7D-AB3A-4285-9C58-D56149ADFC15\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:apogee_pxc_compact_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"105A6FFB-1176-4021-868D-3D6CE77113B2\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:apogee_pxc_compact:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8E2E8B0F-EBBC-4BCC-BE2A-20DCB506DF7F\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:apogee_pxc_modular_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C6BE40AF-B7A4-498A-943E-11AA9393A3D6\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:apogee_pxc_modular:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D9485F0B-03E0-4442-B615-2DA91AE1CD00\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:talon_tc_compact_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0CA14719-C655-4BED-AE8D-B9C983847AE4\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:talon_tc_compact:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"46D32EF0-8AEC-4594-8928-45F34DC60600\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:talon_tc_modular_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F3470FD-BEBE-465F-A189-F4CEDD0F6815\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:talon_tc_modular:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"00C647D8-1725-42FA-8042-6C413EE67573\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:siemens:apogee_modular_building_controller_firmware:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"60FAD4D8-54FA-4721-954E-4AD77020B189\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:siemens:apogee_modular_building_controller:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B5F978E7-3DD9-4948-BFFB-E7273003477B\"}]}]}],\"references\":[{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-044112.html\",\"source\":\"productcert@siemens.com\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-114589.html\",\"source\":\"productcert@siemens.com\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-620288.html\",\"source\":\"productcert@siemens.com\"},{\"url\":\"https://cert-portal.siemens.com/productcert/html/ssa-845392.html\",\"source\":\"productcert@siemens.com\"},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf\",\"source\":\"productcert@siemens.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf\",\"source\":\"productcert@siemens.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-620288.pdf\",\"source\":\"productcert@siemens.com\"},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-845392.pdf\",\"source\":\"productcert@siemens.com\"},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-620288.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://cert-portal.siemens.com/productcert/pdf/ssa-845392.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
SSA-845392
Vulnerability from csaf_siemens - Published: 2022-01-11 00:00 - Updated: 2022-01-11 00:00Summary
SSA-845392: Multiple Vulnerabilities in Nucleus RTOS based Siemens Energy PLUSCONTROL 1st Gen Devices
Notes
Summary: Multiple vulnerabilities (also known as "NUCLEUS:13") have been identified in the Nucleus RTOS (real-time operating system) and reported in the Siemens Security Advisory SSA-044112: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf.
PLUSCONTROL 1st Gen devices are affected by some of the vulnerabilities as documented below.
Siemens Energy recommends specific countermeasures for products where updates are not available.
General Recommendations: Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design.
Siemens Energy strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens Energy strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment.
As a general security measure Siemens Energy strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.
Additional Resources: For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories
Terms of Use: Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
CWE-843
- Access of Resource Using Incompatible Type ('Type Confusion')
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
PLUSCONTROL 1st Gen
Siemens / PLUSCONTROL 1st Gen
|
vers:all/* |
No Fix Planned
Mitigation
|
CWE-1284
- Improper Validation of Specified Quantity in Input
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
PLUSCONTROL 1st Gen
Siemens / PLUSCONTROL 1st Gen
|
vers:all/* |
No Fix Planned
Mitigation
|
CWE-1284
- Improper Validation of Specified Quantity in Input
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
PLUSCONTROL 1st Gen
Siemens / PLUSCONTROL 1st Gen
|
vers:all/* |
No Fix Planned
Mitigation
|
CWE-805
- Buffer Access with Incorrect Length Value
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
PLUSCONTROL 1st Gen
Siemens / PLUSCONTROL 1st Gen
|
vers:all/* |
No Fix Planned
Mitigation
|
CWE-191
- Integer Underflow (Wrap or Wraparound)
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
PLUSCONTROL 1st Gen
Siemens / PLUSCONTROL 1st Gen
|
vers:all/* |
No Fix Planned
Mitigation
|
CWE-240
- Improper Handling of Inconsistent Structural Elements
Affected products
Known affected
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
PLUSCONTROL 1st Gen
Siemens / PLUSCONTROL 1st Gen
|
vers:all/* |
No Fix Planned
Mitigation
|
References
9 references
{
"document": {
"category": "Siemens Security Advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited.",
"tlp": {
"label": "WHITE"
}
},
"notes": [
{
"category": "summary",
"text": "Multiple vulnerabilities (also known as \"NUCLEUS:13\") have been identified in the Nucleus RTOS (real-time operating system) and reported in the Siemens Security Advisory SSA-044112: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf.\n\nPLUSCONTROL 1st Gen devices are affected by some of the vulnerabilities as documented below.\n\nSiemens Energy recommends specific countermeasures for products where updates are not available.",
"title": "Summary"
},
{
"category": "general",
"text": "Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid\u0027s reliability can thus be minimized by virtue of the grid design.\n\nSiemens Energy strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens Energy strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment.\n\nAs a general security measure Siemens Energy strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.",
"title": "General Recommendations"
},
{
"category": "general",
"text": "For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "Siemens Security Advisories are subject to the terms and conditions contained in Siemens\u0027 underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter \"License Terms\"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens\u0027 Global Website (https://www.siemens.com/terms_of_use, hereinafter \"Terms of Use\"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "productcert@siemens.com",
"name": "Siemens ProductCERT",
"namespace": "https://www.siemens.com"
},
"references": [
{
"category": "self",
"summary": "SSA-845392: Multiple Vulnerabilities in Nucleus RTOS based Siemens Energy PLUSCONTROL 1st Gen Devices - PDF Version",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-845392.pdf"
},
{
"category": "self",
"summary": "SSA-845392: Multiple Vulnerabilities in Nucleus RTOS based Siemens Energy PLUSCONTROL 1st Gen Devices - TXT Version",
"url": "https://cert-portal.siemens.com/productcert/txt/ssa-845392.txt"
},
{
"category": "self",
"summary": "SSA-845392: Multiple Vulnerabilities in Nucleus RTOS based Siemens Energy PLUSCONTROL 1st Gen Devices - CSAF Version",
"url": "https://cert-portal.siemens.com/productcert/csaf/ssa-845392.json"
}
],
"title": "SSA-845392: Multiple Vulnerabilities in Nucleus RTOS based Siemens Energy PLUSCONTROL 1st Gen Devices",
"tracking": {
"current_release_date": "2022-01-11T00:00:00Z",
"generator": {
"engine": {
"name": "Siemens ProductCERT CSAF Generator",
"version": "1"
}
},
"id": "SSA-845392",
"initial_release_date": "2022-01-11T00:00:00Z",
"revision_history": [
{
"date": "2022-01-11T00:00:00Z",
"legacy_version": "1.0",
"number": "1",
"summary": "Publication Date"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "PLUSCONTROL 1st Gen",
"product_id": "1"
}
}
],
"category": "product_name",
"name": "PLUSCONTROL 1st Gen"
}
],
"category": "vendor",
"name": "Siemens"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-31344",
"cwe": {
"id": "CWE-843",
"name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
},
"notes": [
{
"category": "summary",
"text": "ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network. (FSMD-2021-0004)",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"references": [
{
"summary": "CVE-2021-31344 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31344.json"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no remediation is planned",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "PLUSCONTROL devices are typically located in a separate LAN segment of energy transmission solutions, where an attacker could use these vulnerabilities to disrupt SER messages or Trace functionalities. Therefore, review the status of the defense in depth recommendations that apply to your specific deployment and align as needed. Especially the measures on the network layer to prevent accessibility from other network segments.",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-31344"
},
{
"cve": "CVE-2021-31345",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"notes": [
{
"category": "summary",
"text": "The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol. (FSMD-2021-0006)",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"references": [
{
"summary": "CVE-2021-31345 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31345.json"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no remediation is planned",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "PLUSCONTROL devices are typically located in a separate LAN segment of energy transmission solutions, where an attacker could use these vulnerabilities to disrupt SER messages or Trace functionalities. Therefore, review the status of the defense in depth recommendations that apply to your specific deployment and align as needed. Especially the measures on the network layer to prevent accessibility from other network segments.",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-31345"
},
{
"cve": "CVE-2021-31346",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"notes": [
{
"category": "summary",
"text": "The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0007)",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"references": [
{
"summary": "CVE-2021-31346 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31346.json"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no remediation is planned",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "PLUSCONTROL devices are typically located in a separate LAN segment of energy transmission solutions, where an attacker could use these vulnerabilities to disrupt SER messages or Trace functionalities. Therefore, review the status of the defense in depth recommendations that apply to your specific deployment and align as needed. Especially the measures on the network layer to prevent accessibility from other network segments.",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-31346"
},
{
"cve": "CVE-2021-31885",
"cwe": {
"id": "CWE-805",
"name": "Buffer Access with Incorrect Length Value"
},
"notes": [
{
"category": "summary",
"text": "TFTP server application allows for reading the contents of the TFTP memory buffer via sending malformed TFTP commands. (FSMD-2021-0009)",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"references": [
{
"summary": "CVE-2021-31885 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31885.json"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no remediation is planned",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "PLUSCONTROL devices are typically located in a separate LAN segment of energy transmission solutions, where an attacker could use these vulnerabilities to disrupt SER messages or Trace functionalities. Therefore, review the status of the defense in depth recommendations that apply to your specific deployment and align as needed. Especially the measures on the network layer to prevent accessibility from other network segments.",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-31885"
},
{
"cve": "CVE-2021-31889",
"cwe": {
"id": "CWE-191",
"name": "Integer Underflow (Wrap or Wraparound)"
},
"notes": [
{
"category": "summary",
"text": "Malformed TCP packets with a corrupted SACK option leads to Information Leaks and Denial-of-Service conditions. (FSMD-2021-0015)",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"references": [
{
"summary": "CVE-2021-31889 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31889.json"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no remediation is planned",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "PLUSCONTROL devices are typically located in a separate LAN segment of energy transmission solutions, where an attacker could use these vulnerabilities to disrupt SER messages or Trace functionalities. Therefore, review the status of the defense in depth recommendations that apply to your specific deployment and align as needed. Especially the measures on the network layer to prevent accessibility from other network segments.",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-31889"
},
{
"cve": "CVE-2021-31890",
"cwe": {
"id": "CWE-240",
"name": "Improper Handling of Inconsistent Structural Elements"
},
"notes": [
{
"category": "summary",
"text": "The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0017)",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"1"
]
},
"references": [
{
"summary": "CVE-2021-31890 Mitre 5.0 json",
"url": "https://cert-portal.siemens.com/productcert/mitre/CVE-2021-31890.json"
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "Currently no remediation is planned",
"product_ids": [
"1"
]
},
{
"category": "mitigation",
"details": "PLUSCONTROL devices are typically located in a separate LAN segment of energy transmission solutions, where an attacker could use these vulnerabilities to disrupt SER messages or Trace functionalities. Therefore, review the status of the defense in depth recommendations that apply to your specific deployment and align as needed. Especially the measures on the network layer to prevent accessibility from other network segments.",
"product_ids": [
"1"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"products": [
"1"
]
}
],
"title": "CVE-2021-31890"
}
]
}
VAR-202111-1612
Vulnerability from variot - Updated: 2023-12-18 11:44A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Capital VSTAR (All versions with enabled Ethernet options), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), PLUSCONTROL 1st Gen (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol. (FSMD-2021-0006)
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202111-1612",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "apogee pxc modular",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "nucleus net",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "apogee modular building controller",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "capital vstar",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "talon tc compact",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "talon tc modular",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "nucleus readystart v3",
"scope": "lt",
"trust": 1.0,
"vendor": "siemens",
"version": "2014.12"
},
{
"model": "nucleus source code",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "apogee pxc compact",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
},
{
"model": "apogee modular equiment controller",
"scope": "eq",
"trust": 1.0,
"vendor": "siemens",
"version": "*"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-31345"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:siemens:nucleus_source_code:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:nucleus_net:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:capital_vstar:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:siemens:nucleus_readystart_v3:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2014.12",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:apogee_modular_building_controller_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:apogee_modular_building_controller:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:apogee_modular_equiment_controller_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:apogee_modular_equiment_controller:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:apogee_pxc_compact_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:apogee_pxc_compact:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:apogee_pxc_modular_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:apogee_pxc_modular:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:talon_tc_compact_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:talon_tc_compact:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:talon_tc_modular_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:talon_tc_modular:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:siemens:apogee_modular_building_controller_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:siemens:apogee_modular_building_controller:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-31345"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Siemens reported these vulnerabilities to CISA.",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-853"
}
],
"trust": 0.6
},
"cve": "CVE-2021-31345",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-31345",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "CNNVD",
"id": "CNNVD-202111-853",
"trust": 0.6,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-31345"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-853"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions \u003c V2.8.19), APOGEE PXC Modular (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions \u003c V2.8.19), Capital VSTAR (All versions with enabled Ethernet options), Desigo PXC00-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC00-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC001-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC100-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC12-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC128-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC200-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC36.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC50-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC64-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXM20-E (All versions \u003e= V2.3 and \u003c V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions \u003c V2017.02.4), Nucleus Source Code (All versions), PLUSCONTROL 1st Gen (All versions), TALON TC Compact (BACnet) (All versions \u003c V3.5.4), TALON TC Modular (BACnet) (All versions \u003c V3.5.4). The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol. (FSMD-2021-0006)",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-31345"
}
],
"trust": 1.0
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "SIEMENS",
"id": "SSA-114589",
"trust": 1.6
},
{
"db": "SIEMENS",
"id": "SSA-044112",
"trust": 1.6
},
{
"db": "SIEMENS",
"id": "SSA-620288",
"trust": 1.6
},
{
"db": "SIEMENS",
"id": "SSA-845392",
"trust": 1.6
},
{
"db": "NVD",
"id": "CVE-2021-31345",
"trust": 1.6
},
{
"db": "ICS CERT",
"id": "ICSA-21-350-06",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-21-313-03",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-21-315-07",
"trust": 0.6
},
{
"db": "ICS CERT",
"id": "ICSA-22-013-03",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021121648",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022010910",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021111003",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2022011803",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2022.0094",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3874",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4289",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3833",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202111-853",
"trust": 0.6
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-31345"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-853"
}
]
},
"id": "VAR-202111-1612",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.56450218
},
"last_update_date": "2023-12-18T11:44:55.470000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Siemens Nucleus ReadyStart Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=178542"
}
],
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-853"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-1284",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-31345"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.6,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf"
},
{
"trust": 1.6,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-114589.pdf"
},
{
"trust": 1.6,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-620288.pdf"
},
{
"trust": 1.6,
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-845392.pdf"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021111003"
},
{
"trust": 0.6,
"url": "https://source.android.com/security/bulletin/2022-01-01"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2022.0094"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3833"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-31345"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3874"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/google-android-pixel-multiple-vulnerabilities-of-january-2022-37172"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4289"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022011803"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-013-03"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021121648"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-315-07"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022010910"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-350-06"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-313-03"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-31345"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-853"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-31345"
},
{
"db": "CNNVD",
"id": "CNNVD-202111-853"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-11-09T12:15:09.143000",
"db": "NVD",
"id": "CVE-2021-31345"
},
{
"date": "2021-11-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202111-853"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-05-20T13:15:12.130000",
"db": "NVD",
"id": "CVE-2021-31345"
},
{
"date": "2022-05-23T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202111-853"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-853"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Siemens Nucleus Security hole",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-853"
}
],
"trust": 0.6
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202111-853"
}
],
"trust": 0.6
}
}
VDE-2021-050
Vulnerability from csaf_wagogmbhcokg - Published: 2021-11-16 11:02 - Updated: 2021-11-16 11:02Summary
WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack.
Severity
Critical
Notes
Summary: Multiple vulnerabilities were reported in the Nucleus Real-Time Operating System (RTOS). The Nucleus RTOS is an essential component in several WAGO PLCs and fieldbus coupler. WAGO uses older Versions of the Nucleus RTOS also in legacy products.
For additional information please consult the official Siemens advisory:
• Advisory SSA-044112
Impact: The reported vulnerabilities allow an attacker who has access to the device and is able to exploit the vulnerabilities, to manipulate and disrupt the device. Please consult the CVE entries listed above for more details.
WAGO devices are not affected by CVE-2021-31885.
Vulnerable to all vulnerabilities listed above:
750-829, 750-831/000-00x, 750-852, 750-880/0xx-xxx, 750-881, 750-882, 750-885/0xx-xxx, 750-889, 750-331, 750-352/xxx-xxx
Vulnerable only to CVE-2021-31344, CVE-2021-31346, CVE-2021-31890:
750-823, 750-832/000-00x, 750-862, 750-890/0xx-xxx, 750-891, 750-893, 750-332, 750-362/xxx-xxx, 750-363/xxx-xxx, 750-364/xxx-xxx, 750-365/xxx-xxx
Mitigation: 1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Remediation: For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions < V1.0.0.0). ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network. (FSMD-2021-0004)
5.3 (Medium)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — | ||
| Unresolved product id: CSAFPID-31015 | — | ||
| Unresolved product id: CSAFPID-31016 | — | ||
| Unresolved product id: CSAFPID-31017 | — | ||
| Unresolved product id: CSAFPID-31018 | — | ||
| Unresolved product id: CSAFPID-31019 | — | ||
| Unresolved product id: CSAFPID-31020 | — | ||
| Unresolved product id: CSAFPID-31021 | — |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions). The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol. (FSMD-2021-0006)
9.1 (Critical)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — | ||
| Unresolved product id: CSAFPID-31015 | — | ||
| Unresolved product id: CSAFPID-31016 | — | ||
| Unresolved product id: CSAFPID-31017 | — | ||
| Unresolved product id: CSAFPID-31018 | — | ||
| Unresolved product id: CSAFPID-31019 | — | ||
| Unresolved product id: CSAFPID-31020 | — | ||
| Unresolved product id: CSAFPID-31021 | — |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions < V1.0.0.0). The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0007)
9.1 (Critical)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — | ||
| Unresolved product id: CSAFPID-31015 | — | ||
| Unresolved product id: CSAFPID-31016 | — | ||
| Unresolved product id: CSAFPID-31017 | — | ||
| Unresolved product id: CSAFPID-31018 | — | ||
| Unresolved product id: CSAFPID-31019 | — | ||
| Unresolved product id: CSAFPID-31020 | — | ||
| Unresolved product id: CSAFPID-31021 | — |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303). When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0008)
7.5 (High)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — | ||
| Unresolved product id: CSAFPID-31015 | — | ||
| Unresolved product id: CSAFPID-31016 | — | ||
| Unresolved product id: CSAFPID-31017 | — | ||
| Unresolved product id: CSAFPID-31018 | — | ||
| Unresolved product id: CSAFPID-31019 | — | ||
| Unresolved product id: CSAFPID-31020 | — | ||
| Unresolved product id: CSAFPID-31021 | — |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303). The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions. (FSMD-2021-0011)
7.5 (High)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — | ||
| Unresolved product id: CSAFPID-31015 | — | ||
| Unresolved product id: CSAFPID-31016 | — | ||
| Unresolved product id: CSAFPID-31017 | — | ||
| Unresolved product id: CSAFPID-31018 | — | ||
| Unresolved product id: CSAFPID-31019 | — | ||
| Unresolved product id: CSAFPID-31020 | — | ||
| Unresolved product id: CSAFPID-31021 | — |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303). When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0013)
7.5 (High)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — | ||
| Unresolved product id: CSAFPID-31015 | — | ||
| Unresolved product id: CSAFPID-31016 | — | ||
| Unresolved product id: CSAFPID-31017 | — | ||
| Unresolved product id: CSAFPID-31018 | — | ||
| Unresolved product id: CSAFPID-31019 | — | ||
| Unresolved product id: CSAFPID-31020 | — | ||
| Unresolved product id: CSAFPID-31021 | — |
A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Capital VSTAR (All versions with enabled Ethernet options), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). The DHCP client application assumes that the data supplied with the “Hostname” DHCP option is NULL terminated. In cases when global hostname variable is not defined, this may lead to Out-of-bound reads, writes, and Denial-of-service conditions. (FSMD-2021-0014)
9.8 (Critical)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — | ||
| Unresolved product id: CSAFPID-31015 | — | ||
| Unresolved product id: CSAFPID-31016 | — | ||
| Unresolved product id: CSAFPID-31017 | — | ||
| Unresolved product id: CSAFPID-31018 | — | ||
| Unresolved product id: CSAFPID-31019 | — | ||
| Unresolved product id: CSAFPID-31020 | — | ||
| Unresolved product id: CSAFPID-31021 | — |
A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). FTP server does not properly validate the length of the “USER” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0010)
9.8 (Critical)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — | ||
| Unresolved product id: CSAFPID-31015 | — | ||
| Unresolved product id: CSAFPID-31016 | — | ||
| Unresolved product id: CSAFPID-31017 | — | ||
| Unresolved product id: CSAFPID-31018 | — | ||
| Unresolved product id: CSAFPID-31019 | — | ||
| Unresolved product id: CSAFPID-31020 | — | ||
| Unresolved product id: CSAFPID-31021 | — |
A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). FTP server does not properly validate the length of the “PWD/XPWD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0016)
8.8 (High)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — | ||
| Unresolved product id: CSAFPID-31015 | — | ||
| Unresolved product id: CSAFPID-31016 | — | ||
| Unresolved product id: CSAFPID-31017 | — | ||
| Unresolved product id: CSAFPID-31018 | — | ||
| Unresolved product id: CSAFPID-31019 | — | ||
| Unresolved product id: CSAFPID-31020 | — | ||
| Unresolved product id: CSAFPID-31021 | — |
A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.19), APOGEE PXC Modular (BACnet) (All versions < V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.19), Desigo PXC00-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC00-U (All versions >= V2.3 and < V6.30.016), Desigo PXC001-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC100-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC12-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC128-U (All versions >= V2.3 and < V6.30.016), Desigo PXC200-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC22.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC36.1-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC50-E.D (All versions >= V2.3 and < V6.30.016), Desigo PXC64-U (All versions >= V2.3 and < V6.30.016), Desigo PXM20-E (All versions >= V2.3 and < V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions < V3.5.4), TALON TC Modular (BACnet) (All versions < V3.5.4). FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0018)
8.8 (High)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — | ||
| Unresolved product id: CSAFPID-31015 | — | ||
| Unresolved product id: CSAFPID-31016 | — | ||
| Unresolved product id: CSAFPID-31017 | — | ||
| Unresolved product id: CSAFPID-31018 | — | ||
| Unresolved product id: CSAFPID-31019 | — | ||
| Unresolved product id: CSAFPID-31020 | — | ||
| Unresolved product id: CSAFPID-31021 | — |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0). Malformed TCP packets with a corrupted SACK option leads to Information Leaks and Denial-of-Service conditions. (FSMD-2021-0015)
9.1 (Critical)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — | ||
| Unresolved product id: CSAFPID-31015 | — | ||
| Unresolved product id: CSAFPID-31016 | — | ||
| Unresolved product id: CSAFPID-31017 | — | ||
| Unresolved product id: CSAFPID-31018 | — | ||
| Unresolved product id: CSAFPID-31019 | — | ||
| Unresolved product id: CSAFPID-31020 | — | ||
| Unresolved product id: CSAFPID-31021 | — |
A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions < V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions < V0.5.0.0), SIMOTICS CONNECT 400 (All versions < V1.0.0.0). The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0017)
9.1 (Critical)
Mitigation
1. Use general security best practices to protect systems from local and network attacks.
2. Do not allow direct access to the device from untrusted networks.
3. Update to the latest firmware according to the table in chapter solutions.
4. Disable the DHCP, DNS and the FTP port 21.
5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].
For fieldbus coupler:
- 750-331
- 750-352/xxx-xxx
For PLCs:
- 750-829
- 750-831/xxx-xxx
- 750-852
- 750-880/xxx-xxx
- 750-881
- 750-889
The listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:
1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.
2. Ensure DHCP responses from non-authorized servers are blocked or discarded.
3. Monitor network traffic for anomalies and discard invalid packets.
4. Disable or block FTP, DHCP, DNS especially on critical network segments
5. Please check regularly https://certvde.com/de/ for an update of this Advisory.
Vendor Fix
For fieldbus coupler:
- 750-332
- 750-362/xxx-xxx
- 750-363/xxx-xxx
- 750-364/xxx-xxx
- 750-365/xxx-xxx
For PLCs:
- 750-823
- 750-832/xxx-xxx
- 750-862
- 750-890/xxx-xxx
- 750-891
- 750-893
We recommend all effected users to update to the firmware version listed below:
| Article Number | Fixed in Firmware Version | Availability |
|----------------------|----------------------------|---------------------------|
| 750-823 | >=FW10 | January 2022 |
| 750-832/000-00x | >=FW10 | After BACnet certification|
| 750-862 | >=FW10 | January 2022 |
| 750-890/xxx-xxx | >=FW10 | January 2022 |
| 750-891 | >=FW10 | January 2022 |
| 750-893 | >=FW10 | January 2022 |
| 750-332 | >=FW10 | After BACnet certification|
| 750-362/xxx-xxx | >=FW10 | January 2022 |
| 750-363/xxx-xxx | >=FW10 | January 2022 |
| 750-364/xxx-xxx | >=FW10 | January 2022 |
| 750-365/xxx-xxx | >=FW10 | January 2022 |
Affected products
Known affected
21 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: CSAFPID-31001 | — | ||
| Unresolved product id: CSAFPID-31002 | — | ||
| Unresolved product id: CSAFPID-31003 | — | ||
| Unresolved product id: CSAFPID-31004 | — | ||
| Unresolved product id: CSAFPID-31005 | — | ||
| Unresolved product id: CSAFPID-31006 | — | ||
| Unresolved product id: CSAFPID-31007 | — | ||
| Unresolved product id: CSAFPID-31008 | — | ||
| Unresolved product id: CSAFPID-31009 | — | ||
| Unresolved product id: CSAFPID-31010 | — | ||
| Unresolved product id: CSAFPID-31011 | — | ||
| Unresolved product id: CSAFPID-31012 | — | ||
| Unresolved product id: CSAFPID-31013 | — | ||
| Unresolved product id: CSAFPID-31014 | — | ||
| Unresolved product id: CSAFPID-31015 | — | ||
| Unresolved product id: CSAFPID-31016 | — | ||
| Unresolved product id: CSAFPID-31017 | — | ||
| Unresolved product id: CSAFPID-31018 | — | ||
| Unresolved product id: CSAFPID-31019 | — | ||
| Unresolved product id: CSAFPID-31020 | — | ||
| Unresolved product id: CSAFPID-31021 | — |
References
4 references
| URL | Category |
|---|---|
| https://certvde.com/en/advisories/VDE-2021-050/ | self |
| https://wago.csaf-tp.certvde.com/.well-known/csaf… | self |
| https://www.wago.com/psirt | external |
| https://certvde.com/en/advisories/vendor/wago/ | external |
Acknowledgments
CERT@VDE
certvde.com
Medigate
Yuval Halaban
Uriel Malin
Tal Zohar
Forescout Technologies
Daniel dos Santos
Amine Amri
Stanislav Dashevskyi
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"Yuval Halaban",
"Uriel Malin",
"Tal Zohar"
],
"organization": "Medigate",
"summary": "reporting"
},
{
"names": [
"Daniel dos Santos",
"Amine Amri",
"Stanislav Dashevskyi"
],
"organization": "Forescout Technologies",
"summary": "reporting"
}
],
"aggregate_severity": {
"namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "Multiple vulnerabilities were reported in the Nucleus Real-Time Operating System (RTOS). The Nucleus RTOS is an essential component in several WAGO PLCs and fieldbus coupler. WAGO uses older Versions of the Nucleus RTOS also in legacy products.\nFor additional information please\u00a0consult the official Siemens advisory:\n\u2022 Advisory\u00a0SSA-044112",
"title": "Summary"
},
{
"category": "description",
"text": "The reported vulnerabilities allow an attacker who has access to the device and is able to exploit the vulnerabilities, to manipulate and disrupt the device. Please consult the CVE entries listed above for more details.\nWAGO devices are not affected by CVE-2021-31885.\nVulnerable to all vulnerabilities listed above:\n750-829, 750-831/000-00x, 750-852, 750-880/0xx-xxx, 750-881, 750-882, 750-885/0xx-xxx, 750-889, 750-331, 750-352/xxx-xxx\nVulnerable only to CVE-2021-31344, CVE-2021-31346, CVE-2021-31890:\n750-823, 750-832/000-00x, 750-862, 750-890/0xx-xxx, 750-891, 750-893, 750-332, 750-362/xxx-xxx, 750-363/xxx-xxx, 750-364/xxx-xxx, 750-365/xxx-xxx",
"title": "Impact"
},
{
"category": "description",
"text": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"title": "Mitigation"
},
{
"category": "description",
"text": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |",
"title": "Remediation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "psirt@wago.com",
"name": "WAGO GmbH \u0026 Co. KG",
"namespace": "https://www.wago.com/psirt"
},
"references": [
{
"category": "self",
"summary": "VDE-2021-050: WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack. - HTML",
"url": "https://certvde.com/en/advisories/VDE-2021-050/"
},
{
"category": "self",
"summary": "VDE-2021-050: WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack. - CSAF",
"url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2021/vde-2021-050.json"
},
{
"category": "external",
"summary": "WAGO PSIRT",
"url": "https://www.wago.com/psirt"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for WAGO GmbH \u0026 Co. KG",
"url": "https://certvde.com/en/advisories/vendor/wago/"
}
],
"title": "WAGO: Multiple devices affected by Vulnerabilities in NUCLEUS TCP Stack.",
"tracking": {
"aliases": [
"VDE-2021-050"
],
"current_release_date": "2021-11-16T11:02:00.000Z",
"generator": {
"date": "2025-06-16T07:25:47.768Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.27"
}
},
"id": "VDE-2021-050",
"initial_release_date": "2021-11-16T11:02:00.000Z",
"revision_history": [
{
"date": "2021-11-16T11:02:00.000Z",
"number": "1.0.0",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "750-331",
"product": {
"name": "750-331",
"product_id": "CSAFPID-11001"
}
},
{
"category": "product_name",
"name": "750-332",
"product": {
"name": "750-332",
"product_id": "CSAFPID-11002"
}
},
{
"category": "product_name",
"name": "750-352/xxx-xxx",
"product": {
"name": "750-352/xxx-xxx",
"product_id": "CSAFPID-11003"
}
},
{
"category": "product_name",
"name": "750-362/xxx-xxx",
"product": {
"name": "750-362/xxx-xxx",
"product_id": "CSAFPID-11004"
}
},
{
"category": "product_name",
"name": "750-363/xxx-xxx",
"product": {
"name": "750-363/xxx-xxx",
"product_id": "CSAFPID-11005"
}
},
{
"category": "product_name",
"name": "750-364/xxx-xxx",
"product": {
"name": "750-364/xxx-xxx",
"product_id": "CSAFPID-11006"
}
},
{
"category": "product_name",
"name": "750-365/xxx-xxx",
"product": {
"name": "750-365/xxx-xxx",
"product_id": "CSAFPID-11007"
}
},
{
"category": "product_name",
"name": "750-823",
"product": {
"name": "750-823",
"product_id": "CSAFPID-11008"
}
},
{
"category": "product_name",
"name": "750-829",
"product": {
"name": "750-829",
"product_id": "CSAFPID-11009"
}
},
{
"category": "product_name",
"name": "750-831/000-00x",
"product": {
"name": "750-831/000-00x",
"product_id": "CSAFPID-11010"
}
},
{
"category": "product_name",
"name": "750-832/000-00x",
"product": {
"name": "750-832/000-00x",
"product_id": "CSAFPID-11011"
}
},
{
"category": "product_name",
"name": "750-852",
"product": {
"name": "750-852",
"product_id": "CSAFPID-11012"
}
},
{
"category": "product_name",
"name": "750-862",
"product": {
"name": "750-862",
"product_id": "CSAFPID-11013"
}
},
{
"category": "product_name",
"name": "750-880/0xx-xxx",
"product": {
"name": "750-880/0xx-xxx",
"product_id": "CSAFPID-11014"
}
},
{
"category": "product_name",
"name": "750-881",
"product": {
"name": "750-881",
"product_id": "CSAFPID-11015"
}
},
{
"category": "product_name",
"name": "750-882",
"product": {
"name": "750-882",
"product_id": "CSAFPID-11016"
}
},
{
"category": "product_name",
"name": "750-885/0xx-xxx",
"product": {
"name": "750-885/0xx-xxx",
"product_id": "CSAFPID-11017"
}
},
{
"category": "product_name",
"name": "750-889",
"product": {
"name": "750-889",
"product_id": "CSAFPID-11018"
}
},
{
"category": "product_name",
"name": "750-890/0xx-xxx",
"product": {
"name": "750-890/0xx-xxx",
"product_id": "CSAFPID-11019"
}
},
{
"category": "product_name",
"name": "750-891",
"product": {
"name": "750-891",
"product_id": "CSAFPID-11020"
}
},
{
"category": "product_name",
"name": "750-893",
"product": {
"name": "750-893",
"product_id": "CSAFPID-11021"
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=FW16",
"product": {
"name": "Firmware \u003c=FW16",
"product_id": "CSAFPID-21001"
}
},
{
"category": "product_version_range",
"name": "\u003c=FW09",
"product": {
"name": "Firmware \u003c=FW09",
"product_id": "CSAFPID-21002"
}
},
{
"category": "product_version_range",
"name": "\u003c=FW14",
"product": {
"name": "Firmware \u003c=FW14",
"product_id": "CSAFPID-21003"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "WAGO"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
],
"summary": "Affected products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-331",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-332",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-352/xxx-xxx",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-362/xxx-xxx",
"product_id": "CSAFPID-31004"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11004"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-363/xxx-xxx",
"product_id": "CSAFPID-31005"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11005"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-364/xxx-xxx",
"product_id": "CSAFPID-31006"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11006"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-365/xxx-xxx",
"product_id": "CSAFPID-31007"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11007"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-823",
"product_id": "CSAFPID-31008"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11008"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-829",
"product_id": "CSAFPID-31009"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11009"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW14 installed on 750-831/000-00x",
"product_id": "CSAFPID-31010"
},
"product_reference": "CSAFPID-21003",
"relates_to_product_reference": "CSAFPID-11010"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-832/000-00x",
"product_id": "CSAFPID-31011"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11011"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-852",
"product_id": "CSAFPID-31012"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11012"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-862",
"product_id": "CSAFPID-31013"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11013"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-880/0xx-xxx",
"product_id": "CSAFPID-31014"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11014"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-881",
"product_id": "CSAFPID-31015"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11015"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-882",
"product_id": "CSAFPID-31016"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11016"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-885/0xx-xxx",
"product_id": "CSAFPID-31017"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11017"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW16 installed on 750-889",
"product_id": "CSAFPID-31018"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11018"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-890/0xx-xxx",
"product_id": "CSAFPID-31019"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11019"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-891",
"product_id": "CSAFPID-31020"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11020"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware \u003c=FW09 installed on 750-893",
"product_id": "CSAFPID-31021"
},
"product_reference": "CSAFPID-21002",
"relates_to_product_reference": "CSAFPID-11021"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-31344",
"cwe": {
"id": "CWE-843",
"name": "Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions \u003c V0.5.0.0), SIMOTICS CONNECT 400 (All versions \u003c V1.0.0.0). ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network. (FSMD-2021-0004)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalScore": 5.3,
"environmentalSeverity": "MEDIUM",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 5.3,
"temporalSeverity": "MEDIUM",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31344"
},
{
"cve": "CVE-2021-31345",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303), PLUSCONTROL 1st Gen (All versions). The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on a user-defined applications that runs on top of the UDP protocol. (FSMD-2021-0006)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31345"
},
{
"cve": "CVE-2021-31346",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions \u003c V0.5.0.0), SIMOTICS CONNECT 400 (All versions \u003c V1.0.0.0). The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0007)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31346"
},
{
"cve": "CVE-2021-31881",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303). When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0008)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31881"
},
{
"cve": "CVE-2021-31882",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303). The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to Denial-of-Service conditions. (FSMD-2021-0011)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31882"
},
{
"cve": "CVE-2021-31883",
"cwe": {
"id": "CWE-119",
"name": "Improper Restriction of Operations within the Bounds of a Memory Buffer"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303). When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to Denial-of-Service conditions. (FSMD-2021-0013)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalScore": 7.5,
"environmentalSeverity": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31883"
},
{
"cve": "CVE-2021-31884",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions \u003c V2.8.19), APOGEE PXC Modular (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions \u003c V2.8.19), Capital VSTAR (All versions with enabled Ethernet options), Desigo PXC00-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC00-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC001-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC100-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC12-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC128-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC200-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC36.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC50-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC64-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXM20-E (All versions \u003e= V2.3 and \u003c V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions \u003c V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions \u003c V3.5.4), TALON TC Modular (BACnet) (All versions \u003c V3.5.4). The DHCP client application assumes that the data supplied with the \u201cHostname\u201d DHCP option is NULL terminated. In cases when global hostname variable is not defined, this may lead to Out-of-bound reads, writes, and Denial-of-service conditions. (FSMD-2021-0014)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31884"
},
{
"cve": "CVE-2021-31886",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions \u003c V2.8.19), APOGEE PXC Modular (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions \u003c V2.8.19), Desigo PXC00-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC00-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC001-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC100-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC12-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC128-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC200-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC36.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC50-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC64-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXM20-E (All versions \u003e= V2.3 and \u003c V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions \u003c V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions \u003c V3.5.4), TALON TC Modular (BACnet) (All versions \u003c V3.5.4). FTP server does not properly validate the length of the \u201cUSER\u201d command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0010)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.8,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31886"
},
{
"cve": "CVE-2021-31887",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions \u003c V2.8.19), APOGEE PXC Modular (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions \u003c V2.8.19), Desigo PXC00-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC00-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC001-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC100-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC12-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC128-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC200-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC36.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC50-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC64-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXM20-E (All versions \u003e= V2.3 and \u003c V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions \u003c V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions \u003c V3.5.4), TALON TC Modular (BACnet) (All versions \u003c V3.5.4). FTP server does not properly validate the length of the \u201cPWD/XPWD\u201d command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0016)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31887"
},
{
"cve": "CVE-2021-31888",
"cwe": {
"id": "CWE-170",
"name": "Improper Null Termination"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Compact (P2 Ethernet) (All versions \u003c V2.8.19), APOGEE PXC Modular (BACnet) (All versions \u003c V3.5.4), APOGEE PXC Modular (P2 Ethernet) (All versions \u003c V2.8.19), Desigo PXC00-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC00-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC001-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC100-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC12-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC128-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC200-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC22.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC36.1-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC50-E.D (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXC64-U (All versions \u003e= V2.3 and \u003c V6.30.016), Desigo PXM20-E (All versions \u003e= V2.3 and \u003c V6.30.016), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions \u003c V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions \u003c V3.5.4), TALON TC Modular (BACnet) (All versions \u003c V3.5.4). FTP server does not properly validate the length of the \u201cMKD/XMKD\u201d command, leading to stack-based buffer overflows. This may result in Denial-of-Service conditions and Remote Code Execution. (FSMD-2021-0018)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 8.8,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"temporalSeverity": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31888"
},
{
"cve": "CVE-2021-31889",
"cwe": {
"id": "CWE-191",
"name": "Integer Underflow (Wrap or Wraparound)"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions \u003c V0.5.0.0). Malformed TCP packets with a corrupted SACK option leads to Information Leaks and Denial-of-Service conditions. (FSMD-2021-0015)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31889"
},
{
"cve": "CVE-2021-31890",
"cwe": {
"id": "CWE-240",
"name": "Improper Handling of Inconsistent Structural Elements"
},
"notes": [
{
"category": "description",
"text": "A vulnerability has been identified in Capital Embedded AR Classic 431-422 (All versions), Capital Embedded AR Classic R20-11 (All versions \u003c V2303), PLUSCONTROL 1st Gen (All versions), SIMOTICS CONNECT 400 (All versions \u003c V0.5.0.0), SIMOTICS CONNECT 400 (All versions \u003c V1.0.0.0). The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the network buffer organization in memory. (FSMD-2021-0017)",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
},
"remediations": [
{
"category": "mitigation",
"details": "1. Use general security best practices to protect systems from local and network attacks.\n2. Do not allow direct access to the device from untrusted networks.\n3. Update to the latest firmware according to the table in chapter solutions.\n4. Disable the DHCP, DNS and the FTP port 21.\n5. Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy. The BSI provides general information on securing ICS in the ICS Compendium [BSI2013] and on the official BSI website [BSI2021].\n\nFor fieldbus coupler:\n\n- 750-331\n- 750-352/xxx-xxx\n\nFor PLCs:\n\n- 750-829\n- 750-831/xxx-xxx\n- 750-852\n- 750-880/xxx-xxx\n- 750-881\n- 750-889\n\nThe listed fieldbus coupler and PLCs above are based on Nucleus V1 RTOS. At the moment there are no updates for this version available. Due to this reason WAGO recommends according to the recommendations of the BSI to implement the following measures:\n\n1. Enforce segmentation controls and proper network hygiene to reduce the risk of vulnerable devices. Restrict external communication paths and isolate vulnerable devices in zones as a mitigating measure.\n2. Ensure DHCP responses from non-authorized servers are blocked or discarded.\n3. Monitor network traffic for anomalies and discard invalid packets.\n4. Disable or block FTP, DHCP, DNS especially on critical network segments\n5. Please check regularly https://certvde.com/de/ for an update of this Advisory.",
"group_ids": [
"CSAFGID-0001"
]
},
{
"category": "vendor_fix",
"details": "For fieldbus coupler:\n\n- 750-332\n- 750-362/xxx-xxx\n- 750-363/xxx-xxx\n- 750-364/xxx-xxx\n- 750-365/xxx-xxx\n\nFor PLCs:\n\n- 750-823\n- 750-832/xxx-xxx\n- 750-862\n- 750-890/xxx-xxx\n- 750-891\n- 750-893\n\nWe recommend all effected users to update to the firmware version listed below:\n\n| Article Number | Fixed in Firmware Version | Availability |\n|----------------------|----------------------------|---------------------------|\n| 750-823 | \u003e=FW10 | January 2022 |\n| 750-832/000-00x | \u003e=FW10 | After BACnet certification|\n| 750-862 | \u003e=FW10 | January 2022 |\n| 750-890/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-891 | \u003e=FW10 | January 2022 |\n| 750-893 | \u003e=FW10 | January 2022 |\n| 750-332 | \u003e=FW10 | After BACnet certification|\n| 750-362/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-363/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-364/xxx-xxx | \u003e=FW10 | January 2022 |\n| 750-365/xxx-xxx | \u003e=FW10 | January 2022 |\n\n",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalScore": 9.1,
"environmentalSeverity": "CRITICAL",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.1,
"temporalSeverity": "CRITICAL",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003",
"CSAFPID-31004",
"CSAFPID-31005",
"CSAFPID-31006",
"CSAFPID-31007",
"CSAFPID-31008",
"CSAFPID-31009",
"CSAFPID-31010",
"CSAFPID-31011",
"CSAFPID-31012",
"CSAFPID-31013",
"CSAFPID-31014",
"CSAFPID-31015",
"CSAFPID-31016",
"CSAFPID-31017",
"CSAFPID-31018",
"CSAFPID-31019",
"CSAFPID-31020",
"CSAFPID-31021"
]
}
],
"title": "CVE-2021-31890"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…