Flaws in Siemens Building Automation Controllers open to hack. Fix them asap

Siemens has released a firmware update that addresses two vulnerabilities in its BACnet Field Panel building automation controllers.

This week Siemens has released a firmware update for its BACnet Field Panel building automation products that solved two vulnerabilities, one of which is classified as high severity.

The vulnerabilities affect APOGEE PXC and TALON TC BACnet automation controllers running a version of the firmware prior to 3.5. Both families of affected devices are widely used in commercial facilities to control a  heating, ventilation and air conditioning (HVAC) equipment.

BACnet Field Panel building automation controllers

This flaw, tracked as CVE-2017-9946, is classified as high severity and obtained a CVSS score of 7.5.

According to the security advisory published by the US-CERT, an unauthenticated with access to the integrated webserver attacker can trigger the flaws to download sensitive information.

“Successful exploitation of these vulnerabilities could allow unauthenticated attackers with access to the integrated webserver to download sensitive information.” states the US-CERT.

The BACnet Field Panel allows facility operators to easily configure, monitor and control the automation controllers. The attackers can bypass the authentication mechanism to download sensitive information from a device.

The company downplayed the flaw because the attacker requires network access to the web server.

A second security vulnerability tracked as CVE-2017-9947 is a directory traversal issue that could be exploited by an attacker to obtain information on the structure of the file system on vulnerable devices. It is requested the network access to the web server for the exploitation also of this vulnerability.

Below the information provided by Siemens:

“Vulnerability 1 (CVE-2017-9946) –  An attacker with network access to the integrated web server (80/tcp and 443/tcp) could bypass the authentication and download sensitive information from the device.
CVSS Base Score 7.5 
CVSS Vector CVSS:3.0″

and
“Vulnerability 2 (CVE-2017-9947) – A directory traversal vulnerability could allow a remote attacker with network access to the integrated web server (80/tcp and 443/tcp) to obtain information on the structure of the file system of the affected devices.
CVSS Base Score 5.3
CVSS Vector CVSS:3.0″

Siemens addressed both vulnerabilities with the release of firmware version 3.5 for BACnet Field Panel Advanced modules.

Source:http://securityaffairs.co/wordpress/64330/hacking/siemens-building-automation-controllers-flaws.html