CVE-2021-31884

9.8 CRITICAL

📋 TL;DR

This vulnerability affects Siemens building automation controllers and related products. It allows attackers to exploit a DHCP client flaw where the hostname option isn't properly null-terminated, potentially leading to out-of-bounds memory operations. This can result in denial-of-service, information disclosure, or remote code execution on affected systems.
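How the flaw class described above arises, and how a DHCP client avoids it, as an added illustration written for this page: it is not Nucleus NET code and does not reproduce the affected implementation. The point it shows is that the Host Name option (option 12) is a length-delimited byte string with no terminator of its own, so a client must bound the copy by the option length and the destination size and write the NUL itself, rather than trusting strlen() on packet bytes. The sample option fields are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP_OPT_PAD      0
#define DHCP_OPT_HOSTNAME 12   /* RFC 2132 Host Name option */
#define DHCP_OPT_END      255

/* Walk the DHCP options field (TLV layout) and copy option 12 into out[] as a
 * NUL-terminated string. The option payload is length-delimited and carries no
 * terminator of its own, so the copy is bounded by the option length and the
 * destination size, never by strlen() on packet bytes. Returns the hostname
 * length, 0 if absent, -1 if the options are malformed or the name won't fit. */
int dhcp_copy_hostname(const uint8_t *opts, size_t opts_len,
                       char *out, size_t out_len)
{
    if (out_len == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < opts_len; ) {
        uint8_t code = opts[i++];
        if (code == DHCP_OPT_PAD) continue;
        if (code == DHCP_OPT_END) return 0;
        if (i >= opts_len) return -1;             /* length byte missing */
        uint8_t len = opts[i++];
        if (len > opts_len - i) return -1;        /* payload overruns packet */
        if (code == DHCP_OPT_HOSTNAME) {
            if (len >= out_len) return -1;        /* no room for name + NUL */
            memcpy(out, &opts[i], len);
            out[len] = '\0';                      /* terminator supplied here */
            return (int)len;
        }
        i += len;
    }
    return -1;                                    /* END option never seen */
}

/* Constructed sample option fields for demonstration (not captured traffic). */
const uint8_t SAMPLE_NONUL[] = { 12, 3, 'p', 'x', 'c', 1, 4, 255, 255, 255, 0, 255 };
const uint8_t SAMPLE_TRUNC[] = { 12, 10, 'a', 'b', 255 };
const uint8_t SAMPLE_NOEND[] = { 53, 1, 5, 0, 0 };

int main(void)
{
    char name[16];
    int n = dhcp_copy_hostname(SAMPLE_NONUL, sizeof SAMPLE_NONUL, name, sizeof name);
    printf("hostname (%d bytes): %s\n", n, name);
    n = dhcp_copy_hostname(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, name, sizeof name);
    printf("truncated option -> %d\n", n);
    return 0;
}
```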

💻 Affected Systems

Products:
  • APOGEE MBC (PPC)
  • APOGEE MEC (PPC)
  • APOGEE PXC Compact
  • APOGEE PXC Modular
  • Capital VSTAR
  • Desigo PXC00-E.D
  • Desigo PXC00-U
  • Desigo PXC001-E.D
  • Desigo PXC100-E.D
  • Desigo PXC12-E.D
  • Desigo PXC128-U
  • Desigo PXC200-E.D
  • Desigo PXC22-E.D
  • Desigo PXC22.1-E.D
  • Desigo PXC36.1-E.D
  • Desigo PXC50-E.D
  • Desigo PXC64-U
  • Desigo PXM20-E
  • Nucleus NET
  • Nucleus ReadyStart V3
  • Nucleus Source Code
  • TALON TC Compact
  • TALON TC Modular
Versions: All versions for some products, specific version ranges for others (e.g., APOGEE PXC Compact < V3.5.4 for BACnet, < V2.8.19 for P2 Ethernet; Desigo products >= V2.3 and < V6.30.016)
Operating Systems: Embedded systems running Siemens building automation software
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both BACnet and P2 Ethernet variants. Requires DHCP client functionality to be enabled and receiving malicious DHCP responses.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, allowing attackers to manipulate building automation systems, disrupt operations, or pivot to other network segments.

🟠 Likely Case

Denial-of-service conditions causing building automation controllers to crash or become unresponsive, disrupting HVAC, lighting, or other building management functions.

🟢 If Mitigated

Limited impact if systems are isolated from untrusted networks and DHCP is controlled, though risk remains from internal threats.

🌐 Internet-Facing: HIGH - Many building automation systems are exposed to networks with DHCP services, and CVSS 9.8 indicates critical remote exploitability.
🏢 Internal Only: HIGH - Internal DHCP servers can still trigger the vulnerability, and building automation networks often have limited security controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to send malicious DHCP responses. No authentication needed as DHCP is typically unauthenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V3.5.4 for APOGEE PXC Compact/Modular (BACnet), V2.8.19 for APOGEE PXC Compact/Modular (P2 Ethernet), V6.30.016 for Desigo products, V2017.02.4 for Nucleus ReadyStart V3

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf

Restart Required: Yes

Instructions:

1. Identify affected products and versions.
2. Download appropriate firmware updates from Siemens Industrial Security.
3. Apply updates following Siemens' building automation update procedures.
4. Restart affected controllers.
5. Verify successful update and functionality.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate building automation systems from untrusted networks and implement strict network controls.

DHCP Server Hardening (applies to: all)

Configure trusted DHCP servers to only provide valid, properly formatted hostname options.

🧯 If You Can't Patch

  • Segment building automation networks completely from corporate/IT networks
  • Implement strict firewall rules blocking unnecessary traffic to/from affected controllers
  • Monitor for unusual DHCP traffic or controller crashes

🔍 How to Verify

Check if Vulnerable:

Check controller firmware versions against affected version lists. Review Siemens security advisories SSA-044112, SSA-114589, SSA-620288 for specific product mappings.

Check Version:

Product-specific commands vary. Typically accessed through Siemens building automation management software or controller web interfaces.

Verify Fix Applied:

Verify firmware version is at or above patched versions: V3.5.4, V2.8.19, V6.30.016, or V2017.02.4 depending on product.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected controller restarts or crashes
  • DHCP request/response anomalies in network logs
  • Memory error messages in controller logs

Network Indicators:

  • Unusual DHCP traffic to building automation controllers
  • Malformed DHCP packets with manipulated hostname options

SIEM Query:

Search for (pseudo-query; `normal` stands for your baseline hostname length): (event_category:dhcp AND (hostname_length > normal OR malformed_dhcp)) OR (device_type:building_automation AND (crash OR restart))
