CVE-2021-31886

9.8 CRITICAL

📋 TL;DR

The FTP server in Siemens' Nucleus NET embedded TCP/IP stack (one of the NUCLEUS:13 flaws reported by Forescout) does not validate the length of the argument to the FTP USER command. A client that sends an over-long USER line overflows a fixed-size stack buffer. Because USER is the first command of an FTP session, sent before any password check, no credentials are needed: one TCP connection to the control port is enough. The result is a crash (denial-of-service) or, with a crafted overflow, remote code execution on the controller. Affected products are the Siemens APOGEE, Desigo and TALON building automation controllers built on Nucleus, and Nucleus NET / Nucleus ReadyStart itself.

💻 Affected Systems

Products:
  • APOGEE MBC (PPC)
  • APOGEE MEC (PPC)
  • APOGEE PXC Compact
  • APOGEE PXC Modular
  • Desigo PXC00-E.D
  • Desigo PXC00-U
  • Desigo PXC001-E.D
  • Desigo PXC100-E.D
  • Desigo PXC12-E.D
  • Desigo PXC128-U
  • Desigo PXC200-E.D
  • Desigo PXC22-E.D
  • Desigo PXC22.1-E.D
  • Desigo PXC36.1-E.D
  • Desigo PXC50-E.D
  • Desigo PXC64-U
  • Desigo PXM20-E
  • Nucleus NET
  • Nucleus ReadyStart V3
  • Nucleus Source Code
  • TALON TC Compact
  • TALON TC Modular
Versions: APOGEE MBC (PPC) and APOGEE MEC (PPC) (P2 Ethernet): all versions. APOGEE PXC Compact and PXC Modular, TALON TC Compact and TC Modular: all versions before V3.5.4 (BACnet) and before V2.8.19 (P2 Ethernet). Desigo PXC/PXM models listed above: V2.3 and later, before V6.30.016. Nucleus NET: all versions. Nucleus ReadyStart V3: all versions before V2017.02.4. Nucleus Source Code: versions that include the affected FTP server.
Operating Systems: Nucleus RTOS with the Nucleus NET networking stack, as embedded in the controllers listed above
Default Config Vulnerable: ⚠️ Yes
Notes: The bug is in the FTP server component of Nucleus NET and therefore spans every Siemens product line built on it. A device is exposed whenever its FTP service is enabled and reachable on TCP/21; nothing else about the configuration matters.

📦 What is this software?

Nucleus is Siemens' (formerly Mentor Graphics') real-time operating system for embedded devices; Nucleus NET is its TCP/IP networking stack, which ships with network services including an FTP server used for firmware and file transfer. Siemens' APOGEE, Desigo (PXC controllers and PXM operator panels) and TALON families are building automation controllers that run this stack and drive HVAC, lighting and related plant over BACnet or the legacy P2 Ethernet protocol.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with full system compromise, allowing attackers to take control of building automation systems and potentially manipulate physical building controls.

🟠

Likely Case

Denial-of-service causing building management system disruption, potentially affecting HVAC, lighting, and other building automation functions.

🟢

If Mitigated

Limited impact if systems are isolated behind firewalls with strict network segmentation and FTP access is disabled.

🌐 Internet-Facing: HIGH - FTP servers exposed to the internet can be directly exploited without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a TCP connection to the FTP control port and a single USER command whose argument is longer than the server's stack buffer. USER is sent before any password check, so no credentials are required; a crash needs no knowledge of the target beyond its address, while code execution additionally needs the attacker to control what overwrites the stack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: APOGEE PXC Compact and PXC Modular: V3.5.4 (BACnet), V2.8.19 (P2 Ethernet); TALON TC Compact and TC Modular: V3.5.4 (BACnet); Desigo PXC/PXM products: V6.30.016; Nucleus ReadyStart V3: V2017.02.4. No fixed version is listed here for APOGEE MBC (PPC), APOGEE MEC (PPC), Nucleus NET or Nucleus Source Code; for those, apply the workarounds below and consult the Siemens advisory.

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf

Restart Required: Yes

Instructions:

1. Identify affected Siemens products and the firmware version each is running.
2. Download the appropriate firmware update from the Siemens support portal.
3. Apply the update following the Siemens documentation for that controller.
4. Restart the affected devices.
5. Verify that the running firmware version is now at or above the fixed version.

🔧 Temporary Workarounds

Disable FTP Service

Applies to: all affected products

Disable FTP server functionality on affected devices if not required for operations.

Configuration varies by device - consult Siemens documentation for disabling FTP services

Network Segmentation

Applies to: all affected products

Isolate building automation systems from untrusted networks using firewalls.

Configure firewall rules to block inbound TCP/21 (the FTP control port) to the controllers from every source except the engineering workstations that legitimately need it. FTP data connections (active-mode port 20, passive-mode ephemeral ports) are only set up after a control session exists, so blocking the control port is sufficient to keep the USER command from reaching the device.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems from untrusted networks
  • Disable FTP services entirely and use alternative secure file transfer methods

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version against the affected version ranges above; that is the safe check. Sending a long USER command to the FTP service and watching whether the session survives also works, but on an unpatched controller the long USER command is the crash condition itself, so do that only against spare or lab units, never against a controller that is running a building.

Check Version:

Device-specific commands vary - consult Siemens documentation for version checking on specific controllers

Verify Fix Applied:

Verify that the running firmware version has been updated to the fixed version. Then confirm that the FTP server rejects an over-long USER argument with an FTP error reply and keeps the session open, rather than dropping the connection or becoming unresponsive.
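The active check described above, as an added example (not Siemens or Nucleus code): a small Python probe that connects to an FTP control port, sends a USER command of a chosen length and reports whether the server rejected it with an error reply, accepted it, dropped the connection or went silent. The mock server in the same file is constructed for this page to stand in for a patched server that validates its input (bounded line read, 501 on over-long input); its 64-byte username and 128-byte line limits and its reply texts are assumptions, and real Nucleus replies may differ. The caution bears repeating: against an unpatched controller a long USER argument is the crash trigger, so run the probe only against spare or lab devices, or after patching, and start with small lengths.

```python
"""Active check: does an FTP server survive an over-long USER command?

Added example for this advisory page, not Siemens/Nucleus code. The mock
server below is a constructed stand-in for a *patched* server.
"""
import socket
import socketserver
import threading
from typing import Optional

CRLF = b"\r\n"
USER_MAX = 64    # assumed username bound enforced by the mock server
LINE_MAX = 128   # assumed bound on one command line in the mock server


def _read_reply(sock: socket.socket, timeout: float) -> Optional[bytes]:
    """Read one CRLF-terminated reply line. None means the peer closed."""
    sock.settimeout(timeout)
    buf = b""
    while not buf.endswith(CRLF):
        chunk = sock.recv(1024)
        if not chunk:
            return None
        buf += chunk
    return buf


def probe_user_length(host: str, port: int, length: int, timeout: float = 5.0) -> dict:
    """Send 'USER ' + 'A' * length and classify the server's behaviour.

    outcome: "rejected" (4xx/5xx reply: input validated, session alive),
             "accepted" (2xx/3xx reply), "dropped" (closed/reset, the
             symptom an unpatched server shows), "timeout", "unexpected".
    CAUTION: on an unpatched controller an over-long USER is itself the
    crash trigger; probe only lab/spare units or already patched devices.
    """
    result = {"length": length, "banner": None, "reply": None, "outcome": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = _read_reply(s, timeout)
            if banner is None:
                result["outcome"] = "dropped"
                return result
            result["banner"] = banner.decode(errors="replace").strip()
            s.sendall(b"USER " + b"A" * length + CRLF)
            reply = _read_reply(s, timeout)
            if reply is None:
                result["outcome"] = "dropped"
                return result
            text = reply.decode(errors="replace").strip()
            result["reply"] = text
            code = text[:3]
            if not code.isdigit():
                result["outcome"] = "unexpected"
            elif code[0] in "45":
                result["outcome"] = "rejected"
            else:
                result["outcome"] = "accepted"
    except socket.timeout:
        result["outcome"] = "timeout"
    except (ConnectionResetError, BrokenPipeError, ConnectionAbortedError):
        result["outcome"] = "dropped"
    return result


class _MockFtpHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a server that validates USER length."""

    def handle(self):
        self.wfile.write(b"220 mock ftp ready" + CRLF)
        while True:
            line = self.rfile.readline(LINE_MAX)  # bounded read, never an unbounded buffer
            if not line:
                return                            # client closed the session
            if not line.endswith(CRLF):
                # Over-long line: discard the rest of it, then reject it.
                while True:
                    rest = self.rfile.readline(LINE_MAX)
                    if not rest or rest.endswith(CRLF):
                        break
                self.wfile.write(b"501 Line too long" + CRLF)
                continue
            verb, _, arg = line[:-2].partition(b" ")
            verb = verb.upper()
            if verb == b"QUIT":
                self.wfile.write(b"221 Goodbye" + CRLF)
                return
            if verb != b"USER":
                self.wfile.write(b"530 Please login with USER" + CRLF)
            elif len(arg) > USER_MAX:
                self.wfile.write(b"501 USER argument too long" + CRLF)
            else:
                self.wfile.write(b"331 Password required" + CRLF)


def start_mock_server():
    """Start the mock server on a free loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _MockFtpHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # python probe.py <host> [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    else:                                      # no target given: demo against the mock
        _, port = start_mock_server()
        host = "127.0.0.1"
    for n in (16, 100, 512):                   # small first; see CAUTION above
        print(probe_user_length(host, port, n))
```

Run with no arguments to see the three outcomes against the mock (16 bytes accepted, 100 and 512 rejected with 501). The interesting result on a real device is "dropped" or "timeout" after a long USER: a server that validates its input answers with an error and stays up, one that does not falls over. Note the mock never reads an unbounded line; that bounded read plus draining the excess is the shape of the fix at the server side.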

📡 Detection & Monitoring

Log Indicators:

  • FTP server crashes
  • Unusually long USER commands in FTP logs
  • Multiple failed FTP connection attempts

Network Indicators:

  • Excessive FTP traffic to building automation controllers
  • FTP connections with abnormally long commands

SIEM Query:

source="ftp_logs" AND ((command="USER" AND length>100) OR (event="crash" AND service="ftp"))

Field names above are placeholders for whatever your sensor emits; the parentheses matter, since without them the OR would match every FTP crash event regardless of source. Most of these controllers keep no local FTP log, so the usable data comes from the network (a Zeek ftp.log, where the user field length can be tested directly, or a packet capture of TCP/21), not from the device.
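The detection logic sketched by the SIEM query, as an added example that is not from the page or from Siemens: Python that scans client-to-server FTP control-channel lines exported from a network sensor, flags USER commands whose argument exceeds a length bound, contains non-printable bytes or arrives without a CRLF terminator, and counts alerts per source address. The record layout (source IP, raw line), the sample traffic and the 64-byte bound are constructed for this example.

```python
"""Passive detection of over-long FTP USER commands on the control channel.

Added example for this advisory page, not from Siemens or any SIEM vendor.
Feed it client->server control-channel lines captured on the network
(Zeek, tcpdump -A, a span port); the controllers themselves rarely log FTP.
"""
import re
from collections import Counter
from typing import Iterable, List, Tuple

USER_MAX_LEN = 64                               # assumed sane username bound; tune per site
PRINTABLE = re.compile(rb"^[\x20-\x7e]*$")      # plain ASCII, no control bytes


def parse_ftp_command(raw: bytes) -> Tuple[bytes, bytes, bool]:
    """Split one control-channel line into (VERB, argument, crlf_terminated)."""
    terminated = raw.endswith(b"\r\n")
    body = raw[:-2] if terminated else raw.rstrip(b"\r\n")
    verb, _, arg = body.partition(b" ")
    return verb.upper(), arg, terminated


def scan_ftp_commands(records: Iterable[Tuple[str, bytes]],
                      max_user_len: int = USER_MAX_LEN) -> List[dict]:
    """records: (source_ip, raw_line) pairs. Returns one alert dict per finding."""
    alerts = []
    for n, (src, raw) in enumerate(records, 1):
        verb, arg, terminated = parse_ftp_command(raw)
        if verb != b"USER":
            continue                                # this CVE is specific to USER
        reasons = []
        if len(arg) > max_user_len:
            reasons.append(f"USER argument {len(arg)} bytes exceeds {max_user_len}")
        if not PRINTABLE.match(arg):
            reasons.append("non-printable bytes in USER argument")
        if not terminated:
            reasons.append("no CRLF terminator (oversized or truncated line)")
        for reason in reasons:
            alerts.append({"record": n, "src": src, "len": len(arg), "reason": reason})
    return alerts


def top_sources(alerts: List[dict]) -> List[Tuple[str, int]]:
    """Alert count per source, most active first (who is hammering port 21)."""
    return Counter(a["src"] for a in alerts).most_common()


# Constructed sample traffic: one benign login and one hostile client.
SAMPLE_RECORDS = [
    ("10.0.5.20", b"USER operator\r\n"),
    ("10.0.5.20", b"PASS hunter2\r\n"),
    ("10.0.5.20", b"QUIT\r\n"),
    ("192.0.2.77", b"USER " + b"A" * 300 + b"\r\n"),       # classic long-argument probe
    ("192.0.2.77", b"USER " + b"\x90" * 40 + b"\r\n"),     # short but binary payload
    ("192.0.2.77", b"USER " + b"B" * 2000),                # never terminated
]


if __name__ == "__main__":
    for alert in scan_ftp_commands(SAMPLE_RECORDS):
        print(alert)
    print(top_sources(scan_ftp_commands(SAMPLE_RECORDS)))
```

On the sample the benign session produces nothing and the hostile client produces four alerts (length, non-printable bytes, and two for the unterminated line). The non-printable check is worth keeping even under the length bound: a short USER argument full of binary is not a username, and catching it costs nothing.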

🔗 References

  • Siemens ProductCERT advisory SSA-044112: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf
  • NVD entry for CVE-2021-31886: https://nvd.nist.gov/vuln/detail/CVE-2021-31886
