CVE-2021-31888
📋 TL;DR
This vulnerability affects Siemens building automation controllers and related products. It allows attackers to exploit a buffer overflow in the FTP server via specially crafted MKD/XMKD commands, potentially leading to remote code execution or denial of service. All listed Siemens APOGEE, Desigo, Nucleus, and TALON products with vulnerable FTP configurations are affected.
💻 Affected Systems
- APOGEE MBC (PPC) (BACnet)
- APOGEE MBC (PPC) (P2 Ethernet)
- APOGEE MEC (PPC) (BACnet)
- APOGEE MEC (PPC) (P2 Ethernet)
- APOGEE PXC Compact (BACnet)
- APOGEE PXC Compact (P2 Ethernet)
- APOGEE PXC Modular (BACnet)
- APOGEE PXC Modular (P2 Ethernet)
- Desigo PXC00-E.D
- Desigo PXC00-U
- Desigo PXC001-E.D
- Desigo PXC100-E.D
- Desigo PXC12-E.D
- Desigo PXC128-U
- Desigo PXC200-E.D
- Desigo PXC22-E.D
- Desigo PXC22.1-E.D
- Desigo PXC36.1-E.D
- Desigo PXC50-E.D
- Desigo PXC64-U
- Desigo PXM20-E
- Nucleus NET
- Nucleus ReadyStart V3
- Nucleus Source Code
- TALON TC Compact (BACnet)
- TALON TC Modular (BACnet)
📦 What is this software?
Apogee Modular Building Controller Firmware by Siemens
Apogee Modular Equipment Controller Firmware by Siemens
Nucleus Net by Siemens
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker gains full system control via remote code execution, potentially compromising building automation systems and adjacent networks.
Likely Case
Denial of service causing building automation system disruption, with potential for limited remote code execution in specific configurations.
If Mitigated
Minimal impact if FTP service is disabled or network access is restricted; systems remain functional with proper segmentation.
🎯 Exploit Status
Exploitation requires network access to FTP port (typically 21). No authentication needed for the vulnerable command.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: APOGEE PXC Compact/MODULAR: V3.5.4 (BACnet) or V2.8.19 (P2 Ethernet); Desigo PXC: V6.30.016; Nucleus ReadyStart: V2017.02.4
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-044112.pdf
Restart Required: Yes
Instructions:
1. Identify the affected product and version.
2. Download the appropriate firmware update from the Siemens support portal.
3. Apply the update following the vendor documentation.
4. Restart the device.
5. Verify that the update was applied successfully.
🔧 Temporary Workarounds
Disable FTP Service
Disable the FTP server if it is not required for operations.
Consult Siemens documentation for disabling FTP service on specific device models
Network Segmentation
Restrict network access to FTP ports using firewalls. Example rules for a Linux firewall host (INPUT chain; use the FORWARD chain on a gateway in front of the controllers) and for a Windows host:
iptables -A INPUT -p tcp --dport 21 -j DROP
netsh advfirewall firewall add rule name="Block FTP" dir=in action=block protocol=TCP localport=21
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected devices from untrusted networks
- Deploy intrusion detection systems to monitor for FTP exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check device firmware version against vulnerable ranges in Siemens advisories. Test FTP service response to MKD commands.
Check Version:
Consult Siemens device documentation for version checking commands (varies by product)
Verify Fix Applied:
Confirm firmware version is updated to patched versions listed in vendor advisory. Verify FTP service behavior with test commands.
📡 Detection & Monitoring
Log Indicators:
- Unusual FTP connection attempts
- Multiple failed MKD/XMKD commands
- FTP service crashes or restarts
Network Indicators:
- Unusual traffic to FTP port 21 from unexpected sources
- Malformed FTP commands in network captures
SIEM Query:
source="ftp.log" AND (command="MKD" OR command="XMKD") AND length>NORMAL_ARG_LEN
(pseudo-query: replace NORMAL_ARG_LEN with the baseline directory-name length observed on your controllers and adapt the field names to your log source)
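As an added example that is not part of this advisory, the detection logic behind that query over a few constructed FTP log lines: MKD/XMKD commands are matched case-insensitively and flagged when their argument exceeds an assumed per-site baseline length. The log layout, the `LOG_RE` pattern and the `MAX_NORMAL_ARG_LEN` cutoff are assumptions to be adapted to your own log source.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in an assumed "timestamp client command argument"
# layout; real FTP server log formats vary, so adjust LOG_RE to match yours.
SAMPLE_LOG = "\n".join([
    "2021-11-09T10:00:01Z 10.0.0.5 USER operator",
    "2021-11-09T10:00:02Z 10.0.0.5 MKD reports",
    "2021-11-09T10:00:03Z 10.0.0.5 XMKD backups/2021",
    "2021-11-09T10:00:09Z 203.0.113.7 MKD " + "A" * 600,
    "2021-11-09T10:00:10Z 203.0.113.7 xmkd " + "B" * 300,
    "2021-11-09T10:00:11Z 203.0.113.7 NOOP",
    "malformed entry",
])

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<cmd>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$"
)

# Assumed baseline: directory names on building controllers are short, so an
# argument far beyond this is the signal. Tune the cutoff per site.
MAX_NORMAL_ARG_LEN = 128

@dataclass
class Alert:
    ts: str
    client: str
    cmd: str
    arg_len: int

def find_oversized_mkd(log_text, threshold=MAX_NORMAL_ARG_LEN):
    """Return one Alert per MKD/XMKD line whose argument exceeds threshold."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed layout; skip it
        cmd = m.group("cmd").upper()  # FTP commands are case-insensitive
        if cmd not in ("MKD", "XMKD"):
            continue
        arg = m.group("arg") or ""  # a bare MKD with no argument has length 0
        if len(arg) > threshold:
            alerts.append(Alert(m.group("ts"), m.group("client"), cmd, len(arg)))
    return alerts

def clients_by_alert_count(alerts):
    """Aggregate alerts per source address, useful for a repeated-attempt rule."""
    counts = {}
    for a in alerts:
        counts[a.client] = counts.get(a.client, 0) + 1
    return counts

if __name__ == "__main__":
    for a in find_oversized_mkd(SAMPLE_LOG):
        print(f"{a.ts} {a.client} {a.cmd} argument length {a.arg_len} > {MAX_NORMAL_ARG_LEN}")
```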