CVE-2021-41545

7.5 HIGH

📋 TL;DR

A vulnerability in Siemens Desigo building automation controllers allows attackers to send a specially crafted BACnet protocol packet that causes the BACnet communication function to fail, potentially forcing the controller into a factory reset state. This affects Desigo DXR2, PXC3, PXC4, and PXC5 controllers running vulnerable versions. Attackers could disrupt building automation systems including HVAC, lighting, and access control.

💻 Affected Systems

Products:
  • Desigo DXR2
  • Desigo PXC3
  • Desigo PXC4
  • Desigo PXC5
Versions: DXR2: < V01.21.142.5-22, PXC3: < V01.21.142.4-18, PXC4/PXC5: < V02.20.142.10-10884
Operating Systems: Embedded controller firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All vulnerable versions with BACnet communication enabled are affected. Factory reset state may require physical access to restore.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Controller performs factory reset, losing all configuration and causing building automation systems to fail until manually reconfigured, potentially affecting safety-critical systems.

🟠 Likely Case

BACnet communication disruption causing loss of monitoring/control for building systems, requiring manual intervention to restore functionality.

🟢 If Mitigated

Limited to isolated network segments with proper segmentation and monitoring, minimizing operational impact.

🌐 Internet-Facing: MEDIUM - While BACnet is typically on internal networks, misconfigured or exposed systems could be vulnerable from the internet.
🏢 Internal Only: HIGH - Building automation networks often have poor segmentation, allowing lateral movement from compromised IT networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Requires sending specific BACnet packet to vulnerable port.

Exploitation requires network access to BACnet port (typically 47808). No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: DXR2: V01.21.142.5-22, PXC3: V01.21.142.4-18, PXC4/PXC5: V02.20.142.10-10884

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-662649.pdf

Restart Required: Yes

Instructions:

1. Download firmware update from Siemens support portal.
2. Backup controller configuration.
3. Apply firmware update following vendor documentation.
4. Restart controller.
5. Restore configuration if needed.
6. Verify BACnet communication functionality.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all

Isolate BACnet traffic to separate VLAN with strict firewall rules.

Access Control Lists

Applies to: all

Implement network ACLs to restrict BACnet traffic to authorized sources only.

🧯 If You Can't Patch

  • Segment building automation network from corporate IT network using firewalls with strict rules
  • Implement network monitoring for unusual BACnet traffic patterns and reset attempts

🔍 How to Verify

Check if Vulnerable:

Check controller firmware version via web interface or local display against affected versions list.

Check Version:

Check via controller web interface or local display - no universal CLI command available.

Verify Fix Applied:

Verify firmware version matches patched versions and test BACnet communication functionality.

📡 Detection & Monitoring

Log Indicators:

  • Controller logs showing BACnet communication failures
  • Unexpected factory reset events
  • Configuration loss alerts

Network Indicators:

  • Unusual BACnet traffic to port 47808
  • Multiple reset packets from single source
  • BACnet communication disruption patterns

SIEM Query:

(source="bacnet_traffic" AND dest_port=47808 AND packet_size=[specific]) OR event_type="controller_reset"
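The network and log indicators above, turned into a small detector as an added example (not part of this advisory card or of any Siemens tooling): it flags bursts of BACnet/IP packets to UDP 47808 from a host outside a hypothetical allow-list of BMS servers, then correlates controller reset or communication-failure events with a preceding burst at the same controller. Flow records, log events and IP addresses are constructed samples.

```python
"""Detection helpers for the indicators listed above: bursts of BACnet/IP
traffic (UDP 47808) from one source, and reset/failure events that follow."""
from collections import defaultdict
from datetime import datetime, timedelta
BACNET_PORT = 47808  # default BACnet/IP port
# Constructed flow summaries (not real captures): (timestamp, src_ip, dst_ip, dst_port)
FLOWS = [
    ("2021-10-12T09:00:00", "10.0.5.20", "10.0.5.101", BACNET_PORT),  # routine BMS poll
    ("2021-10-12T09:05:00", "10.0.9.77", "10.0.5.101", BACNET_PORT),  # burst, unexpected host
    ("2021-10-12T09:05:01", "10.0.9.77", "10.0.5.101", BACNET_PORT),
    ("2021-10-12T09:05:02", "10.0.9.77", "10.0.5.101", BACNET_PORT),
    ("2021-10-12T09:05:03", "10.0.9.77", "10.0.5.101", BACNET_PORT),
    ("2021-10-12T09:05:04", "10.0.9.77", "10.0.5.101", BACNET_PORT),
]
# Constructed controller log events: (timestamp, controller_ip, event_type)
EVENTS = [
    ("2021-10-12T09:05:09", "10.0.5.101", "bacnet_comm_failure"),
    ("2021-10-12T09:05:30", "10.0.5.101", "factory_reset"),
]
ALLOWED_SOURCES = {"10.0.5.20"}  # hypothetical allow-list of known BMS servers
RESET_EVENTS = {"factory_reset", "bacnet_comm_failure"}

def bacnet_bursts(flows, threshold=5, window=timedelta(seconds=10)):
    """Non-allow-listed sources sending >= threshold packets to one controller's
    BACnet port within `window`; returns (src_ip, controller_ip, first_ts)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == BACNET_PORT and src not in ALLOWED_SOURCES:
            by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    alerts = []
    for (src, dst), times in by_pair.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append((src, dst, times[i]))
                break  # one alert per source/controller pair
    return alerts

def resets_after_bursts(flows, events, lookback=timedelta(minutes=5)):
    """Pair each reset/comm-failure event with a burst that hit the same
    controller during the preceding `lookback`; returns (event_type, controller_ip, src_ip)."""
    bursts = bacnet_bursts(flows)
    hits = []
    for ts, ctrl, kind in events:
        t = datetime.fromisoformat(ts)
        for src, dst, first in bursts:
            if kind in RESET_EVENTS and dst == ctrl and timedelta(0) <= t - first <= lookback:
                hits.append((kind, ctrl, src))
    return hits
```

The thresholds and the allow-list are tuning knobs; a real deployment would feed them from the firewall or BACnet gateway logs and the controllers' own event logs.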
