Rewterz Annual Threat Intelligence Report 2025 - Download Now

Request a Demo
Rewterz
Rewterz Threat Alert – FormBook Malware – Active IOCs
November 12, 2021
Rewterz
Rewterz Threat Advisory – CVE-2021-40444 MSHTML Vulnerability Exploited in Spam Campaign
November 12, 2021

Rewterz Threat Advisory – ICS: Siemens Nucleus RTOS-based APOGEE and TALON Products

Severity

High

Analysis Summary

CVE-2021-31344

ICMP echo packets with fake IP options allow sending ICMP echo reply messages to arbitrary hosts on the network.

CVE-2021-31345

The total length of an UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including information leaks, depending on a user-defined application that runs on top of the UDP protocol.

CVE-2021-31346

The total length of an ICMP payload (set in the IP header) is unchecked. This may lead to various side effects, including information leaks and denial-of-service conditions, depending on the network buffer organization in memory.

CVE-2021-31881 

When processing a DHCP OFFER message, the DHCP client application does not validate the length of the Vendor option(s), leading to denial-of-service conditions. 

CVE-2021-31882 

The DHCP client application does not validate the length of the Domain Name Server IP option(s) (0x06) when processing DHCP ACK packets. This may lead to denial-of-service conditions. 

CVE-2021-31883 

When processing a DHCP ACK message, the DHCP client application does not validate the length of the Vendor option(s), leading to denial-of-service conditions. 

CVE-2021-31884 

The DHCP client application assumes the data supplied with the “Hostname” DHCP option is NULL terminated. In cases when global hostname variable is not defined, this may lead to out-of-bound reads, writes, and denial-of-service conditions. 

CVE-2021-31885 

TFTP server application allows for reading the contents of the TFTP memory buffer via sending malformed TFTP commands. 

CVE-2021-31886 

FTP server does not properly validate the length of the “USER” command, leading to stack-based buffer overflows. This may result in denial-of-service conditions and remote code execution. 

CVE-2021-31887 

FTP server does not properly validate the length of the “PWD/XPWD” command, leading to stack-based buffer overflows. This may result in denial-of-service conditions and remote code execution. 

CVE-2021-31888 

FTP server does not properly validate the length of the “MKD/XMKD” command, leading to stack-based buffer overflows. This may result in denial-of-service conditions and remote code execution. 

CVE-2021-31889 

Malformed TCP packets with a corrupted SACK option leads to denial-of-service conditions. 

CVE-2021-31890 

The total length of an TCP payload (set in the IP header) is unchecked. This may lead to various side effects, including denial-of-service conditions, depending on the network buffer organization in memory.

Impact

  • Denial of Service
  • Remote Code Execution

Affected Vendors

  • Siemens

Affected Products

  • APOGEE MBC (PPC) (BACnet): All versions
  • APOGEE MBC (PPC) (P2 Ethernet): All versions
  • APOGEE MEC (PPC) (BACnet): All versions
  • APOGEE MEC (PPC) (P2 Ethernet): All versions
  • APOGEE PXC Compact (BACnet): All versions
  • APOGEE PXC Compact (P2 Ethernet): All versions
  • APOGEE PXC Modular (BACnet): All versions
  • APOGEE PXC Modular (P2 Ethernet): All versions
  • TALON TC Compact (BACnet): All versions
  • TALON TC Modular (BACnet): All versions

Remediation

Refer to CISA Advisory for the patch, upgrade, or suggested workaround information.

https://us-cert.cisa.gov/ics/advisories/icsa-21-315-07