
CVE-2022-38371: CWE-400: Uncontrolled Resource Consumption in Siemens APOGEE MBC (PPC) (BACnet)

Severity: High
Tags: vulnerability, cve, cve-2022-38371, cwe-400
Published: Tue Oct 11 2022 (10/11/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Siemens
Product: APOGEE MBC (PPC) (BACnet)

Description

A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.7), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.21), APOGEE PXC Modular (BACnet) (All versions < V3.5.7), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.21), Desigo PXC00-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC00-U (All versions >= V2.3 < V6.30.37), Desigo PXC001-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC100-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC12-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC128-U (All versions >= V2.3 < V6.30.37), Desigo PXC200-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC22-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC22.1-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC36.1-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC50-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC64-U (All versions >= V2.3 < V6.30.37), Desigo PXM20-E (All versions >= V2.3 < V6.30.37), Nucleus NET for Nucleus PLUS V1 (All versions < V5.2a), Nucleus NET for Nucleus PLUS V2 (All versions < V5.4), Nucleus ReadyStart V3 V2012 (All versions < V2012.08.1), Nucleus ReadyStart V3 V2017 (All versions < V2017.02.4), Nucleus Source Code (All versions including affected FTP server), TALON TC Compact (BACnet) (All versions < V3.5.7), TALON TC Modular (BACnet) (All versions < V3.5.7). The FTP server does not properly release memory resources that were reserved for incomplete connection attempts by FTP clients. This could allow a remote attacker to generate a denial of service condition on devices that incorporate a vulnerable version of the FTP server.

AI-Powered Analysis

Last updated: 07/04/2025, 21:25:22 UTC

Technical Analysis

CVE-2022-38371 is a high-severity vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting multiple Siemens industrial control products, specifically those in the APOGEE and Desigo PXC series, as well as related Nucleus and TALON products. The root cause lies in the FTP server component embedded within these devices, which fails to properly release memory resources allocated for incomplete FTP connection attempts. This flaw can be exploited remotely without authentication or user interaction: an attacker who initiates numerous incomplete FTP connections consumes memory on the device that is never freed. Over time, this leads to resource exhaustion, causing denial of service (DoS) conditions that can disrupt the normal operation of critical building automation and industrial control systems. Several product lines are affected in all versions, while others are affected only below the fixed versions listed in the description. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to availability (no confidentiality or integrity impact). No known exploits in the wild have been reported, but the vulnerability presents a significant risk given the critical nature of the affected systems in industrial environments.

Potential Impact

For European organizations, the impact of this vulnerability is substantial, especially for those operating critical infrastructure, manufacturing plants, and large commercial buildings that rely on Siemens APOGEE and Desigo PXC systems for building automation and process control. A successful DoS attack could lead to system outages, loss of control over HVAC, lighting, and other building management functions, potentially causing operational disruptions, safety hazards, and financial losses. Given that these systems often integrate with other industrial control systems, the downtime could cascade, affecting broader operational technology environments. Additionally, disruption in critical infrastructure sectors such as energy, transportation, and healthcare facilities could have wider societal impacts. The lack of confidentiality or integrity compromise reduces the risk of data breaches but does not diminish the operational risk posed by availability loss. The remote and unauthenticated nature of the exploit increases the threat level, as attackers can launch attacks from anywhere without needing insider access.

Mitigation Recommendations

To mitigate this vulnerability effectively, European organizations should:

1) Immediately identify and inventory all Siemens APOGEE, Desigo PXC, Nucleus, and TALON devices in their environment to assess exposure.
2) Apply Siemens-provided patches or firmware updates as soon as they become available, prioritizing devices with FTP server functionality.
3) If patches are not yet available, implement network-level controls such as firewall rules to restrict access to the FTP service ports from untrusted networks, ideally limiting FTP access to trusted management networks only.
4) Monitor network traffic for unusual patterns indicative of incomplete FTP connections or resource exhaustion attempts.
5) Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect and block anomalous FTP connection behaviors.
6) Consider disabling the FTP server component if it is not required for operational purposes.
7) Establish incident response procedures to quickly respond to potential DoS attacks targeting these devices.
8) Engage with Siemens support and subscribe to their security advisories to stay informed about updates and mitigation guidance.

These steps go beyond generic advice by focusing on network segmentation, active monitoring, and operational controls tailored to the industrial environment.
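One way to implement the monitoring in recommendation 4, as an added example that is not part of the original record or Siemens guidance. It assumes connection records in a simplified, constructed five-field format using Zeek-style `conn_state` codes; the set of states treated as "incomplete", the 60-second window and the threshold of 5 are assumptions to tune per site.

```python
from collections import defaultdict, deque

FTP_PORT = 21
# Assumption: Zeek-style conn_state codes counted as "incomplete" attempts.
# S0 = SYN seen, no reply; S1 = established, never closed;
# SH = SYN then FIN without SYN-ACK; RSTOS0 = SYN then RST from originator.
INCOMPLETE_STATES = {"S0", "S1", "SH", "RSTOS0"}

# Constructed sample records: "epoch_ts src dst dport conn_state"
SAMPLE_LOG = """\
1000 10.20.0.15 10.50.1.7 21 SF
1010 10.99.3.4 10.50.1.7 21 S1
1012 10.99.3.4 10.50.1.7 21 S1
1015 10.99.3.4 10.50.1.7 21 S0
1020 10.99.3.4 10.50.1.7 21 S1
1031 10.99.3.4 10.50.1.7 21 SH
1040 10.20.0.15 10.50.1.7 21 SF
1050 10.99.3.4 10.50.1.7 80 S0
1100 10.20.0.22 10.50.1.8 21 S1
1400 10.20.0.22 10.50.1.8 21 S1
1700 10.20.0.22 10.50.1.8 21 S0
2000 10.20.0.22 10.50.1.8 21 S1
2300 10.20.0.22 10.50.1.8 21 S1
"""

def parse(log_text):
    """Yield (ts, src, dst, dport, state) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, state = parts
        yield float(ts), src, dst, int(dport), state

def find_incomplete_ftp_bursts(log_text, window_s=60, threshold=5):
    """Return sorted (src, dst) pairs that reach `threshold` incomplete
    FTP connections to one controller inside a sliding `window_s` window."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps still in window
    flagged = set()
    for ts, src, dst, dport, state in sorted(parse(log_text)):
        if dport != FTP_PORT or state not in INCOMPLETE_STATES:
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window_s:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add((src, dst))
    return sorted(flagged)

if __name__ == "__main__":
    for src, dst in find_incomplete_ftp_bursts(SAMPLE_LOG):
        print(f"ALERT: {src} -> {dst}:21 repeated incomplete FTP connections")
```

Because the leaked memory is not released, a slow trickle of incomplete connections may matter as much as a burst; running a second pass with a much longer window catches sources that stay under the short-window threshold.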

Technical Details

Data Version: 5.1
Assigner Short Name: siemens
Date Reserved: 2022-08-16T00:00:00
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6695

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/4/2025, 9:25:22 PM

Last updated: 8/17/2025, 11:06:48 PM
