Siemens has new firmware to mitigate an authentication bypass using an alternate path or channel and path traversal vulnerabilities in its BACnet Field Panels product, according to a report with ICS-CERT.
Successful exploitation of these vulnerabilities, which were self-reported by Siemens, could allow unauthenticated attackers with access to the integrated webserver to download sensitive information.
The remotely exploitable vulnerabilities affect the following BACnet field panels:
• APOGEE PXC BACnet Automation Controllers: All versions prior to V3.5
• TALON TC BACnet Automation Controllers: All versions prior to V3.5
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerability.
An attacker with network access to the integrated web server (Ports 80/TCP and 443/TCP) could bypass the authentication and download sensitive information from the device.
CVE-2017-9946 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
In addition, a directory traversal vulnerability could allow a remote attacker with network access to the integrated web server (Ports 80/TCP and 443/TCP) to obtain information on the structure of the file system of the affected devices.
CVE-2017-9947 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The product sees use in the commercial facilities sector. It sees action on a global basis.
Siemens provided firmware Version V3.5 for BACnet Field Panels Advanced modules, which fixes the vulnerabilities, and they recommend that users update to the new fixed version. Users should contact the local service organization for further information on how to obtain and apply V3.5. The web form is available at the following location on the Siemens web site.
For more information on this vulnerability and more detailed mitigation instructions, see Siemens Security Advisory SSA-148078.