CVE-2021-27391 — CRITICAL (9.8)

Q: How severe is CVE-2021-27391?

CVE-2021-27391 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2021-27391?

Check the references section above for vendor advisories and patch information. Affected products include: Siemens Apogee Mbc \(Ppc\) \(P2 Ethernet\) Firmware, Siemens Apogee Mbc \(Ppc\) \(P2 Ethernet\), Siemens Apogee Mec \(Ppc\) \(P2 Ethernet\) Firmware, Siemens Apogee Mec \(Ppc\) \(P2 Ethernet\), Siemens Apogee Pxc Bacnet Automation Controller Firmware.

Vulnerability Description

A vulnerability has been identified in APOGEE MBC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE MEC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE PXC Compact (BACnet) (All versions < V3.5.3), APOGEE PXC Compact (P2 Ethernet) (All versions >= V2.8), APOGEE PXC Modular (BACnet) (All versions < V3.5.3), APOGEE PXC Modular (P2 Ethernet) (All versions >= V2.8), TALON TC Compact (BACnet) (All versions < V3.5.3), TALON TC Modular (BACnet) (All versions < V3.5.3). The web server of affected devices lacks proper bounds checking when parsing the Host parameter in HTTP requests, which could lead to a buffer overflow. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code on the device with root privileges.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Siemens	Apogee Mbc \(Ppc\) \(P2 Ethernet\) Firmware	<= 2.6.3
Siemens	Apogee Mbc \(Ppc\) \(P2 Ethernet\)	All versions
Siemens	Apogee Mec \(Ppc\) \(P2 Ethernet\) Firmware	<= 2.6.3
Siemens	Apogee Mec \(Ppc\) \(P2 Ethernet\)	All versions
Siemens	Apogee Pxc Bacnet Automation Controller Firmware	< 3.5.3
Siemens	Apogee Pxc Bacnet Automation Controller	-
Siemens	Apogee Pxc Compact \(P2 Ethernet\) Firmware	<= 2.8
Siemens	Apogee Pxc Compact \(P2 Ethernet\)	All versions
Siemens	Apogee Pxc Modular \(Bacnet\) Firmware	< 3.5.3
Siemens	Apogee Pxc Modular \(Bacnet\)	All versions
Siemens	Apogee Pxc Modular \(P2 Ethernet\) Firmware	<= 2.8
Siemens	Apogee Pxc Modular \(P2 Ethernet\)	All versions
Siemens	Talon Tc Compact \(Bacnet\) Firmware	< 3.5.3
Siemens	Talon Tc Compact \(Bacnet\)	All versions
Siemens	Talon Tc Modular \(Bacnet\) Firmware	< 3.5.3
Siemens	Talon Tc Modular \(Bacnet\)	All versions

Related Weaknesses (CWE)

CWE-120

References

https://cert-portal.siemens.com/productcert/pdf/ssa-944498.pdfPatchVendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-944498.pdfPatchVendor Advisory

FAQ

What is CVE-2021-27391?

CVE-2021-27391 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A vulnerability has been identified in APOGEE MBC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE MEC (PPC) (P2 Ethernet) (All versions >= V2.6.3), APOGEE PXC Compact (BACnet) (All versions < V3....

How severe is CVE-2021-27391?

CVE-2021-27391 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-27391?

Check the references section above for vendor advisories and patch information. Affected products include: Siemens Apogee Mbc \(Ppc\) \(P2 Ethernet\) Firmware, Siemens Apogee Mbc \(Ppc\) \(P2 Ethernet\), Siemens Apogee Mec \(Ppc\) \(P2 Ethernet\) Firmware, Siemens Apogee Mec \(Ppc\) \(P2 Ethernet\), Siemens Apogee Pxc Bacnet Automation Controller Firmware.