Siemens has released a firmware update for its BACnet Field Panel building automation products to address two vulnerabilities, including one classified as high severity.
The flaws, apparently discovered by Siemens itself, affect APOGEE PXC and TALON TC BACnet automation controllers running a version of the firmware prior to 3.5. The affected devices are used worldwide in commercial facilities to control a wide range of heating, ventilation and air conditioning (HVAC) equipment.
The BACnet Field Panel provides a web server and a user interface that allow facility operators to easily configure, monitor and control the automation controllers.
One problem found by Siemens in these products is that the authentication mechanism can be bypassed and an attacker can download sensitive information from a device. However, the vendor has pointed out that the attacker requires network access to the web server, which is accessible on TCP ports 80 and 443, in order to exploit the flaw.
This vulnerability is tracked as CVE-2017-9946 and it’s considered high severity with a CVSS score of 7.5.
The second security hole, tracked as CVE-2017-9947 with a severity rating of “medium,” is a directory traversal issue that allows an attacker to obtain information on the structure of the file system on affected devices. This vulnerability also requires network access to the web server for exploitation.
While Siemens has not specified what kind of information is exposed, these types of vulnerabilities can often allow attackers to obtain information that could help them mount further attacks on the system.
Siemens addressed the flaws with the release of firmware version 3.5 for BACnet Field Panel Advanced modules. Affected organizations have been advised to contact their local service for information on how to obtain the patch.