CVE-2016-3155
Description
Siemens APOGEE Insight prior to 3.15 uses weak default file permissions, allowing local authenticated users to access or modify application data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Siemens APOGEE Insight software, versions prior to 3.15 [1][2], suffers from an incorrect default permissions vulnerability (CWE-276). The application folder is installed with weak file permissions, which permits any authenticated operating system user to read from and write to the directory containing APOGEE Insight application data [1].
Exploitation
An attacker must have local access to the operating system where APOGEE Insight is installed and be authenticated as a user on that system [1]. No other special privileges are required. Once local access is obtained, the attacker can directly modify files within the APOGEE Insight application folder due to the overly permissive ACLs [1].
Impact
Successful exploitation allows the attacker to modify APOGEE Insight application data [1]. Depending on the altered data, this could lead to unauthorized changes in building management system (BMS) behavior, potentially affecting the confidentiality or integrity of information processed by the software [1]. The attacker does not need administrative rights; standard OS user privileges are sufficient.
Mitigation
Siemens released APOGEE Insight version 3.15 to correct the file permissions [1]. Users should upgrade to version 3.15 or later [1][2]. No workarounds are documented in the available references. The vulnerability is not known to be listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
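One way to confirm whether a host still carries the permissive ACLs described above is to list every allow entry that grants write-type rights to a group containing all authenticated users. This is an added example, not code from Siemens or the cited references; it assumes a Windows host with NTFS ACLs, and because the page does not name the install folder, the operator supplies it as `-InstallPath`.

```powershell
# Added example: report ACEs that let broad groups modify files under a folder.
param(
    # Assumption: operator-supplied APOGEE Insight folder (not given on the page).
    [Parameter(Mandatory = $true)]
    [string]$InstallPath
)

# Well-known SIDs of groups that include any authenticated local user.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that permit changing content, deleting it, or rewriting the ACL.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs may carry raw GENERIC_ALL (0x10000000) or GENERIC_WRITE (0x40000000).
$WriteMask = [int]$WriteRights -bor 0x50000000

function Get-BroadWriteAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }  # unresolvable account, so not one of the groups above
        if (-not $BroadSids.ContainsKey($sid)) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the folder itself and everything beneath it.
$targets  = @(Get-Item -LiteralPath $InstallPath) +
            @(Get-ChildItem -LiteralPath $InstallPath -Recurse -Force -ErrorAction SilentlyContinue)
$findings = @($targets | ForEach-Object { Get-BroadWriteAce -Path $_.FullName })

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize; exit 1 }
"No broad write ACEs found under $InstallPath"
exit 0
```

A non-zero exit code means at least one such entry exists, so the script can run as a scheduled compliance check before and after the upgrade to 3.15.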
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:siemens:apogee_insight:-:*:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
References