CVE-2022-38371

Vulnerability

The FTP server component within Siemens Nucleus NET (versions for Nucleus PLUS V1 < V5.2a, V2 < V5.4), Nucleus ReadyStart V3 V2012 < V2012.08.1, V3 V2017 < V2017.02.4, and Nucleus Source Code including the affected FTP server) does not properly release memory resources reserved for incomplete connection attempts by FTP clients. This affects a wide range of building automation devices including APOGEE PXC Compact and Modular (BACnet and P2 Ethernet) versions below V3.5.7 and V2.8.21 respectively, Desigo PXC00/64/128-U and other Desigo models (≥V2.3 < V6.30.37), TALON TC Compact/Modular (BACnet) < V3.5.7, and several APOGEE MBC/MEC (PPC) and PXM20-E devices on all versions [1][2].

Exploitation

A remote attacker can repeatedly initiate FTP connection attempts without completing the handshake. The FTP server reserves memory for each such attempt but fails to release it upon incomplete connections, allowing the attacker to exhaust available memory resources over time. No authentication or specific privileges are required beyond network access to the vulnerable FTP service [1].

Impact

Successful exploitation leads to a denial of service (DoS) condition on the affected device. The memory exhaustion can cause the device to become unresponsive or crash, disrupting building automation or other operations that rely on the compromised controller or RTOS [1].

Mitigation

Siemens has released updates for several product families: APOGEE PXC Compact/Modular should be updated to V3.5.7 (BACnet) or V2.8.21 (P2 Ethernet); Desigo models to V6.30.37; and Nucleus NET/Nucleus ReadyStart to the versions listed in the advisory. For products where no fix is yet available (APOGEE MBC/MEC (PPC), Nucleus Source Code, TALON TC, and earlier Nucleus versions), Siemens recommends configuring TCP_MAX_KEEPALIVES to a lower value (e.g., 3) and setting TCP_KEEPALIVE_INTERVAL and TCP_KEEPALIVE_DELAY to 3 seconds, as well as rebooting devices after any attack [1][2].