CVE-2022-38371

EPSS 0.51%
Veröffentlicht 11.10.2022 11:15:10
Zuletzt bearbeitet 08.04.2025 09:15:15
Quelle productcert@siemens.com
Teams Watchlist Login
Unerledigt Login

A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions < V3.5.7), APOGEE PXC Compact (P2 Ethernet) (All versions < V2.8.21), APOGEE PXC Modular (BACnet) (All versions < V3.5.7), APOGEE PXC Modular (P2 Ethernet) (All versions < V2.8.21), Desigo PXC00-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC00-U (All versions >= V2.3 < V6.30.37), Desigo PXC001-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC100-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC12-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC128-U (All versions >= V2.3 < V6.30.37), Desigo PXC200-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC22-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC22.1-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC36.1-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC50-E.D (All versions >= V2.3 < V6.30.37), Desigo PXC64-U (All versions >= V2.3 < V6.30.37), Desigo PXM20-E (All versions >= V2.3 < V6.30.37), Nucleus NET for Nucleus PLUS V1 (All versions < V5.2a), Nucleus NET for Nucleus PLUS V2 (All versions < V5.4), Nucleus ReadyStart V3 V2012 (All versions < V2012.08.1), Nucleus ReadyStart V3 V2017 (All versions < V2017.02.4), Nucleus Source Code (All versions including affected FTP server), TALON TC Compact (BACnet) (All versions < V3.5.7), TALON TC Modular (BACnet) (All versions < V3.5.7). The FTP server does not properly release memory resources that were reserved for incomplete connection attempts by FTP clients. This could allow a remote attacker to generate a denial of service condition on devices that incorporate a vulnerable version of the FTP server.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Siemens ≫ Nucleus Net

Siemens ≫ Nucleus Readystart V3

Siemens ≫ Nucleus Source Code Version-

Siemens ≫ Apogee Modular Building Controller Firmware

Siemens ≫ Apogee Modular Building Controller Version-

Siemens ≫ Apogee Modular Equiment Controller Firmware

Siemens ≫ Apogee Modular Equiment Controller Version-

Siemens ≫ Apogee Pxc Compact Firmware

Siemens ≫ Apogee Pxc Compact Version-

Siemens ≫ Apogee Pxc Modular Firmware

Siemens ≫ Apogee Pxc Modular Version-

Siemens ≫ Desigo Pxc00-e.D Firmware Version <= 2.3

Siemens ≫ Desigo Pxc00-e.D Version-

Siemens ≫ Desigo Pxc00-u Firmware Version <= 2.3

Siemens ≫ Desigo Pxc00-u Version-

Siemens ≫ Desigo Pxc001-e.D Firmware Version <= 2.3

Siemens ≫ Desigo Pxc001-e.D Version-

Siemens ≫ Desigo Pxc12-e.D Firmware Version <= 2.3

Siemens ≫ Desigo Pxc12-e.D Version-

Siemens ≫ Desigo Pxc22-e.D Firmware Version <= 2.3

Siemens ≫ Desigo Pxc22-e.D Version-

Siemens ≫ Desigo Pxc22.1-e.D Firmware Version <= 2.3

Siemens ≫ Desigo Pxc22.1-e.D Version-

Siemens ≫ Desigo Pxc36.1-e.D Firmware Version <= 2.3

Siemens ≫ Desigo Pxc36.1-e.D Version-

Siemens ≫ Desigo Pxc50-e.D Firmware Version <= 2.3

Siemens ≫ Desigo Pxc50-e.D Version-

Siemens ≫ Desigo Pxc64-u Firmware Version <= 2.3

Siemens ≫ Desigo Pxc64-u Version-

Siemens ≫ Desigo Pxc100-e.D Firmware Version <= 2.3

Siemens ≫ Desigo Pxc100-e.D Version-

Siemens ≫ Desigo Pxc128-u Firmware Version <= 2.3

Siemens ≫ Desigo Pxc128-u Version-

Siemens ≫ Desigo Pxc200-e.D Firmware Version <= 2.3

Siemens ≫ Desigo Pxc200-e.D Version-

Siemens ≫ Desigo Pxm20-e Firmware Version <= 2.3

Siemens ≫ Desigo Pxm20-e Version-

Siemens ≫ Talon Tc Compact Firmware

Siemens ≫ Talon Tc Compact Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.51%	0.655

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
productcert@siemens.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
productcert@siemens.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

https://cert-portal.siemens.com/productcert/html/ssa-313313.html

https://cert-portal.siemens.com/productcert/html/ssa-935500.html

https://cert-portal.siemens.com/productcert/pdf/ssa-313313.pdf

Patch

Vendor Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-935500.pdf

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-38371

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-38371

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-38371

EUVD