CVE-2021-31345 in APOGEE MBC

Summary

by MITRE • 11/09/2021

A vulnerability has been identified in APOGEE MBC (PPC) (BACnet) (All versions), APOGEE MBC (PPC) (P2 Ethernet) (All versions), APOGEE MEC (PPC) (BACnet) (All versions), APOGEE MEC (PPC) (P2 Ethernet) (All versions), APOGEE PXC Compact (BACnet) (All versions), APOGEE PXC Compact (P2 Ethernet) (All versions), APOGEE PXC Modular (BACnet) (All versions), APOGEE PXC Modular (P2 Ethernet) (All versions), Capital VSTAR (All versions), Nucleus NET (All versions), Nucleus ReadyStart V3 (All versions < V2017.02.4), Nucleus Source Code (All versions), TALON TC Compact (BACnet) (All versions), TALON TC Modular (BACnet) (All versions). The total length of a UDP payload (set in the IP header) is unchecked. This may lead to various side effects, including Information Leak and Denial-of-Service conditions, depending on the user-defined application that runs on top of the UDP protocol. (FSMD-2021-0006)


Analysis

by VulDB Data Team • 10/08/2024

This vulnerability affects a set of Siemens products that share one component: the Nucleus NET TCP/IP stack. The stack is listed as affected directly (Nucleus NET, Nucleus ReadyStart V3 before V2017.02.4, and the Nucleus source code), and the APOGEE and TALON building automation controllers and Capital VSTAR are affected because they embed it. The flaw is in the UDP receive path: the stack takes the payload length implied by the Total Length field of the IP header without validating it. The BACnet and P2 Ethernet designations in the product list are firmware variants of the same controllers, not the affected protocols; the defect sits below both, in the IPv4/UDP layer, and therefore reaches any application that receives UDP datagrams on these devices. According to the FSMD-2021-0006 advisory text, the root cause is missing input validation in the network stack.

The flaw is triggered by a single UDP datagram whose IP Total Length field claims more payload than was actually received. Because the stack never compares that claimed length with the number of bytes really present in the receive buffer, it hands the application a payload length that extends past the end of the datagram. What happens next depends on the application: reading the advertised length returns adjacent memory (information leak), touching unmapped memory or a corrupted length calculation crashes the stack or the application (denial of service), and an application that copies the advertised number of bytes into a fixed-size buffer may corrupt memory. No authentication is involved; anything that can deliver a UDP datagram to the device can trigger the condition. That is especially relevant for building automation and industrial controllers, which run continuously and are often reachable from flat or poorly segmented networks.

The operational impact goes beyond a simple crash. An over-long payload length lets an application read memory past the received datagram, so the most direct consequence is disclosure of whatever follows the packet buffer; crashes, watchdog resets, and application restarts follow when the bogus length reaches unmapped memory or breaks later processing. For a BACnet controller that translates into lost HVAC, lighting, or access control functions for as long as the device is down or rebooting. Because the same stack is used across several product generations, the issue is systemic rather than device-specific, and remediation has to cover every product that embeds the stack.

The fix belongs in the stack: the IP Total Length and the UDP Length field must both be checked against the number of bytes actually received before a payload length is passed upward, and inconsistent datagrams must be dropped. For Nucleus ReadyStart V3 the advisory lists V2017.02.4 as the first unaffected version; for the other product lines every version is listed as affected, so operators should follow the vendor's guidance for those products. Until firmware is updated, network segmentation and access control that keep untrusted hosts from reaching the controllers' UDP ports (for the BACnet variants, typically UDP 47808) reduce exposure, and network monitoring can flag IPv4 datagrams whose Total Length exceeds the captured frame length or whose UDP Length disagrees with the IP header. VulDB classifies the weakness under CWE-129 (Improper Validation of Array Index) and CWE-787 (Out-of-bounds Write); note that the advisory itself describes information leak and denial of service, which are out-of-bounds reads, so a write is possible only where the receiving application copies the advertised length. The ATT&CK mapping is T1071.004 (Application Layer Protocol: DNS) and T1499.004 (Endpoint Denial of Service: Application or System Exploitation). Organizations should inventory devices built on Nucleus NET and plan updates around maintenance windows, since many of these controllers sit in environments where unplanned downtime has safety consequences.
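The following is an added illustration, written for this page and not code from Nucleus NET, Siemens, or the advisory. It models the receive-path defect described above and the check that the mitigation paragraph calls for: a minimal IPv4/UDP parser that derives the payload length from the IP Total Length field without comparing it with the bytes actually received, next to a hardened parser that clamps every length to the received frame. The datagrams are constructed inline (a 4-byte payload to BACnet/IP port 47808 with deliberately lying header fields); the function and field names are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV4_MIN_HLEN 20
#define UDP_HLEN       8
#define IPPROTO_UDP_NUM 17

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable receive path (illustrative, not the real stack): the UDP payload
 * length is computed from IP Total Length and never compared with frame_len.
 * The application is handed a length that may extend far past the buffer. */
int udp_payload_len_unchecked(const uint8_t *frame, size_t frame_len,
                              const uint8_t **payload)
{
    if (frame_len < IPV4_MIN_HLEN + UDP_HLEN) return -1;
    size_t   ihl      = (size_t)(frame[0] & 0x0f) * 4;
    uint16_t ip_total = rd16(frame + 2);
    *payload = frame + ihl + UDP_HLEN;
    return (int)(ip_total - ihl - UDP_HLEN);     /* trusts the header blindly */
}

/* Hardened variant: every length is validated against what was received, and
 * the UDP Length field must agree with the IP header. IP checksum is not
 * verified here; a real stack does that before any of this. */
int udp_payload_len_checked(const uint8_t *frame, size_t frame_len,
                            const uint8_t **payload)
{
    if (frame_len < IPV4_MIN_HLEN || (frame[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(frame[0] & 0x0f) * 4;
    if (ihl < IPV4_MIN_HLEN || ihl > frame_len) return -1;
    uint16_t ip_total = rd16(frame + 2);
    if (ip_total < ihl + UDP_HLEN || ip_total > frame_len) return -1;  /* the missing check */
    if (frame[9] != IPPROTO_UDP_NUM) return -1;
    uint16_t udp_len = rd16(frame + ihl + 4);
    if (udp_len < UDP_HLEN || udp_len > ip_total - ihl) return -1;    /* UDP vs IP agreement */
    *payload = frame + ihl + UDP_HLEN;
    return (int)(udp_len - UDP_HLEN);
}

/* Constructed sample datagram: 20-byte IPv4 header, 8-byte UDP header, 4-byte
 * payload "ABCD" to UDP port 47808 (BACnet/IP). The caller chooses the values
 * written into IP Total Length and UDP Length, so the headers can lie about
 * how many bytes follow. Returns the number of bytes actually placed (32). */
size_t build_datagram(uint8_t *buf, size_t cap, uint16_t ip_total, uint16_t udp_len)
{
    static const uint8_t payload[4] = { 'A', 'B', 'C', 'D' };
    size_t n = IPV4_MIN_HLEN + UDP_HLEN + sizeof payload;
    if (cap < n) return 0;
    memset(buf, 0, n);
    buf[0] = 0x45;                                   /* version 4, IHL 5 */
    buf[2] = (uint8_t)(ip_total >> 8); buf[3] = (uint8_t)ip_total;
    buf[8] = 64;                                     /* TTL */
    buf[9] = IPPROTO_UDP_NUM;
    buf[12] = 10; buf[15] = 1;                       /* src 10.0.0.1 (constructed) */
    buf[16] = 10; buf[19] = 2;                       /* dst 10.0.0.2 (constructed) */
    uint8_t *udp = buf + IPV4_MIN_HLEN;
    udp[0] = 0xC0; udp[1] = 0x00;                    /* src port 49152 */
    udp[2] = 0xBA; udp[3] = 0xC0;                    /* dst port 47808 */
    udp[4] = (uint8_t)(udp_len >> 8); udp[5] = (uint8_t)udp_len;
    memcpy(udp + UDP_HLEN, payload, sizeof payload); /* UDP checksum left 0 */
    return n;
}

/* Lying datagram: 32 bytes on the wire, headers claim a 1500-byte packet. */
int claimed_len_lying_frame_unchecked(void)
{
    uint8_t buf[64]; const uint8_t *p;
    size_t n = build_datagram(buf, sizeof buf, 1500, 1480);
    return udp_payload_len_unchecked(buf, n, &p);    /* 1472: far past the 4 real bytes */
}
int claimed_len_lying_frame_checked(void)
{
    uint8_t buf[64]; const uint8_t *p;
    size_t n = build_datagram(buf, sizeof buf, 1500, 1480);
    return udp_payload_len_checked(buf, n, &p);      /* -1: dropped */
}
/* Honest IP header but a lying UDP Length field: also rejected. */
int claimed_len_lying_udp_checked(void)
{
    uint8_t buf[64]; const uint8_t *p;
    size_t n = build_datagram(buf, sizeof buf, 32, 1480);
    return udp_payload_len_checked(buf, n, &p);
}
int claimed_len_honest_frame_checked(void)
{
    uint8_t buf[64]; const uint8_t *p;
    size_t n = build_datagram(buf, sizeof buf, 32, 12);
    return udp_payload_len_checked(buf, n, &p);      /* 4 */
}
/* Bytes of adjacent memory an application would read (or copy) if it trusted
 * the unchecked length: claimed payload minus the payload really received. */
int overread_bytes_lying_frame(void)
{
    return claimed_len_lying_frame_unchecked() - 4;  /* 1468 */
}

int main(void)
{
    printf("unchecked, lying frame : %d\n", claimed_len_lying_frame_unchecked());
    printf("checked,   lying frame : %d\n", claimed_len_lying_frame_checked());
    printf("checked,   lying UDP   : %d\n", claimed_len_lying_udp_checked());
    printf("checked,   honest frame: %d\n", claimed_len_honest_frame_checked());
    printf("bytes read past buffer : %d\n", overread_bytes_lying_frame());
    return 0;
}
```

The only difference that matters is the `ip_total > frame_len` comparison: without it, a 32-byte datagram yields a 1472-byte payload length, and whatever the BACnet or application handler does with those 1468 phantom bytes (echo them, parse them, copy them into a fixed buffer) decides whether the result is a leak, a crash, or a corruption. The same two comparisons, Total Length against captured length and UDP Length against the IP header, are what a network monitor should apply to flag probing for this class of bug.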

Reservation

04/15/2021

Disclosure

11/09/2021

Moderation

accepted

CPE

ready

EPSS

0.01578

KEV

no

Activities

very low
