PT-2021-4188 · Unknown · Talon Tc Compact+5

Published 2021-09-14 · Updated 2021-09-28 · CVE-2021-27391

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

APOGEE MBC (PPC) (P2 Ethernet) versions V2.6.3 and later
APOGEE MEC (PPC) (P2 Ethernet) versions V2.6.3 and later
APOGEE PXC Compact (BACnet) versions prior to V3.5.3
APOGEE PXC Compact (P2 Ethernet) versions V2.8 and later
APOGEE PXC Modular (BACnet) versions prior to V3.5.3
APOGEE PXC Modular (P2 Ethernet) versions V2.8 and later
TALON TC Compact (BACnet) versions prior to V3.5.3
TALON TC Modular (BACnet) versions prior to V3.5.3
Description

The web server of affected devices lacks proper bounds checking when parsing the Host parameter in HTTP requests, which could lead to a buffer overflow. An unauthenticated remote attacker could exploit this issue to execute arbitrary code on the device with root privileges.
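The missing check the description refers to, shown as an added C example written for this page (it is not the affected devices' firmware code, which is not reproduced in the advisory): a Host header parser that measures the value before copying it and rejects anything that would not fit the destination buffer. HOST_MAX, the result codes and the sample request lines are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Maximum Host value the parser will accept. A constructed limit for
   this example, not a value taken from the advisory or the devices. */
#define HOST_MAX 255

enum host_parse_result {
    HOST_OK = 0,
    HOST_NOT_HOST_HEADER = 1,
    HOST_TOO_LONG = 2,
    HOST_EMPTY = 3
};

/* Case-insensitive test that `line` begins with "Host:". */
static int starts_with_host(const char *line) {
    const char *prefix = "host:";
    for (size_t i = 0; prefix[i] != '\0'; i++) {
        if (line[i] == '\0' || tolower((unsigned char)line[i]) != prefix[i])
            return 0;
    }
    return 1;
}

/* Copy the Host header value from `line` into `out` (capacity `out_len`)
   with bounds checking. The defect class the advisory describes is a copy
   of the header value into a fixed-size buffer without first checking its
   length; this function measures the value and refuses oversized input
   instead of copying it. */
enum host_parse_result parse_host_header(const char *line, char *out, size_t out_len) {
    if (out_len == 0) return HOST_TOO_LONG;
    out[0] = '\0';
    if (!starts_with_host(line)) return HOST_NOT_HOST_HEADER;

    const char *p = line + 5;              /* skip "Host:" */
    while (*p == ' ' || *p == '\t') p++;   /* skip leading whitespace */

    /* The value ends at CR, LF or end of string. */
    size_t n = strcspn(p, "\r\n");
    /* Trim trailing whitespace. */
    while (n > 0 && (p[n - 1] == ' ' || p[n - 1] == '\t')) n--;

    if (n == 0) return HOST_EMPTY;
    if (n >= out_len) return HOST_TOO_LONG; /* must leave room for the NUL */

    memcpy(out, p, n);
    out[n] = '\0';
    return HOST_OK;
}

int main(void) {
    char host[HOST_MAX + 1];
    /* Constructed sample header lines, not captured from a device. */
    const char *ok_line = "Host: 192.0.2.10:80\r\n";
    char long_line[600];
    memset(long_line, 'A', sizeof long_line);
    memcpy(long_line, "Host: ", 6);
    long_line[sizeof long_line - 1] = '\0';

    printf("normal:   %d (%s)\n", parse_host_header(ok_line, host, sizeof host), host);
    printf("oversize: %d\n", parse_host_header(long_line, host, sizeof host));
    return 0;
}
```

The point of the design is that the length decision is made from the measured value and the destination's capacity, never from the attacker-controlled input alone; an oversized Host value is a parse error the caller can answer with a 4xx status rather than a write past the end of the buffer.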
Recommendations

For APOGEE MBC (PPC) (P2 Ethernet) versions V2.6.3 and later, update to a version that includes the fix for this issue.
For APOGEE MEC (PPC) (P2 Ethernet) versions V2.6.3 and later, update to a version that includes the fix for this issue.
For APOGEE PXC Compact (BACnet) versions prior to V3.5.3, update to version V3.5.3 or later.
For APOGEE PXC Compact (P2 Ethernet) versions V2.8 and later, update to a version that includes the fix for this issue.
For APOGEE PXC Modular (BACnet) versions prior to V3.5.3, update to version V3.5.3 or later.
For APOGEE PXC Modular (P2 Ethernet) versions V2.8 and later, update to a version that includes the fix for this issue.
For TALON TC Compact (BACnet) versions prior to V3.5.3, update to version V3.5.3 or later.
For TALON TC Modular (BACnet) versions prior to V3.5.3, update to version V3.5.3 or later.

As a temporary workaround, consider restricting access to the web server to minimize the risk of exploitation.

Fix

Buffer Overflow

Weakness Enumeration

Related Identifiers

BDU:2021-04784
CVE-2021-27391

Affected Products

Apogee Mbc
Apogee Mec
Apogee Pxc Compact
Apogee Pxc Modular
Talon Tc Compact
Talon Tc Modular