PT-2021-6893 · Unknown · Desigo Pxc200-E.D+20

Published 2021-11-09 · Updated 2023-02-17 · CVE-2021-31886

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

APOGEE MBC (PPC) (BACnet): all versions
APOGEE MBC (PPC) (P2 Ethernet): all versions
APOGEE MEC (PPC) (BACnet): all versions
APOGEE MEC (PPC) (P2 Ethernet): all versions
APOGEE PXC Compact (BACnet): versions prior to V3.5.4
APOGEE PXC Compact (P2 Ethernet): versions prior to V2.8.19
APOGEE PXC Modular (BACnet): versions prior to V3.5.4
APOGEE PXC Modular (P2 Ethernet): versions prior to V2.8.19
Desigo PXC00-E.D: versions V2.3 through V6.30.015
Desigo PXC00-U: versions V2.3 through V6.30.015
Desigo PXC001-E.D: versions V2.3 through V6.30.015
Desigo PXC100-E.D: versions V2.3 through V6.30.015
Desigo PXC12-E.D: versions V2.3 through V6.30.015
Desigo PXC128-U: versions V2.3 through V6.30.015
Desigo PXC200-E.D: versions V2.3 through V6.30.015
Desigo PXC22-E.D: versions V2.3 through V6.30.015
Desigo PXC22.1-E.D: versions V2.3 through V6.30.015
Desigo PXC36.1-E.D: versions V2.3 through V6.30.015
Desigo PXC50-E.D: versions V2.3 through V6.30.015
Desigo PXC64-U: versions V2.3 through V6.30.015
Desigo PXM20-E: versions V2.3 through V6.30.015
Nucleus NET: all versions
Nucleus ReadyStart V3: versions prior to V2017.02.4
Nucleus Source Code: all versions
TALON TC Compact (BACnet): versions prior to V3.5.4
TALON TC Modular (BACnet): versions prior to V3.5.4
Description

The FTP server does not properly validate the length of the USER command, leading to stack-based buffer overflows. A remote attacker could exploit this to cause a denial-of-service condition or execute arbitrary code on the affected device.
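A hardened USER handler, added here as an illustration and not code from Nucleus NET, Siemens or the advisory: it measures the command argument before copying it into the fixed-size stack buffer, so an over-long line is refused instead of overrunning the buffer. The buffer size, result codes and function names are this example's own assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX); FTP verbs are case-insensitive */

/* Constructed limit for this example; the real firmware's buffer size is not on the page. */
#define FTP_USERNAME_MAX 32   /* fixed-size stack buffer the username is copied into */

enum user_result { USER_OK = 0, USER_NOT_USER_CMD, USER_EMPTY, USER_TOO_LONG };

/* Hardened USER handler: the argument is measured before anything is copied,
 * so an over-long line is refused instead of overrunning `username`. */
int handle_user_command(const char *line, char *username, size_t username_cap)
{
    if (strncasecmp(line, "USER ", 5) != 0) return USER_NOT_USER_CMD;
    const char *arg = line + 5;
    size_t len = strcspn(arg, "\r\n");             /* argument length without the CRLF */
    if (len == 0) return USER_EMPTY;
    if (len >= username_cap) return USER_TOO_LONG; /* the bounds check the advisory says was missing */
    memcpy(username, arg, len);
    username[len] = '\0';
    return USER_OK;
}

/* Runs the handler against a stack buffer of the server's size and returns 1
 * when the extracted username equals `expected`, 0 otherwise. */
int user_line_yields(const char *line, const char *expected)
{
    char username[FTP_USERNAME_MAX];
    if (handle_user_command(line, username, sizeof username) != USER_OK) return 0;
    return strcmp(username, expected) == 0;
}

/* Builds a constructed USER line whose argument is `n` bytes of 'A' plus CRLF
 * and returns the handler's verdict, so the exact cut-off can be checked. */
int verdict_for_username_length(size_t n)
{
    char *line = malloc(5 + n + 3);
    if (line == NULL) return -1;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 3);               /* copies the terminating NUL too */
    char username[FTP_USERNAME_MAX];
    int rc = handle_user_command(line, username, sizeof username);
    free(line);
    return rc;
}
```

A line whose argument is 31 bytes still fits the 32-byte buffer with its terminator; 32 or more is rejected before any copy takes place.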
Recommendations

As a temporary workaround, consider disabling the FTP server until a patch is available. Restrict access to the FTP server to minimize the risk of exploitation. Avoid using the USER command in the affected FTP server until the issue is resolved.

Update APOGEE PXC Compact (BACnet) to version V3.5.4 or later.
Update APOGEE PXC Compact (P2 Ethernet) to version V2.8.19 or later.
Update APOGEE PXC Modular (BACnet) to version V3.5.4 or later.
Update APOGEE PXC Modular (P2 Ethernet) to version V2.8.19 or later.
Update Desigo PXC00-E.D to version V6.30.016 or later.
Update Desigo PXC00-U to version V6.30.016 or later.
Update Desigo PXC001-E.D to version V6.30.016 or later.
Update Desigo PXC100-E.D to version V6.30.016 or later.
Update Desigo PXC12-E.D to version V6.30.016 or later.
Update Desigo PXC128-U to version V6.30.016 or later.
Update Desigo PXC200-E.D to version V6.30.016 or later.
Update Desigo PXC22-E.D to version V6.30.016 or later.
Update Desigo PXC22.1-E.D to version V6.30.016 or later.
Update Desigo PXC36.1-E.D to version V6.30.016 or later.
Update Desigo PXC50-E.D to version V6.30.016 or later.
Update Desigo PXC64-U to version V6.30.016 or later.
Update Desigo PXM20-E to version V6.30.016 or later.
Update Nucleus ReadyStart V3 to version V2017.02.4 or later.

At the moment, there is no information about a newer version that contains a fix for Nucleus NET, Nucleus Source Code, APOGEE MBC (PPC) (BACnet), APOGEE MBC (PPC) (P2 Ethernet), APOGEE MEC (PPC) (BACnet), APOGEE MEC (PPC) (P2 Ethernet), TALON TC Compact (BACnet) and TALON TC Modular (BACnet).

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

BDU:2022-02448
CVE-2021-31886

Affected Products

APOGEE MEC (PPC)
APOGEE PXC Compact
APOGEE PXC Modular
Desigo PXC00-E.D
Desigo PXC00-U
Desigo PXC001-E.D
Desigo PXC100-E.D
Desigo PXC12-E.D
Desigo PXC128-U
Desigo PXC200-E.D
Desigo PXC22-E.D
Desigo PXC22.1-E.D
Desigo PXC36.1-E.D
Desigo PXC50-E.D
Desigo PXC64-U
Desigo PXM20-E
Nucleus NET
Nucleus ReadyStart V3
Nucleus Source Code
TALON TC Compact
TALON TC Modular