Siemens, a leading provider of fire safety solutions, has issued a critical security advisory warning of severe vulnerabilities in its Cerberus PRO UL and Desigo Fire Safety UL systems. These vulnerabilities could potentially allow unauthorized access to fire protection networks, putting lives and property at risk.
Buffer Overflow Vulnerabilities Expose Systems to Attack
The identified vulnerabilities, tracked as CVE-2024-22039, CVE-2024-22040, and CVE-2024-22041, reside within the network communication stack of the affected systems. Exploitation of these vulnerabilities could lead to catastrophic consequences:
- CVE-2024-22039 (CVSS 10): This critical flaw could enable an attacker to execute arbitrary code on the affected device with root privileges, potentially allowing for complete system takeover.
- CVE-2024-22040 & CVE-2024-22041 (CVSS 7.5): These vulnerabilities could cause a denial-of-service (DoS) condition, rendering the fire protection system unresponsive and unable to function during an emergency.
Affected Products and Urgent Action Required
The following products are affected by these vulnerabilities:
- Cerberus PRO UL Compact Panel FC922/924
- Cerberus PRO UL Engineering Tool
- Cerberus PRO UL X300 Cloud Distribution
- Desigo Fire Safety UL Compact Panel FC2025/2050
- Desigo Fire Safety UL Engineering Tool
- Desigo Fire Safety UL X300 Cloud Distribution
Siemens has released updated versions of these products to address the vulnerabilities. Users are strongly advised to immediately update their systems to the latest versions to mitigate the risk of compromise.
The Importance of Fire Safety System Security
Fire protection systems are critical components of building safety, designed to detect and suppress fires, alert occupants, and facilitate safe evacuation. Any compromise of these systems could have devastating consequences, including loss of life and significant property damage.