ICSA-20-105-04  ·  Published 2021-02-09  ·  View on CISA ICS-CERT

Siemens Climatix (Update A)

CVSS 6.1 MEDIUM

Remediations

  • Update Climatix POL908 and POL909 to V11.22 or later. These versions disable the web interface by default, as it is no longer needed in standard use cases.
  • Climatix POL908 is designed to be operated in protected BACnet/IP networks only. Do not connect it to other networks such as an office LAN or the Internet. Also consider removing POL908 if the BACnet/IP implementation integrated in newer Climatix 600 controllers is already sufficient for your environment.
  • The remaining mitigations apply only if the web interface is activated (e.g. via the Climatix SCOPE tool):
      • Climatix POL909: when configuring your custom web application, disable access to the default web pages provided by POL909.
      • Enforce authentication for the web interface, and change the default password of the standard ADMIN user.
      • Disable JavaScript in the web browser used to access the web server of Climatix POL908.
      • Use a modern web browser with integrated XSS filtering mechanisms. Note that browser-side XSS filters are no longer something to rely on: Chrome removed its XSS Auditor in version 78 (2019) and Firefox never shipped one, so treat this as a marginal measure next to disabling the interface or enforcing authentication.
  • Update to V11.32 (the Affected Products list below gives V11.32 as the version from which POL909 is no longer affected).

Affected Vendors

Siemens

Affected Products (2)

Siemens · Climatix POL908 (BACnet/IP module): all versions
Siemens · Climatix POL909 (AWM module): all versions < V11.32
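
A fleet check that applies the two lists above, added here as an example and not tooling from Siemens, CISA or this site. It encodes the affected-product table (POL908: all versions; POL909: below V11.32) as a version comparison, and probes each module's web interface from the network the script runs on, since after the recommended update or after disabling the interface via SCOPE the module should not answer HTTP at all from anywhere but the protected BACnet/IP network, and if it does answer it should at least demand authentication. Assumptions, all mine: inventory rows are (hostname, product, firmware) with firmware strings in the "V11.22" form, the web interface when enabled serves plain HTTP on port 80 at "/", and the hosts in the sample inventory are constructed.

```python
"""Fleet check for ICSA-20-105-04 (Siemens Climatix POL908 / POL909).

Added example, not vendor tooling. Flags modules still on an affected
firmware and classifies whether their web interface answers from here.
"""
import re
import socket
import urllib.error
import urllib.request

# Fixed version per product as given in the advisory's Affected Products
# list. None means every version is affected (no fixed version is listed).
FIXED_VERSIONS = {
    "POL908": None,      # BACnet/IP module: all versions affected
    "POL909": (11, 32),  # AWM module: all versions < V11.32 affected
}

# Assumed firmware string format, e.g. "V11.22" (leading "V" optional).
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)$")


def parse_version(s):
    """Turn 'V11.22' into the comparable tuple (11, 22)."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Climatix version string: {s!r}")
    return (int(m.group(1)), int(m.group(2)))


def is_affected(product, firmware):
    """True if this product/firmware pair is in the advisory's affected range."""
    product = product.upper()
    if product not in FIXED_VERSIONS:
        return False  # not in scope of this advisory
    fixed = FIXED_VERSIONS[product]
    if fixed is None:
        return True
    return parse_version(firmware) < fixed


def classify_exposure(status, error):
    """Map a probe result to a verdict.

    status: HTTP status code, or None if no HTTP response came back.
    error:  the exception the probe hit, or None.
    """
    if status is None:
        if isinstance(error, OSError):  # refused, timed out, unroutable, DNS
            return "not-reachable"      # interface disabled or blocked: expected state
        return "unknown"
    if status == 401:
        return "auth-required"          # reachable, but authentication is enforced
    if 200 <= status < 400:
        return "open"                   # reachable without authentication: fix this
    return "unknown"


def probe_web(host, port=80, timeout=3.0):
    """GET http://host:port/ and return (status, error). Assumed port and path."""
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as e:
        return e.code, None             # 401 etc. still counts as an HTTP response
    except urllib.error.URLError as e:
        return None, e.reason           # unwrap the socket-level error
    except OSError as e:
        return None, e


def audit(inventory, probe=probe_web):
    """Return one finding per inventory row; `probe` is injectable for testing."""
    findings = []
    for host, product, firmware in inventory:
        status, err = probe(host)
        findings.append({
            "host": host,
            "product": product,
            "firmware": firmware,
            "affected": is_affected(product, firmware),
            "web": classify_exposure(status, err),
        })
    return findings


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real devices.
    sample = [
        ("bms-pol909-01.example.invalid", "POL909", "V11.22"),
        ("bms-pol909-02.example.invalid", "POL909", "V11.32"),
        ("bms-pol908-01.example.invalid", "POL908", "V11.32"),
    ]
    for f in audit(sample):
        flag = "AFFECTED" if f["affected"] else "ok"
        print(f'{f["host"]:34} {f["product"]} {f["firmware"]:7} {flag:8} web={f["web"]}')
```

Run it from the office LAN as well as from the BACnet/IP segment: every "open" verdict from the office side is a direct violation of the segmentation requirement above, and "auth-required" from the office side still means the interface is reachable from where it should not be.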

Affected Sectors

Multiple
