Siemens has updates available to handle multiple vulnerabilities in the SmartVNC component of its SIMATIC HMI and WinCC products, according to an advisory published by CISA.

Vulnerabilities include access of memory location after end of buffer, improper handling of exceptional conditions, improper restriction of operations within the bounds of a memory buffer, and uncontrolled resource consumption.

The following Siemens SIMATIC HMIs/WinCC products suffer from the issue:

  • SIMATIC HMI Comfort Outdoor Panels 7" and 15" (incl. SIPLUS variants): All versions prior to v16 Update 4
  • SIMATIC HMI Comfort Panels 4"-22" (incl. SIPLUS variants): All versions prior to v16 Update 4
  • SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900, KTP900F: All versions prior to v16 Update 4
  • SIMATIC WinCC Runtime Advanced: All versions prior to v16 Update 4

Successful exploitation of these remotely exploitable vulnerabilities, which Siemens self-reported, could allow remote code execution, information disclosure and denial of service attacks under certain conditions.


In one issue, SmartVNC has an out-of-bounds memory access vulnerability that could be triggered on the server side when sending data from the client, which could result in a denial-of-service condition.

CVE-2021-25660 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.4.

In addition, SmartVNC has an out-of-bounds memory access vulnerability that could be triggered on the client side when sending data from the server, which could result in a denial-of-service condition.

CVE-2021-25661 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.9.

Also, SmartVNC client fails to handle an exception properly if the program execution process is modified after sending a packet from the server, which could result in a denial-of-service condition.

CVE-2021-25662 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.9.

In another issue, SmartVNC has a heap allocation leak vulnerability in the server Tight encoder, which could result in a denial-of-service condition.

CVE-2021-27383 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In addition, SmartVNC has an out-of-bounds memory access vulnerability in the device layout handler represented by a binary data stream on client side, which could result in code execution.

CVE-2021-27384 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

Also, a remote attacker could send specially crafted packets to a SmartVNC device layout handler on the client side, which could influence the number of resources consumed and result in a denial-of-service condition (infinite loop).

CVE-2021-27385 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In another issue, SmartVNC has a heap allocation leak vulnerability in the device layout handler on client side, which could result in a denial-of-service condition.

CVE-2021-27386 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

The product sees use in multiple industry sectors, and on a global basis.

Siemens recommends applying updates where available; for all of the affected products listed above, that is v16 Update 4.

Siemens also identified the following specific workaround and mitigation users can apply to reduce the risk:

  • Restrict access to Port 5900/TCP (the SmartVNC port) to trusted IP addresses only

Note that filtering 5900/TCP limits who can reach the SmartVNC server side; the client-side issues above are triggered by data sent from the server the client connects to, so SmartVNC clients should likewise only be pointed at trusted servers.
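One way to implement the port-5900 restriction on a Linux firewall in front of the panel network, as an added example that is not part of the Siemens advisory or the ISSSource article: the function below emits an nftables ruleset that accepts 5900/TCP only from a set of trusted engineering addresses and logs and drops everything else. The table name `hmi_vnc`, the set name `vnc_trusted`, the `smartvnc-blocked` log prefix, the `forward` hook and every address are assumptions for illustration; replace them with your own.

```shell
#!/bin/sh
# Added example, not Siemens or ISSSource code. Assumes a Linux host with
# nftables acting as the firewall between engineering workstations and the
# HMI / WinCC Runtime network. Set VNC_HOOK=input instead if the rules are
# loaded on the machine that runs the SmartVNC server itself.
VNC_HOOK="${VNC_HOOK:-forward}"

# vnc_ruleset TRUSTED_ADDR...  -> prints an nftables ruleset on stdout.
# Each argument is an IPv4 address or CIDR prefix (placeholder values in the
# usage line below). Returns 1 on an empty list or an argument containing
# anything other than digits, dots and a slash, so that untrusted input
# cannot smuggle extra nft statements into the generated ruleset.
vnc_ruleset() {
    trusted=""
    for ip in "$@"; do
        case "$ip" in
            ""|*[!0-9./]*) echo "vnc_ruleset: bad address '$ip'" >&2; return 1 ;;
        esac
        trusted="${trusted:+$trusted, }$ip"
    done
    [ -n "$trusted" ] || { echo "vnc_ruleset: need at least one trusted address" >&2; return 1; }
    cat <<EOF
table inet hmi_vnc {
    set vnc_trusted {
        type ipv4_addr
        flags interval
        elements = { $trusted }
    }
    chain $VNC_HOOK {
        type filter hook $VNC_HOOK priority 0; policy accept;
        # SmartVNC (5900/TCP): accept only from engineering hosts,
        # log and drop every other source
        tcp dport 5900 ip saddr @vnc_trusted accept
        tcp dport 5900 log prefix "smartvnc-blocked " drop
    }
}
EOF
}

# Usage (placeholder addresses), dry-run first, then load as root:
#   vnc_ruleset 10.0.10.5 10.0.10.0/29 | nft -c -f -
#   vnc_ruleset 10.0.10.5 10.0.10.0/29 | nft -f -
```

`nft -c -f -` parses the generated ruleset without applying it, which is the step to run before loading it on a production firewall. The `policy accept` default leaves all other traffic alone so the rule set only narrows SmartVNC reachability; a real deployment would normally sit inside a default-deny policy for the HMI segment.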

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to the Siemens operational guidelines for industrial security and following the recommendations in the product manuals.

For additional information, see Siemens Security Advisory SSA-538778.

ISSSource
