Out-of-Bounds Memory Access in SIMATIC HMI and SINAMICS Products by Siemens
CVE-2021-27384

9.8CRITICAL

Key Information:

Vendor
Siemens
Status
Simatic Hmi Comfort Outdoor Panels V15 7\" & 15\" (incl. Siplus Variants)
Simatic Hmi Comfort Outdoor Panels V16 7\" & 15\" (incl. Siplus Variants)
Simatic Hmi Comfort Panels V15 4\" - 22\" (incl. Siplus Variants)
Simatic Hmi Comfort Panels V16 4\" - 22\" (incl. Siplus Variants)
Vendor
CVE Published:
12 May 2021

Summary

A vulnerability has been discovered in several Siemens SIMATIC HMI and SINAMICS products, where an out-of-bounds memory access in the SmartVNC device layout handler can expose systems to potential code execution attacks. This flaw affects various models of HMI comfort panels and mobile panels across multiple versions, putting sensitive operational data at risk. It is crucial for users to update to the latest versions to mitigate potential exploitation.

Affected Version(s)

SIMATIC HMI Comfort Outdoor Panels V15 7\" & 15\" (incl. SIPLUS variants) All versions < V15.1 Update 6

SIMATIC HMI Comfort Outdoor Panels V16 7\" & 15\" (incl. SIPLUS variants) All versions < V16 Update 4

SIMATIC HMI Comfort Panels V15 4\" - 22\" (incl. SIPLUS variants) All versions < V15.1 Update 6

References

https://cert-portal.siemens.com/productcert/pdf/ssa-53877...
x_refsource_MISC
https://cert-portal.siemens.com/productcert/pdf/ssa-28683...
x_refsource_MISC
https://us-cert.cisa.gov/ics/advisories/icsa-21-131-11
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.