Multiple vulnerabilities in Siemens SIMATIC SmartVNC HMI WinCC Products



Risk: High
Patch available: YES
Number of vulnerabilities: 7
CVE-ID: CVE-2021-25660, CVE-2021-25661, CVE-2021-25662, CVE-2021-27383, CVE-2021-27384, CVE-2021-27385, CVE-2021-27386
CWE-ID: CWE-788, CWE-755, CWE-119, CWE-400
Exploitation vector: Network
Public exploit: N/A

Vulnerable software (category: Server applications / SCADA systems):

SIMATIC HMI Comfort Outdoor Panels 7” & 15”
SIMATIC HMI Comfort Panels 4”-22”
SIMATIC HMI KTP400F
SIMATIC HMI KTP700
SIMATIC HMI KTP700F
SIMATIC HMI KTP900
SIMATIC HMI KTP900F
SIMATIC WinCC Runtime Advanced

Vendor: Siemens

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Access of Memory Location After End of Buffer

EUVDB-ID: #VU53141

Risk: Medium

CVSSv4.0: 1.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-25660

CWE-ID: CWE-788 - Access of Memory Location After End of Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error. A remote authenticated attacker can send specially crafted data and cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC WinCC Runtime Advanced: before 16 Update 4

External links

https://ics-cert.us-cert.gov/advisories/icsa-21-131-12
https://cert-portal.siemens.com/productcert/pdf/ssa-538778.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Access of Memory Location After End of Buffer

EUVDB-ID: #VU53142

Risk: Medium

CVSSv4.0: 1.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-25661

CWE-ID: CWE-788 - Access of Memory Location After End of Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error. A remote authenticated attacker can send specially crafted data and cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC WinCC Runtime Advanced: before 16 Update 4

External links

https://ics-cert.us-cert.gov/advisories/icsa-21-131-12
https://cert-portal.siemens.com/productcert/pdf/ssa-538778.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper Handling of Exceptional Conditions

EUVDB-ID: #VU53143

Risk: Medium

CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-25662

CWE-ID: CWE-755 - Improper Handling of Exceptional Conditions

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the affected software fails to handle an exception properly if the program execution process is modified. A remote authenticated attacker can send a specially crafted packet and cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC WinCC Runtime Advanced: before 16 Update 4

External links

https://ics-cert.us-cert.gov/advisories/icsa-21-131-12
https://cert-portal.siemens.com/productcert/pdf/ssa-538778.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Buffer overflow

EUVDB-ID: #VU53144

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-27383

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the server Tight encoder. A remote attacker can trigger memory corruption and cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC WinCC Runtime Advanced: before 16 Update 4

External links

https://ics-cert.us-cert.gov/advisories/icsa-21-131-12
https://cert-portal.siemens.com/productcert/pdf/ssa-538778.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Access of Memory Location After End of Buffer

EUVDB-ID: #VU53145

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-27384

CWE-ID: CWE-788 - Access of Memory Location After End of Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to a boundary error in the device layout handler represented by a binary data stream on the client side. A remote attacker can execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC WinCC Runtime Advanced: before 16 Update 4

External links

https://ics-cert.us-cert.gov/advisories/icsa-21-131-12
https://cert-portal.siemens.com/productcert/pdf/ssa-538778.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Resource exhaustion

EUVDB-ID: #VU53146

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-27385

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can send specially crafted packets to a SmartVNC device layout handler on the client side, trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC WinCC Runtime Advanced: before 16 Update 4

External links

https://ics-cert.us-cert.gov/advisories/icsa-21-131-12
https://cert-portal.siemens.com/productcert/pdf/ssa-538778.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Buffer overflow

EUVDB-ID: #VU53147

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-27386

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the device layout handler on the client side. A remote attacker can trigger memory corruption and cause a denial of service condition on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SIMATIC HMI Comfort Outdoor Panels 7” & 15”: before 16 Update 4

SIMATIC HMI Comfort Panels 4”-22”: before 16 Update 4

SIMATIC HMI KTP400F: before 16 Update 4

SIMATIC HMI KTP700: before 16 Update 4

SIMATIC HMI KTP700F: before 16 Update 4

SIMATIC HMI KTP900: before 16 Update 4

SIMATIC HMI KTP900F: before 16 Update 4

SIMATIC WinCC Runtime Advanced: before 16 Update 4

External links

https://ics-cert.us-cert.gov/advisories/icsa-21-131-12
https://cert-portal.siemens.com/productcert/pdf/ssa-538778.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


