CVE-2021-25661

Vulnerability

SmartVNC contains an out-of-bounds memory access vulnerability (CWE-788) that can be triggered when the server sends data to the client [1]. The affected products include SIMATIC HMI Comfort Outdoor Panels V15 and V16 (including SIPLUS variants), SIMATIC HMI Comfort Panels V15 and V16 (including SIPLUS variants), SIMATIC HMI KTP Mobile Panels V15 and V16, and SIMATIC WinCC Runtime Advanced V15 and V16. The vulnerable versions are all releases prior to V15.1 Update 6 for V15 series and all releases prior to V16 Update 4 for V16 series.

Exploitation

The vulnerability is remotely exploitable over the network without authentication and does not require user interaction [1]. An attacker can send crafted data from the SmartVNC server to the client, triggering an out-of-bounds memory access on the client side. The exact sequence of steps is not detailed in the available references, but the attack vector is network-based, targeting the SmartVNC protocol [1].

Impact

Successful exploitation results in a denial-of-service (DoS) condition on the affected device [1]. The CVSS v3 base score is 9.8 (Critical), indicating high impact on availability, confidentiality, and integrity under certain conditions, though the described vulnerability itself is limited to DoS [1].

Mitigation

Siemens has released updates to address the vulnerability: V15.1 Update 6 for V15 series and V16 Update 4 for V16 series [1]. Users should apply the updates to all affected products. The advisory was originally published February 9, 2021, and updated May 11, 2021, with no workarounds mentioned in the available references [1]. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.