VYPR
Unrated severity · NVD Advisory · Published May 12, 2021 · Updated Aug 3, 2024

CVE-2021-25662

Description

A vulnerability has been identified in SIMATIC HMI Comfort Outdoor Panels V15 7" & 15" (incl. SIPLUS variants) (All versions < V15.1 Update 6), SIMATIC HMI Comfort Outdoor Panels V16 7" & 15" (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI Comfort Panels V15 4" - 22" (incl. SIPLUS variants) (All versions < V15.1 Update 6), SIMATIC HMI Comfort Panels V16 4" - 22" (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI KTP Mobile Panels V15 KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V15.1 Update 6), SIMATIC HMI KTP Mobile Panels V16 KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V16 Update 4), SIMATIC WinCC Runtime Advanced V15 (All versions < V15.1 Update 6), SIMATIC WinCC Runtime Advanced V16 (All versions < V16 Update 4). SmartVNC client fails to handle an exception properly if the program execution process is modified after sending a packet from the server, which could result in a Denial-of-Service condition.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SmartVNC client in Siemens SIMATIC HMI panels and WinCC Runtime Advanced fails to handle an exception, allowing remote denial of service.

Vulnerability

The vulnerability resides in the SmartVNC client component of Siemens SIMATIC HMI Comfort Outdoor Panels V15 and V16, SIMATIC HMI Comfort Panels V15 and V16, SIMATIC HMI KTP Mobile Panels V15 and V16, and SIMATIC WinCC Runtime Advanced V15 and V16 (including SIPLUS variants). All versions prior to V15.1 Update 6 (for V15) and V16 Update 4 (for V16) are affected. The client fails to properly handle an exception when the program execution process is modified after receiving a packet from the server, leading to an out-of-bounds memory access [1].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted packet to the SmartVNC server. No user interaction or special privileges are required. The attack is network-based and can be carried out without prior authentication, as indicated by the CVSS v3 score of 9.8 [1]. The exact sequence involves the attacker sending a malicious packet that triggers the improper exception handling in the client, causing the denial-of-service condition.

Impact

Successful exploitation results in a denial-of-service (DoS) condition on the affected HMI panel or WinCC Runtime Advanced system. The device may become unresponsive or crash, disrupting the human-machine interface and potentially halting industrial processes. The vulnerability does not lead to code execution or information disclosure for this specific CVE, though other related CVEs in the same advisory may have different impacts [1].

Mitigation

Siemens has released updates to address this vulnerability: V15.1 Update 6 for V15 products and V16 Update 4 for V16 products. Users should apply these updates as soon as possible. No workarounds are documented. The CISA advisory (ICSA-21-131-12) provides further details and recommends upgrading to the fixed versions [1]. If immediate patching is not possible, restrict network access to the affected devices as a compensating control.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

12
  • Range: <V15.1 Update 6, <V16 Update 4
  • Range: <V15.1 Update 6, <V16 Update 4
  • Range: <V15.1 Update 6, <V16 Update 4
  • Range: <V15.1 Update 6, <V16 Update 4
  • Siemens/SIMATIC HMI Comfort Outdoor Panels V15 7" & 15" (incl. SIPLUS variants) v5
    Range: All versions < V15.1 Update 6
  • Siemens/SIMATIC HMI Comfort Outdoor Panels V16 7" & 15" (incl. SIPLUS variants) v5
    Range: All versions < V16 Update 4
  • Siemens/SIMATIC HMI Comfort Panels V15 4" - 22" (incl. SIPLUS variants) v5
    Range: All versions < V15.1 Update 6
  • Siemens/SIMATIC HMI Comfort Panels V16 4" - 22" (incl. SIPLUS variants) v5
    Range: All versions < V16 Update 4
  • Siemens/SIMATIC HMI KTP Mobile Panels V15 KTP400F, KTP700, KTP700F, KTP900 and KTP900F v5
    Range: All versions < V15.1 Update 6
  • Siemens/SIMATIC HMI KTP Mobile Panels V16 KTP400F, KTP700, KTP700F, KTP900 and KTP900F v5
    Range: All versions < V16 Update 4
  • All versions < V15.1 Update 6 + 1 more
    • (no CPE) range: All versions < V15.1 Update 6
    • (no CPE) range: All versions < V16 Update 4

References

2
