CVE-2021-27384

Vulnerability

A out-of-bounds memory access vulnerability exists in the device layout handler of SmartVNC, where the client processes a binary data stream. The affected products include SIMATIC HMI Comfort Outdoor Panels V15 and V16 (7" & 15", including SIPLUS variants) with all versions prior to V15.1 Update 6 or V16 Update 4, SIMATIC HMI Comfort Panels V15 and V16 (4" - 22", including SIPLUS variants) with all versions prior to V15.1 Update 6 or V16 Update 4, SIMATIC HMI KTP Mobile Panels V15 and V16 (KTP400F, KTP700, KTP700F, KTP900, KTP900F) with all versions prior to V15.1 Update 6 or V16 Update 4, SIMATIC WinCC Runtime Advanced V15 and V16 with all versions prior to V15.1 Update 6 or V16 Update 4, and multiple SINAMICS medium-voltage drives (GH150, GL150, GM150, SH150, SL150, SM120, SM150, SM150i) in all versions [1].

Exploitation

An attacker can exploit this vulnerability remotely over the network without requiring authentication or user interaction [1]. The attacker sends a crafted binary data stream to the SmartVNC client, triggering an out-of-bounds memory access in the device layout handler. The low attack complexity means no special conditions or privileges are necessary [1].

Impact

Successful exploitation could allow the attacker to execute arbitrary code with the privileges of the affected application, potentially leading to a full system compromise [1]. This includes consequences such as remote code execution, information disclosure, and denial-of-service conditions [1].

Mitigation

Siemens has released updates for the affected SIMATIC HMI and WinCC products: V15.1 Update 6 for V15 products and V16 Update 4 for V16 products [1]. As of the advisory publication date (May 12, 2021), no fixes were available for the SINAMICS medium-voltage drives, and users were advised to apply defense-in-depth measures and restrict network access [1].