OTPulse

Siemens SIMATIC, SIMOTICS (Update A)

Low Risk · CVSS 3.1 · ICS-CERT ICSA-20-224-05 · Aug 11, 2020
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

This vulnerability exists in the Wi-Fi credential handling of Siemens SIMATIC RF350M and RF650M RFID readers, and in SIMOTICS CONNECT 400 variable frequency drives. A race condition (CWE-367) in the authentication mechanism allows an attacker on the local network to read sensitive configuration or credential data via the Wi-Fi interface. The RF models cannot be patched and are end-of-life; the CONNECT 400 has a firmware fix available. No known public exploits exist.

What this means
What could happen
An attacker on the local network could read sensitive data from the Wi-Fi interface of SIMATIC RF350M or RF650M RFID readers, though the impact is limited to information disclosure without affecting device control or operations.
Who's at risk
Water utilities and electrical utilities using Siemens SIMATIC RF350M or RF650M RFID readers for material tracking, warehouse management, or process monitoring should assess whether Wi-Fi is in use. SIMOTICS CONNECT 400 variable frequency drives used in pump or motor control systems are also affected. Impact is primarily on wireless-connected RFID infrastructure.
How it could be exploited
An attacker within wireless range would need to connect to the unencrypted or weakly encrypted Wi-Fi interface (CWE-367 denotes a time-of-check/time-of-use race condition, here in credential handling). They could then intercept or replay credentials or configuration data. This requires proximity to the device and does not allow remote control of RFID operations.
Prerequisites
  • Physical or wireless proximity to the device (same local network or Wi-Fi range)
  • No credentials required for initial wireless connection
  • Wi-Fi interface must be enabled on the target device
Local network access required (not remotely exploitable) · Low complexity attack · No authentication needed for wireless access · No patch available for RF350M and RF650M
Exploitability
Moderate exploit probability (EPSS 8.4%)
Affected products (3)
1 with fix · 2 EOL
Product              | Affected Versions        | Fix Status
SIMOTICS CONNECT 400 | All versions < V0.4.0.22 | V0.4.0.22
SIMATIC RF350M       | All versions             | No fix (EOL)
SIMATIC RF650M       | All versions             | No fix (EOL)
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

WORKAROUND: Disable Wi-Fi on SIMATIC RF350M and RF650M if not required for operations
HOTFIX: Update SIMOTICS CONNECT 400 to firmware version 0.4.0.22 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC RF350M: All versions, SIMATIC RF650M: All versions. Apply the following compensating controls:
HARDENING: Implement network segmentation and access controls to restrict wireless access to RFID reader interfaces
HARDENING: Enable Wi-Fi encryption and strong authentication on RFID devices if wireless connectivity is required
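The remediation steps above reduce to a triage over an asset inventory: devices running SIMOTICS CONNECT 400 below V0.4.0.22 get the hotfix, the EOL RF350M/RF650M readers get the workaround and compensating controls, and everything else is out of scope. The following script is an added example, not part of the OTPulse page or any Siemens tooling; the inventory CSV, device names and the RF reader firmware strings in it are constructed, and the CSV column layout is an assumption about how a site might export its asset list.

```python
"""Triage an asset inventory against ICSA-20-224-05 (added example, constructed data)."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Affected-product table from the advisory: product -> first fixed version,
# or None where the advisory lists no fix (end-of-life, all versions affected).
FIXED_VERSION: Dict[str, Optional[str]] = {
    "SIMOTICS CONNECT 400": "0.4.0.22",
    "SIMATIC RF350M": None,
    "SIMATIC RF650M": None,
}

# Constructed inventory export (column layout is an assumption, not a real format).
INVENTORY_CSV = """name,product,firmware,wifi_enabled
VFD-01,SIMOTICS CONNECT 400,V0.4.0.21,no
VFD-02,SIMOTICS CONNECT 400,V0.4.0.22,no
RFID-11,SIMATIC RF350M,V9.9.9,yes
RFID-12,SIMATIC RF650M,V9.9.9,no
DEV-99,PLACEHOLDER PRODUCT,V1.0.0,yes
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V0.4.0.21' or '0.4.0.22' into a tuple of ints so '<' compares numerically."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))


@dataclass
class Device:
    name: str
    product: str
    firmware: str
    wifi_enabled: bool


def load_inventory(csv_text: str) -> List[Device]:
    """Parse the inventory export; 'wifi_enabled' accepts yes/no or true/false."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        Device(
            name=row["name"].strip(),
            product=row["product"].strip(),
            firmware=row["firmware"].strip(),
            wifi_enabled=row["wifi_enabled"].strip().lower() in ("yes", "true", "1"),
        )
        for row in rows
    ]


def triage(dev: Device) -> dict:
    """Classify one device and list the advisory actions that apply to it."""
    if dev.product not in FIXED_VERSION:
        return {"status": "not_listed", "actions": []}

    fixed = FIXED_VERSION[dev.product]
    if fixed is None:
        # EOL: no patch; workaround is to disable Wi-Fi, plus compensating controls.
        actions = ["Restrict wireless access to the reader via network segmentation"]
        if dev.wifi_enabled:
            actions.insert(0, "Disable Wi-Fi if not required for operations")
            actions.append("Enable Wi-Fi encryption and strong authentication if Wi-Fi must stay on")
        return {"status": "eol", "actions": actions}

    if parse_version(dev.firmware) < parse_version(fixed):
        return {
            "status": "patch_available",
            "actions": [f"Update firmware to {fixed} or later (schedule a maintenance window; reboot expected)"],
        }
    return {"status": "fixed", "actions": []}


def triage_inventory(csv_text: str) -> Dict[str, dict]:
    """Return {device name: triage result} for every row in the export."""
    return {dev.name: triage(dev) for dev in load_inventory(csv_text)}


if __name__ == "__main__":
    for name, result in triage_inventory(INVENTORY_CSV).items():
        print(f"{name}: {result['status']}")
        for action in result["actions"]:
            print(f"    - {action}")
```

Version strings are compared as integer tuples rather than as text, so that, for instance, a hypothetical 0.4.0.100 would correctly sort after 0.4.0.22; a plain string comparison would get that wrong.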