Siemens SIMATIC SmartVNC HMI WinCC Products (Update B)
Act Now9.8ICS-CERT ICSA-21-131-12May 11, 2021
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Multiple SmartVNC protocol vulnerabilities in Siemens SIMATIC HMI panels and WinCC Runtime Advanced software could allow remote code execution and denial-of-service attacks. The vulnerabilities exist in the SmartVNC implementation used by SIMATIC HMI Comfort Outdoor Panels V15 and V16, SIMATIC HMI Comfort Panels V15 and V16, SIMATIC HMI KTP Mobile Panels V15 and V16, and SIMATIC WinCC Runtime Advanced V15 and V16. Affected products are those running firmware/software versions prior to V15.1 Update 6 and V16 Update 4 respectively. The vulnerabilities allow an attacker to send a specially crafted SmartVNC protocol message on port 5900/TCP to trigger buffer overflows and memory safety violations resulting in arbitrary code execution or service disruption.
What this means
What could happen
An attacker could run arbitrary code on affected HMI panels and WinCC Runtime systems, allowing them to alter production parameters, modify alarms, or stop the human-machine interface entirely. This could disrupt visibility into manufacturing processes and enable modification of setpoints or process commands.
Who's at risk
Manufacturing facilities using Siemens SIMATIC HMI panels (Comfort, Comfort Outdoor, or KTP Mobile series V15/V16) or WinCC Runtime Advanced for visualization and control of production equipment. This includes plants in automotive, chemical processing, food and beverage, and discrete manufacturing that rely on these HMI systems to monitor and control PLC-based processes.
How it could be exploited
An attacker with network access to port 5900/TCP on an affected HMI panel or WinCC Runtime system can send a crafted SmartVNC protocol message to trigger a buffer overflow or memory safety flaw. This results in remote code execution or denial of service without requiring authentication or user interaction.
Prerequisites
- Network access to port 5900/TCP (SmartVNC protocol)
- Device must be running affected firmware version (unpatched HMI panel or WinCC Runtime)
- No authentication required
Remotely exploitable via port 5900/TCPNo authentication requiredCritical CVSS 9.8 scoreMultiple memory safety vulnerabilities (buffer overflow, dangling pointer)Affects human-machine interface visibility into operations
Exploitability
Moderate exploit probability (EPSS 1.4%)
Affected products (8)
3 with fix4 pending1 EOL
ProductAffected VersionsFix Status
SIMATIC HMI Comfort Panels V15 4" - 22" (incl. SIPLUS variants)<V15.1 Update 6No fix yet
SIMATIC HMI Comfort Panels V16 4" - 22" (incl. SIPLUS variants)<V16 Update 4No fix yet
SIMATIC HMI KTP Mobile Panels V15 KTP400F, KTP700, KTP700F, KTP900 and KTP900F<V15.1 Update 6No fix yet
SIMATIC HMI KTP Mobile Panels V16 KTP400F, KTP700, KTP700F, KTP900 and KTP900F<V16 Update 4No fix yet
SIMATIC HMI Comfort Outdoor Panels V15 7" & 15" (incl. SIPLUS variants)<V15.1 Update 6No fix (EOL)
SIMATIC HMI Comfort Outdoor Panels V16 7" & 15" (incl. SIPLUS variants)<V16 Update 4V16 Update 4
SIMATIC WinCC Runtime Advanced V15<V15.1 Update 615.1 Update 6
SIMATIC WinCC Runtime Advanced V16<V16 Update 416 Update 4
Remediation & Mitigation
0/10
Do now
0/1WORKAROUNDRestrict network access to port 5900/TCP to trusted engineering workstations and control network IPs only using firewall rules
Schedule — requires maintenance window
0/8Patching may require device reboot — plan for process interruption
SIMATIC WinCC Runtime Advanced V15
HOTFIXUpdate SIMATIC WinCC Runtime Advanced V15 to version 15.1 Update 6 or later
SIMATIC WinCC Runtime Advanced V16
HOTFIXUpdate SIMATIC WinCC Runtime Advanced V16 to version 16 Update 4 or later
All products
HOTFIXUpdate SIMATIC HMI Comfort Outdoor Panels V15 (7" and 15") to firmware V15.1 Update 6 or later
HOTFIXUpdate SIMATIC HMI Comfort Panels V15 (4"-22") to firmware V15.1 Update 6 or later
HOTFIXUpdate SIMATIC HMI KTP Mobile Panels V15 to firmware V15.1 Update 6 or later
HOTFIXUpdate SIMATIC HMI Comfort Outdoor Panels V16 (7" and 15") to firmware V16 Update 4 or later
HOTFIXUpdate SIMATIC HMI Comfort Panels V16 (4"-22") to firmware V16 Update 4 or later
HOTFIXUpdate SIMATIC HMI KTP Mobile Panels V16 to firmware V16 Update 4 or later
Mitigations - no patch available
0/1SIMATIC HMI Comfort Outdoor Panels V15 7" & 15" (incl. SIPLUS variants) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGIsolate HMI panels and WinCC Runtime systems from the business network and Internet-facing segments
CVEs (7)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/29ce8bca-2e9f-490b-872c-b13d6ded2691