Siemens VxWorks-based Industrial Products (Update C)

Monitor | CVSS 5.9 | ICS-CERT ICSA-21-194-12 | Jul 13, 2021
Siemens | Manufacturing
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: High
  • User Interaction: None needed
Summary

A heap-based buffer overflow exists in VxWorks-based Siemens SCALANCE network switches and SINAMICS PERFECT HARMONY GH180 drives due to improper memory handling. All product versions prior to firmware 4.1.4 are affected, including SCALANCE X2xx, X3xx, X4xx, XF, and XR series models. SINAMICS GH180 drives manufactured between 2015 and 2021 are vulnerable; drives manufactured in 2022 are not affected. An attacker can exploit this vulnerability by sending a malicious network packet to cause a denial of service or potentially execute arbitrary code on the device.

What this means
What could happen
A heap buffer overflow in VxWorks-based network switches and drives could allow an attacker with network access to crash the device or potentially execute code, disrupting network connectivity to critical automation equipment and causing process interruptions.
Who's at risk
Manufacturing facilities using Siemens SCALANCE industrial network switches (X2xx, X3xx, X4xx, XF and XR series) and SINAMICS PERFECT HARMONY GH180 variable frequency drives manufactured between 2015 and 2021 need to assess exposure. These switches and drives are common in automation networks for connecting PLCs, sensors, and field devices to plant control systems.
How it could be exploited
An attacker sends a specially crafted network packet to an affected SCALANCE network switch or SINAMICS drive that is reachable from the network. The malformed data overflows a heap buffer in the VxWorks operating system, potentially allowing code execution or causing the device to crash and stop responding.
Prerequisites
  • Network access to the affected device on the industrial network
  • No authentication required
Tags: remotely exploitable, no authentication required, affects network infrastructure, heap-based buffer overflow, impacts device availability
Exploitability
Unlikely to be exploited — EPSS score 0.8%
Affected products (196)
110 with fix, 86 pending

Product | Affected Versions | Fix Status
SINAMICS PERFECT HARMONY GH180 Drives | Drives manufactured since 2015 and prior to 2022 | No fix yet
RUGGEDCOM WIN5100 series subscriber unit | All versions | No fix yet
RUGGEDCOM WIN5200 series subscriber unit | All versions | No fix yet
SCALANCE X200-4P IRT | All versions | No fix yet
SCALANCE X201-3P IRT | All versions | No fix yet
Remediation & Mitigation
Do now
Workaround: Restrict network access to affected switches and drives using firewall rules, allowing only traffic from trusted engineering and control systems.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SINAMICS PERFECT HARMONY GH180 Drives
Hotfix: Update SCALANCE network switches and SINAMICS PERFECT HARMONY GH180 Drives to firmware version 4.1.4 or later.
Long-term hardening
Hardening: Implement network segmentation to isolate critical automation equipment on separate VLANs, limiting exposure of vulnerable devices to untrusted networks.