Siemens SIMATIC RFID
Severity score 7.3 | ICS-CERT ICSA-21-257-11 | Sep 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A heap overflow vulnerability exists in dhclient, the DHCP client of the Siemens SIMATIC RF350M and RF650M RFID readers (all versions). The vulnerability, part of the NAME:WRECK family of DHCP client flaws, allows remote code execution when an affected device processes a malicious DHCP response. Both products are end-of-life and Siemens has not released a firmware patch; Siemens recommends network protections and its industrial security operational guidelines instead.
What this means
What could happen
An attacker on the network could exploit a heap overflow in the DHCP client to execute arbitrary code on SIMATIC RFID reader hardware, potentially disrupting RFID inventory tracking, asset identification, or supply chain automation operations.
Who's at risk
Organizations operating Siemens SIMATIC RF350M or RF650M RFID readers in manufacturing, warehousing, logistics, or retail inventory systems should assess their network exposure. These devices are typically deployed in automated material handling, supply chain tracking, or asset identification roles where loss of operation or unauthorized code execution could disrupt production or inventory visibility.
How it could be exploited
An attacker who can answer the reader's DHCP requests sends a crafted DHCP response, either when the reader first requests a lease at boot or later when it renews. dhclient overflows a heap buffer while parsing the response, and the attacker gains arbitrary code execution on the device. This requires the reader to be using DHCP and the attacker to be able to deliver DHCP replies to it, i.e. to sit on the same broadcast domain or in the DHCP relay path.
Prerequisites
- Network access to the RFID reader on the same broadcast domain or via DHCP relay
- DHCP client enabled on the affected device (typical default configuration)
Tags: remotely exploitable · no authentication required · low complexity · no patch available · heap overflow in critical network service
Exploitability
Moderate exploit probability (EPSS 9.1%)
Affected products (2, both EOL)
Product | Affected Versions | Fix Status
SIMATIC RF350M | All versions | No fix (EOL)
SIMATIC RF650M | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation to restrict DHCP traffic to trusted infrastructure only; isolate RFID readers on a separate VLAN with DHCP relay only from authorized servers
HARDENING: Deploy DHCP snooping and Dynamic ARP Inspection on network switches to prevent unauthorized DHCP servers and rogue DHCP responses
WORKAROUND: Configure RFID readers with static IP addresses instead of DHCP if operationally feasible
Schedule — requires maintenance window
WORKAROUND: No firmware fix exists for these EOL readers; moving them to static addressing or changing their network configuration may require a device reboot, so plan for process interruption
HARDENING: Monitor DHCP traffic on the reader VLAN and the reader logs for rogue DHCP servers, spoofed or malformed DHCP responses, and unexpected address or configuration changes
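The two network-side controls above (blocking rogue DHCP servers, and monitoring for spoofed or malformed DHCP responses) can be approximated in a passive monitor that sits on the reader VLAN. The following is an added example written for this page, not Siemens code and not a detector tuned to the specific dhclient bug: it parses DHCP BOOTREPLY messages with a bounds-checked option walker, flags replies whose source or server-identifier (option 54) is not an allowlisted server, and flags options whose length byte runs past the packet, which is the general shape of input that trips an unchecked DHCP option parser. The trusted server address `10.20.0.1`, the reader VLAN `10.20.0.0/24`, and the sample packets are all constructed for the example.

```python
"""Passive DHCP-reply monitor for a segment of RFID readers (added example).

Assumptions (not from the advisory): the only legitimate DHCP server is
10.20.0.1; replies are handed to inspect_reply() as (source IP, UDP payload).
"""
import struct
from dataclasses import dataclass

DHCP_HEADER_LEN = 236                      # fixed BOOTP header before the cookie
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
TRUSTED_SERVERS = {"10.20.0.1"}            # assumption: the authorized DHCP server


class MalformedDHCP(ValueError):
    """Raised for any option that does not fit inside the packet."""


def parse_options(payload: bytes) -> dict[int, bytes]:
    """Walk the option TLVs, refusing any length that overruns the buffer.

    Trusting the attacker-supplied length byte is the classic way a DHCP
    client ends up copying past a heap buffer; here it is an error instead.
    """
    if len(payload) < DHCP_HEADER_LEN + 4:
        raise MalformedDHCP("truncated header")
    if payload[DHCP_HEADER_LEN:DHCP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise MalformedDHCP("missing magic cookie")
    opts: dict[int, bytes] = {}
    i = DHCP_HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:                # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise MalformedDHCP(f"option {code} missing length byte")
        length = payload[i + 1]
        start, end = i + 2, i + 2 + length
        if end > len(payload):
            raise MalformedDHCP(f"option {code} length {length} overruns packet")
        opts[code] = payload[start:end]    # duplicates: last occurrence wins
        i = end
    raise MalformedDHCP("no END option")


@dataclass
class Finding:
    src_ip: str
    verdict: str          # "ok", "rogue-server" or "malformed"
    detail: str = ""


def inspect_reply(src_ip: str, payload: bytes) -> Finding:
    """Classify one DHCP message seen on the reader VLAN."""
    try:
        opts = parse_options(payload)
    except MalformedDHCP as exc:
        return Finding(src_ip, "malformed", str(exc))
    if payload[0] != 2:                    # op: 1 = BOOTREQUEST, 2 = BOOTREPLY
        return Finding(src_ip, "ok", "client request, not inspected")
    mt = opts.get(OPT_MSG_TYPE)
    mtype = MSG_TYPES.get(mt[0], "UNKNOWN") if mt else "UNKNOWN"
    sid = opts.get(OPT_SERVER_ID)
    server = ".".join(map(str, sid)) if sid and len(sid) == 4 else None
    # A spoofed source IP can pass the first test, a spoofed option 54 the
    # second; requiring both narrows what a rogue host on the VLAN can do.
    if src_ip not in TRUSTED_SERVERS or server not in TRUSTED_SERVERS:
        return Finding(src_ip, "rogue-server", f"{mtype} claims server-id {server}")
    return Finding(src_ip, "ok", f"{mtype} from trusted server {server}")


# --- constructed sample traffic (not captured from any device) -------------
def opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


def ip(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def build_reply(options: bytes) -> bytes:
    """Minimal BOOTREPLY: header, cookie, then the raw option bytes given."""
    hdr = bytearray(DHCP_HEADER_LEN)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6       # BOOTREPLY, Ethernet, 6-byte hwaddr
    struct.pack_into("!I", hdr, 4, 0x3903F326)   # xid
    hdr[16:20] = ip("10.20.0.57")          # yiaddr: address offered to the reader
    return bytes(hdr) + MAGIC_COOKIE + options


SAMPLES = [
    # 1. legitimate OFFER from the trusted server
    ("10.20.0.1", build_reply(opt(53, b"\x02") + opt(54, ip("10.20.0.1"))
                              + opt(1, ip("255.255.255.0")) + b"\xff")),
    # 2. OFFER from an unauthorized host on the VLAN
    ("10.20.0.99", build_reply(opt(53, b"\x02") + opt(54, ip("10.20.0.99")) + b"\xff")),
    # 3. ACK with an option 54 whose length byte (200) exceeds the packet
    ("10.20.0.1", build_reply(opt(53, b"\x05") + bytes([54, 200]) + ip("10.20.0.1") + b"\xff")),
]


def run_samples() -> list[str]:
    return [inspect_reply(src, pkt).verdict for src, pkt in SAMPLES]


if __name__ == "__main__":
    for (src, pkt), verdict in zip(SAMPLES, run_samples()):
        print(src, verdict, inspect_reply(src, pkt).detail)
```

Feed real traffic by capturing UDP port 67/68 on a switch SPAN port and handing each reply's UDP payload to `inspect_reply()`; a `rogue-server` finding is the event DHCP snooping would have dropped, and a `malformed` finding from an otherwise trusted address is worth investigating even when the reader itself logs nothing.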
CVEs (1)
API:
/api/v1/advisories/423ab2c7-3512-4950-9f28-be4e90a72156