OTPulse

Siemens SIMATIC ITC

Priority: Act Now
Severity score: 9.8
ICS-CERT advisory: ICSA-21-350-12
Published: Dec 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in LibVNC used by Siemens SIMATIC ITC devices could allow remote code execution, information disclosure, and denial-of-service attacks. The affected products are SIMATIC ITC1500, ITC1500 PRO, ITC1900, ITC1900 PRO, ITC2200, and ITC2200 PRO versions prior to V3.2.1.0. The vulnerabilities allow an attacker with network access to port 5900/TCP to exploit buffer overflow and memory corruption issues without requiring authentication.

What this means
What could happen
An attacker with network access to the VNC service could run arbitrary commands on the ITC device, potentially altering HMI settings, process parameters, or stopping critical operations. This could compromise the remote monitoring and control capabilities of your industrial process.
Who's at risk
This affects organizations using Siemens SIMATIC ITC devices for industrial HMI and remote monitoring, including water authorities and utilities. The ITC1500, ITC1900, and ITC2200 series are commonly used for tank level monitoring, pump control, and process visualization in water and wastewater treatment plants, and in electrical substations and distribution control.
How it could be exploited
An attacker with network access to port 5900/TCP (VNC service) could send a specially crafted VNC protocol message to trigger a buffer overflow or memory corruption vulnerability in LibVNC, allowing them to execute code on the device without authentication.
Prerequisites
  • Network access to port 5900/TCP (VNC service)
  • No credentials required
Tags
  • remotely exploitable
  • no authentication required
  • low complexity
  • high EPSS score (16.8%)
  • affects remote monitoring/control capability
Exploitability
High exploit probability (EPSS 16.8%)
Affected products (6), all 6 with a fix available

Product                     Affected Versions   Fix Status
SIMATIC ITC1500 V3          < V3.2.1.0          fixed in 3.2.1.0
SIMATIC ITC1500 V3 PRO      < V3.2.1.0          fixed in 3.2.1.0
SIMATIC ITC1900 V3          < V3.2.1.0          fixed in 3.2.1.0
SIMATIC ITC1900 V3 PRO      < V3.2.1.0          fixed in 3.2.1.0
SIMATIC ITC2200 V3          < V3.2.1.0          fixed in 3.2.1.0
SIMATIC ITC2200 V3 PRO      < V3.2.1.0          fixed in 3.2.1.0
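The table above reduces to one rule: any ITC1500, ITC1900 or ITC2200 device (PRO or not) running firmware below V3.2.1.0 needs the update. The following inventory check is an added example written for this page, not code from Siemens or OTPulse; the inventory records and the field names are constructed, and it generalises the comparison to version strings with fewer than four components (so "V3.2.1" sorts correctly against "3.2.1.0").

```python
"""Flag SIMATIC ITC devices still below the fixed firmware from ICSA-21-350-12.

Added example for this page (not vendor or OTPulse code). The inventory below is
constructed; the fixed version and product families come from the advisory.
"""
import re

FIXED_VERSION = "3.2.1.0"                        # fix status from the advisory table
AFFECTED_FAMILIES = ("ITC1500", "ITC1900", "ITC2200")  # covers the PRO variants too


def parse_version(text):
    """Turn 'V3.2.1.0', '3.2.1' or 'v3.2' into a 4-tuple of ints (missing parts read as 0)."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(product, firmware):
    """True when the product is an ITC1500/1900/2200 (PRO or not) below V3.2.1.0."""
    name = product.upper()
    if not any(family in name for family in AFFECTED_FAMILIES):
        return False  # other product lines are out of scope for this advisory
    return parse_version(firmware) < parse_version(FIXED_VERSION)


def triage(inventory):
    """Split inventory records ({'host','product','firmware'}) into needs_update / ok lists."""
    needs_update, ok = [], []
    for rec in inventory:
        (needs_update if is_affected(rec["product"], rec["firmware"]) else ok).append(rec)
    return needs_update, ok


# Constructed sample inventory (hostnames, products and firmware levels are made up)
SAMPLE_INVENTORY = [
    {"host": "itc-tank-01", "product": "SIMATIC ITC1500 V3", "firmware": "V3.1.0.5"},
    {"host": "itc-pump-02", "product": "SIMATIC ITC1900 V3 PRO", "firmware": "V3.2.1.0"},
    {"host": "itc-sub-03", "product": "SIMATIC ITC2200 V3", "firmware": "3.2.0"},
    {"host": "hmi-other-04", "product": "SIMATIC HMI Comfort Panel", "firmware": "2.0.0"},
]

if __name__ == "__main__":
    pending, fine = triage(SAMPLE_INVENTORY)
    for rec in pending:
        print(f"UPDATE  {rec['host']:<14} {rec['product']:<26} {rec['firmware']} -> {FIXED_VERSION}")
    for rec in fine:
        print(f"ok      {rec['host']:<14} {rec['product']:<26} {rec['firmware']}")
```

Run it against an export of your asset inventory in place of SAMPLE_INVENTORY; the comparison is numeric per component, so "3.10.0.0" is correctly treated as newer than "3.2.1.0".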
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to port 5900/TCP to trusted engineering and monitoring workstations only using firewall rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update all affected SIMATIC ITC devices to firmware version 3.2.1.0 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate ITC devices from the business network and prevent direct Internet access
HARDENING: Deploy VPN for remote access to ITC devices rather than allowing direct port exposure
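The "do now" workaround restricts 5900/TCP to trusted workstations; until the firmware update lands, the complementary check is to confirm from firewall logs that nothing else is reaching the VNC service on the ITC devices. The script below is an added example, not part of the advisory or any vendor tooling: the key=value log format, the ITC addresses and the trusted workstation range are all constructed assumptions, and it reports denied attempts as well as allowed connections because both indicate a source that should not be talking to the device at all.

```python
"""Find VNC (5900/TCP) connections to SIMATIC ITC devices from hosts outside the
trusted engineering/monitoring set.

Added example for this page (not advisory or vendor code). The log format, the
device addresses and the trusted range are constructed assumptions.
"""
import ipaddress
import re

VNC_PORT = 5900                                          # service named in the advisory
ITC_DEVICES = {"10.20.5.11", "10.20.5.12"}               # constructed: ITC panels on the control LAN
TRUSTED_NETS = [ipaddress.ip_network("10.20.9.0/28")]    # constructed: engineering/monitoring workstations

# Constructed sample firewall lines in a simple key=value layout
SAMPLE_LOG = """\
2021-12-15T08:01:10Z src=10.20.9.3 dst=10.20.5.11 proto=tcp dport=5900 action=allow
2021-12-15T08:02:44Z src=192.168.1.77 dst=10.20.5.11 proto=tcp dport=5900 action=allow
2021-12-15T08:03:02Z src=10.20.9.4 dst=10.20.5.12 proto=tcp dport=102 action=allow
2021-12-15T08:05:19Z src=172.16.40.8 dst=10.20.5.12 proto=tcp dport=5900 action=deny
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(src):
    """True when the source address falls inside one of the trusted workstation ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is never trusted
    return any(addr in net for net in TRUSTED_NETS)


def find_untrusted_vnc(log_text):
    """Return records of 5900/TCP traffic to an ITC device from a non-trusted source."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["dport"] != VNC_PORT or rec["dst"] not in ITC_DEVICES:
            continue  # not VNC traffic to an ITC device
        if is_trusted(rec["src"]):
            continue  # expected engineering/monitoring access
        findings.append(rec)
    return findings


def summarize(findings):
    """Count findings by firewall action so allowed connections stand out from blocked attempts."""
    counts = {"allow": 0, "deny": 0}
    for rec in findings:
        counts[rec["action"]] = counts.get(rec["action"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_untrusted_vnc(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['action'].upper():<5} {rec['src']} -> {rec['dst']}:{rec['dport']}")
    print(summarize(hits))
```

An "allow" finding means the workaround is not yet fully in place on that path (or the allow-list is wrong); a "deny" finding shows the rule is working but that a host outside the trusted set is still trying.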