Multiple Vulnerabilities in SINAMICS Medium Voltage Products
CVSS 9.8 (Critical) | Siemens advisory SSA-286838 | Published May 11, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SINAMICS medium voltage drives are affected by multiple vulnerabilities that allow remote code execution when Sm@rtServer, the VNC-based remote access service of the SIMATIC comfort HMI panel shipped with these drives, is enabled. The weaknesses are memory-safety and input-validation bugs (stack and heap buffer overflows, out-of-bounds reads, improper null termination, improper initialization) and unbounded resource consumption (CWE-665, CWE-125, CWE-122, CWE-121, CWE-788, CWE-170, CWE-770, CWE-400, CWE-401); the memory-corruption bugs permit code execution, the resource bugs permit denial of service. An unauthenticated attacker with network access to the drive's HMI could gain full control over its operation. Sm@rtServer is disabled by default but is commonly enabled by system integrators for remote maintenance.
What this means
What could happen
An attacker with network access to an affected SINAMICS drive could gain full remote control of the medium voltage motor, potentially stopping critical processes like pump or compressor operation, or causing unsafe equipment behavior in manufacturing plants.
Who's at risk
Manufacturing plants using SINAMICS medium voltage drives (SM120, SM150, SM150i, GH150, GL150, GM150, SH150, SL150) for motor control, especially those that operate pumps, compressors, conveyor systems, or other critical process equipment. Any facility using these drives with SIMATIC comfort HMI panels is at risk if Sm@rtServer has been enabled.
How it could be exploited
An attacker sends crafted traffic to the Sm@rtServer service on the drive's HMI panel. The vulnerable code is reached before any authentication takes place, so if Sm@rtServer is enabled the attacker can corrupt memory in the HMI firmware and execute arbitrary code with the privileges of the device, or exhaust its resources and take the panel offline.
Prerequisites
- Network access to the Sm@rtServer service on the drive's SIMATIC comfort HMI panel (VNC-based; TCP 5900 by default, with TCP 5800 for the web-based viewer, both configurable by the integrator)
- Sm@rtServer feature enabled on the SIMATIC comfort HMI panel connected to the drive
- Drive must be reachable from the attacker's network segment
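Before relying on "Sm@rtServer is disabled by default", check whether it actually answers on your drives. The script below is an added example, not code from Siemens or from this advisory. It assumes the Siemens default Sm@rtServer port (TCP 5900) and that an enabled Sm@rtServer answers like any VNC server, with a 12-byte RFB ProtocolVersion banner such as `RFB 003.008\n`. It only opens a TCP connection and reads that banner; it never authenticates or sends a request, which keeps it safe to run against production panels, but run it only against equipment you are authorized to test.

```python
"""Inventory check: which hosts expose a Sm@rtServer (VNC/RFB) listener?"""
import re
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple

# Siemens documents TCP 5900 as the Sm@rtServer default; the integrator may have changed it.
SMARTSERVER_PORT = 5900

# RFB ProtocolVersion message: exactly "RFB xxx.yyy\n" (12 bytes), sent by the server first.
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_rfb_banner(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (major, minor) if `data` begins with an RFB ProtocolVersion banner, else None."""
    m = RFB_BANNER.match(data[:12])
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def probe_vnc(host: str, port: int = SMARTSERVER_PORT, timeout: float = 2.0) -> Optional[Tuple[int, int]]:
    """Connect, read the server's greeting and hang up. No authentication is attempted."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            return parse_rfb_banner(sock.recv(12))
    except OSError:
        # Connection refused, filtered, or no banner within the timeout: not an RFB listener.
        return None


def find_exposed(
    hosts: Iterable[str],
    port: int = SMARTSERVER_PORT,
    probe: Callable[[str, int], Optional[Tuple[int, int]]] = probe_vnc,
) -> Dict[str, Tuple[int, int]]:
    """Return {host: (major, minor)} for every host that speaks RFB on `port`.

    `probe` is injectable so the logic can be exercised offline with a fake prober.
    """
    exposed: Dict[str, Tuple[int, int]] = {}
    for host in hosts:
        version = probe(host, port)
        if version is not None:
            exposed[host] = version
    return exposed


if __name__ == "__main__":
    import sys
    # Usage: python smartserver_check.py 10.20.30.5 10.20.30.6 ...
    for host, (major, minor) in find_exposed(sys.argv[1:]).items():
        print(f"{host}: Sm@rtServer/VNC reachable, RFB {major}.{minor}")
```

Any host in the drive cell that returns a banner has remote access enabled and should be treated as exposed until Sm@rtServer is switched off on that panel or the port is blocked at the cell firewall. A silent host is not proof of a disabled service if the integrator moved it to another port, so confirm against the panel configuration.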
Tags: remotely exploitable; no authentication required; low complexity; no patch available; affects motor control and process operations
Exploitability
Moderate exploit probability (EPSS 5.4%)
Affected products (8)
All 8 affected products are End of Life (EOL).

Product                                  | Affected Versions | Fix Status
SINAMICS SM120                           | All versions      | No fix (EOL)
SINAMICS SM150                           | All versions      | No fix (EOL)
SINAMICS GM150 (with option X30)         | All versions      | No fix (EOL)
SINAMICS SH150                           | All versions      | No fix (EOL)
SINAMICS SL150                           | All versions      | No fix (EOL)
SINAMICS SM150i                          | All versions      | No fix (EOL)
SINAMICS GH150                           | All versions      | No fix (EOL)
SINAMICS GL150 (with option X30)         | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable Sm@rtServer on the SIMATIC comfort HMI panels unless it is explicitly required for operations
HARDENING: Restrict network access to the SINAMICS drives' HMI panels using firewall rules; allow only authorized engineering and control workstations
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SINAMICS SM120, SINAMICS SM150, SINAMICS GM150 (with option X30), SINAMICS SH150, SINAMICS SL150, SINAMICS SM150i, SINAMICS GH150, SINAMICS GL150 (with option X30). Apply the following compensating controls:
HARDENING: Isolate the SINAMICS drives on a protected industrial network segment separate from office IT, and permit the Sm@rtServer port through the cell firewall only from approved engineering hosts, if at all
HARDENING: Monitor firewall, IDS/IPS or flow logs for connection attempts to the Sm@rtServer port on the drives' HMI panels from any source other than the approved engineering hosts; a single source touching several drives in quick succession indicates scanning
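The monitoring control above, as an added example that is not part of the advisory or of any Siemens tooling: it runs over connection records and flags Sm@rtServer connection attempts against the drive cell from sources that are not on the engineering allowlist, then reports sources that swept several drives. The cell network (10.20.30.0/24), the allowlisted engineering stations (10.20.1.10 and 10.20.1.11), the ports (Sm@rtServer defaults 5900 and 5800) and the log lines are all constructed assumptions; the line format is a simplified space-separated "timestamp src sport dst dport proto state", so adapt `parse_conn_line` to your firewall or Zeek conn.log layout.

```python
"""Detection: unapproved connection attempts to Sm@rtServer ports on SINAMICS HMI panels."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Assumed environment: drive/HMI cell network and the only hosts allowed to reach Sm@rtServer.
DRIVE_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address(a) for a in ("10.20.1.10", "10.20.1.11")}
# Siemens defaults for Sm@rtServer (VNC) and its web viewer; assumed unchanged by the integrator.
SMARTSERVER_PORTS = {5900, 5800}

# Constructed sample log: one legitimate session, one source sweeping three drives,
# a Modbus connection (out of scope) and one unapproved workstation hitting the web viewer.
SAMPLE_CONN_LOG = """\
2021-05-12T08:01:02Z 10.20.1.10 51022 10.20.30.5 5900 tcp SF
2021-05-12T08:02:15Z 192.168.50.77 40001 10.20.30.5 5900 tcp S0
2021-05-12T08:02:16Z 192.168.50.77 40002 10.20.30.6 5900 tcp S0
2021-05-12T08:02:17Z 192.168.50.77 40003 10.20.30.7 5900 tcp REJ
2021-05-12T08:03:00Z 10.20.1.11 51100 10.20.30.5 502 tcp SF
2021-05-12T08:05:00Z 10.20.1.12 51200 10.20.30.9 5800 tcp SF
"""


def parse_conn_line(line: str) -> Dict:
    """Parse one 'ts src sport dst dport proto state' record into typed fields."""
    ts, src, sport, dst, dport, proto, state = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "sport": int(sport),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
        "state": state,
    }


def detect_unapproved_access(
    lines: Iterable[str],
    drive_net=DRIVE_NET,
    allowed: Set = ALLOWED_SOURCES,
    ports: Set[int] = SMARTSERVER_PORTS,
) -> List[Dict]:
    """Return every TCP record aimed at a Sm@rtServer port on a drive host from a non-allowlisted source.

    Rejected or unanswered attempts (states REJ/S0) are kept on purpose: the goal is to see
    who is probing the drives, not only who succeeded.
    """
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        c = parse_conn_line(line)
        if c["proto"] == "tcp" and c["dport"] in ports and c["dst"] in drive_net and c["src"] not in allowed:
            alerts.append(c)
    return alerts


def sweep_sources(alerts: List[Dict], min_targets: int = 3) -> List[str]:
    """Sources that touched at least `min_targets` distinct drive hosts, i.e. likely scanners."""
    targets: Dict = defaultdict(set)
    for a in alerts:
        targets[a["src"]].add(a["dst"])
    return sorted(str(src) for src, hosts in targets.items() if len(hosts) >= min_targets)


if __name__ == "__main__":
    found = detect_unapproved_access(SAMPLE_CONN_LOG.splitlines())
    for a in found:
        print(f"{a['ts']} ALERT {a['src']} -> {a['dst']}:{a['dport']} ({a['state']})")
    for src in sweep_sources(found):
        print(f"SWEEP {src} probed several drives")
```

On the sample data the unapproved workstation 10.20.1.12 produces a single alert (a policy violation to follow up with the integrator), while 192.168.50.77 is reported as a sweep because it probed three drives within seconds; the Modbus record on port 502 is ignored because it is not a Sm@rtServer port.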
CVEs (14)