OTPulse

Heap Overflow Vulnerability in RFID terminals

Monitor · CVSS 7.3 · SSA-288459 · Sep 14, 2021

Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A heap overflow vulnerability exists in the dhclient component of the Siemens SIMATIC RF350M and RF650M RFID terminals (Siemens advisory SSA-288459). The issue, disclosed as part of NAME:WRECK, can be triggered when an affected terminal parses a malformed DHCP response and may allow remote code execution. All versions of both products are affected; both are end of life and Siemens has not released a fix.

What this means
What could happen
An attacker could exploit a heap overflow in the DHCP client to run arbitrary code on affected RFID terminals, potentially disrupting identification and tracking operations or gaining access to connected systems.
Who's at risk
Facilities using Siemens SIMATIC RF350M or RF650M RFID terminals for asset tracking, inventory management, or supply chain operations. This includes manufacturing plants, warehouses, and logistics centers that depend on reliable RFID identification.
How it could be exploited
An attacker who can deliver a DHCP reply to the terminal (a rogue DHCP server on the same broadcast domain, a spoofed reply to the terminal's request, or a compromised relay) sends a response carrying a crafted option field. The dhclient process copies option data without adequate bounds checking, corrupting the heap and allowing code execution with the privileges of the DHCP client process, which on embedded Linux builds typically runs as root.
Prerequisites
  • Ability to deliver a DHCP reply to the terminal's client port (UDP 68); in practice this means a position on the terminal's VLAN or on its DHCP relay path
  • Terminal must be configured as a DHCP client and must be soliciting or renewing a lease, since a client only processes replies to its own requests
  • No authentication required
Tags: remotely exploitable · no authentication required · low complexity · no patch available · EPSS 9.1%
Exploitability
Moderate exploit probability (EPSS 9.1%, the estimated probability of exploitation activity within the next 30 days)
Affected products (2), both end of life

Product          Affected Versions   Fix Status
SIMATIC RF350M   All versions        No fix (EOL)
SIMATIC RF650M   All versions        No fix (EOL)
Remediation & Mitigation
Do now
[WORKAROUND] Restrict network access to the terminals: allow DHCP server-to-client traffic (UDP 67 to 68) only from the authorized DHCP servers, and management traffic only from designated management stations. On managed switches, DHCP snooping enforces the same rule at layer 2 by dropping DHCP server messages arriving on untrusted ports.
[WORKAROUND] Where feasible, configure the terminals with static IP addresses and disable the DHCP client. A terminal that no longer sends DHCP requests never parses DHCP replies, which removes the vulnerable code path; confirm on a capture from the terminal's switch port that DHCPDISCOVER/REQUEST traffic has actually stopped, since a static lease reservation alone does not disable the client.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC RF350M, SIMATIC RF650M. Apply the following compensating controls:
[HARDENING] Segment the RFID terminals onto isolated networks or VLANs so that only the authorized DHCP server and management systems can reach them.
[HARDENING] Monitor DHCP traffic to the terminals for replies from addresses other than the authorized DHCP servers, for option fields whose declared length exceeds the bytes remaining in the packet, and for option lists that are not terminated; any of these warrants investigation.
[HARDENING] Track Siemens security advisories (SSA-288459) for changes and contact Siemens support to confirm whether firmware updates become available.
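The inspector below is an added example written for this page; it is not code from OTPulse, Siemens or the dhclient project, and it does not reproduce the actual dhclient flaw. It serves two passages above: "How it could be exploited", by showing concretely what a structurally malformed DHCP reply looks like (an option whose declared length exceeds the data present, the case an unchecked copy would mishandle), and the DHCP monitoring mitigation, by implementing the checks a detection rule should apply to server-to-client DHCP messages. The authorized server address 192.0.2.10, the sample packets and the option checks are all assumptions constructed here; the source IP is assumed to come from whatever captured the packet.

```python
"""
Offline inspector for DHCP server->client messages (OFFER/ACK/NAK) sent to
RFID terminals. Flags (a) replies not coming from an authorized DHCP server
and (b) structurally malformed option fields of the kind a DHCP client with
weak bounds checks would mishandle. Sample packets are constructed inline;
nothing here touches the network.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54
BOOTREPLY = 2
FIXED_OPTION_LEN = {1: 4, 51: 4, 53: 1, 54: 4}  # subnet, lease time, msg type, server id
MSG_TYPE_NAMES = {2: "OFFER", 5: "ACK", 6: "NAK"}

# Assumption: the site's legitimate DHCP server(s). Replace with the real list.
AUTHORIZED_SERVERS = {"192.0.2.10"}


def build_reply(xid, yiaddr, server_id, msg_type=5, extra_options=b""):
    """Construct a BOOTREPLY UDP payload to use as test input (constructed data)."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0, xid, 0, 0,
        b"\0" * 4,                                # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,     # yiaddr
        b"\0" * 4, b"\0" * 4,                     # siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,      # chaddr, sname, file
    )
    options = (
        DHCP_MAGIC
        + bytes([OPT_MSG_TYPE, 1, msg_type])
        + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
        + extra_options
        + bytes([OPT_END])
    )
    return fixed + options


def parse_options(payload):
    """Walk the option field strictly; return (options, findings).

    A length byte claiming more data than the packet holds is exactly the case
    an unchecked memcpy-style parser would over-read or over-write, so it is
    reported rather than silently clamped."""
    options, findings = {}, []
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        findings.append("no DHCP magic cookie at offset 236 (not DHCP or truncated)")
        return options, findings
    i, terminated = 240, False
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            terminated = True
            break
        if i + 1 >= len(payload):
            findings.append(f"option {code}: length byte missing")
            break
        length = payload[i + 1]
        body = payload[i + 2:i + 2 + length]
        if len(body) < length:
            findings.append(f"option {code}: declared length {length} but only {len(body)} bytes remain")
            break
        expected = FIXED_OPTION_LEN.get(code)
        if expected is not None and length != expected:
            findings.append(f"option {code}: length {length}, expected {expected}")
        if code in options:  # clients differ in how they merge duplicates; flag it
            findings.append(f"option {code}: duplicated")
        options[code] = body
        i += 2 + length
    if not terminated:
        findings.append("option list not terminated with END (255)")
    return options, findings


def inspect_reply(src_ip, payload, authorized=AUTHORIZED_SERVERS):
    """Return findings for one server->client DHCP message; empty list means benign.
    src_ip is the IP-header source as seen by the capture point (assumed given)."""
    findings = []
    if not payload or payload[0] != BOOTREPLY:
        findings.append("not a BOOTREPLY")
    if src_ip not in authorized:
        findings.append(f"reply from unauthorized DHCP server {src_ip}")
    options, opt_findings = parse_options(payload)
    findings.extend(opt_findings)
    sid = options.get(OPT_SERVER_ID)
    if sid is not None and len(sid) == 4:
        sid_ip = str(ipaddress.IPv4Address(sid))
        if sid_ip not in authorized:
            findings.append(f"server identifier option names unauthorized server {sid_ip}")
    mtype = options.get(OPT_MSG_TYPE)
    if mtype is None or len(mtype) != 1 or mtype[0] not in MSG_TYPE_NAMES:
        findings.append("message type option missing or not OFFER/ACK/NAK")
    return findings


# Constructed samples: a clean ACK, a reply from a rogue server, and a reply whose
# host-name option (12) claims 200 bytes while only 40 follow before END.
SAMPLES = {
    "good": ("192.0.2.10", build_reply(0x3903F326, "192.0.2.57", "192.0.2.10")),
    "rogue": ("198.51.100.7", build_reply(0x3903F326, "192.0.2.57", "198.51.100.7")),
    "overlong": ("192.0.2.10", build_reply(0x3903F326, "192.0.2.57", "192.0.2.10",
                                           extra_options=bytes([12, 200]) + b"A" * 40)),
}

if __name__ == "__main__":
    for name, (src, pkt) in SAMPLES.items():
        result = inspect_reply(src, pkt)
        print(f"{name:9s} {'OK' if not result else 'ALERT'} {result}")
```

To run this against live traffic, feed `inspect_reply` the source IP and UDP payload of every packet to UDP port 68 on the terminals' VLAN (a span port or a DHCP relay log is enough); with a relay in the path, add the relay addresses to the allow list, since the reply's source becomes the relay. The parser stops at the first length violation on purpose: a reply that fails this check was never a valid lease, and alerting on it is more useful than trying to recover it.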