OTPulse

LibVNC Vulnerabilities in SIMATIC ITC Products

Act Now · CVSS 9.8 · SSA-390195 · Dec 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple buffer overflow and memory corruption vulnerabilities exist in the LibVNC library used by SIMATIC ITC products. These vulnerabilities allow remote code execution, information disclosure, and denial-of-service attacks without authentication. The vulnerabilities stem from improper input validation and bounds checking in VNC packet handling (CWE-787, CWE-120, CWE-119, CWE-190 and related). SIMATIC ITC1500, ITC1900, and ITC2200 series devices (V3 and PRO variants) are affected in all versions prior to 3.2.1.0.

What this means
What could happen
An attacker with network access to a SIMATIC ITC device could execute arbitrary code, read sensitive data, or crash the system without authentication. This could allow an attacker to alter industrial process configurations, access engineering credentials, or interrupt operations.
Who's at risk
Industrial facilities using Siemens SIMATIC ITC panels (ITC1500, ITC1900, ITC2200 series, including PRO variants) for HMI and process visualization should prioritize this update. These devices are typically used in manufacturing, water utilities, power generation, and other continuous process environments where unauthorized code execution could impact safety and operational continuity.
How it could be exploited
An attacker sends a crafted packet to the VNC service on the SIMATIC ITC device. Because LibVNC does not adequately validate the lengths, counts and coordinates carried in the packet, the handler reads or writes outside its buffers. Which bug is hit determines the outcome: an out-of-bounds read leaks process memory (information disclosure), an invalid access crashes the VNC process (denial of service), and an out-of-bounds write can be steered into code execution with the privileges of the VNC service. Because the device manages HMI or process visualization, code execution at that level could modify process setpoints or expose sensitive system data.
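The following is an added example for this page, not LibVNC code and not a reproduction of any specific CVE in the advisory. It shows, on a simplified RFB (VNC) FramebufferUpdate rectangle header, the CWE-190 to CWE-787 pattern described above: a bounds check that truncates the end coordinate to 16 bits accepts a rectangle that actually extends far past the framebuffer, so a Raw-encoded copy would write past the allocation. The framebuffer geometry, the truncation pattern and the two sample headers are assumptions constructed for the example; the hardened check beside it widens before adding and rejects the same rectangle.

```c
/* Added example for this advisory page: simplified RFB rectangle parsing with a
 * vulnerable and a hardened bounds check. NOT LibVNC code; framebuffer size,
 * the truncation pattern and the sample headers are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FB_W 640   /* assumed framebuffer geometry */
#define FB_H 480
#define BPP  4     /* bytes per pixel */

/* RFB FramebufferUpdate rectangle header: x, y, w, h as big-endian u16,
 * followed by a signed 32-bit encoding type (0 = Raw). */
typedef struct { uint16_t x, y, w, h; int32_t encoding; } rfb_rect;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static int32_t  rd32(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8)  |  (uint32_t)p[3]);
}

/* Parse a 12-byte rectangle header; -1 on a truncated packet (CWE-120 guard). */
int parse_rect(const uint8_t *buf, size_t len, rfb_rect *r) {
    if (buf == NULL || len < 12) return -1;
    r->x = rd16(buf);     r->y = rd16(buf + 2);
    r->w = rd16(buf + 4); r->h = rd16(buf + 6);
    r->encoding = rd32(buf + 8);
    return 0;
}

/* VULNERABLE: the end coordinates are stored back into 16 bits before the
 * comparison, so y=65000,h=1000 wraps to 464 and passes the FB_H check. */
int rect_accepted_vulnerable(const rfb_rect *r) {
    uint16_t xend = (uint16_t)(r->x + r->w);   /* CWE-190: truncated sum */
    uint16_t yend = (uint16_t)(r->y + r->h);
    return xend <= FB_W && yend <= FB_H;
}

/* HARDENED: widen before adding, reject empty rectangles, compare unwrapped. */
int rect_accepted_hardened(const rfb_rect *r) {
    uint32_t xend = (uint32_t)r->x + r->w;
    uint32_t yend = (uint32_t)r->y + r->h;
    if (r->w == 0 || r->h == 0) return 0;
    return xend <= FB_W && yend <= FB_H;
}

/* Bytes a Raw-encoded copy of this rectangle would write past the end of a
 * FB_W*FB_H*BPP framebuffer (0 = stays inside). Computed, never performed,
 * so the example is safe to run. */
size_t bytes_out_of_bounds(const rfb_rect *r) {
    if (r->w == 0 || r->h == 0) return 0;
    size_t fb_bytes = (size_t)FB_W * FB_H * BPP;
    size_t last_row = (size_t)r->y + r->h - 1;
    size_t last_col = (size_t)r->x + r->w - 1;
    size_t end = (last_row * FB_W + last_col) * BPP + BPP;
    return end > fb_bytes ? end - fb_bytes : 0;
}

/* Constructed sample headers (not captured traffic). */
const uint8_t malicious_rect_hdr[12] = {
    0x00, 0x00,  /* x = 0     */
    0xFD, 0xE8,  /* y = 65000 */
    0x00, 0x01,  /* w = 1     */
    0x03, 0xE8,  /* h = 1000  -> y+h = 66000, wraps to 464 in 16 bits */
    0x00, 0x00, 0x00, 0x00 /* encoding 0 = Raw */
};
const uint8_t benign_rect_hdr[12] = {
    0x00, 0x0A, 0x00, 0x14, 0x00, 0x64, 0x00, 0x32, /* x=10 y=20 w=100 h=50 */
    0x00, 0x00, 0x00, 0x00
};

static void report(const char *name, const uint8_t *hdr) {
    rfb_rect r;
    if (parse_rect(hdr, 12, &r) != 0) { printf("%s: truncated\n", name); return; }
    printf("%s: x=%u y=%u w=%u h=%u vulnerable=%d hardened=%d oob_bytes=%zu\n",
           name, r.x, r.y, r.w, r.h,
           rect_accepted_vulnerable(&r), rect_accepted_hardened(&r),
           bytes_out_of_bounds(&r));
}

int main(void) {
    report("benign   ", benign_rect_hdr);
    report("malicious", malicious_rect_hdr);
    return 0;
}
```

Build with `cc -std=c99 -Wall -Wextra` and run; the malicious header is accepted by the truncating check and rejected by the widened one, and the out-of-bounds byte count shows how far a Raw copy would run past the framebuffer. The same widen-then-compare discipline applies to every attacker-controlled count or length in a protocol decoder, which is what the V3.2.1.0 firmware update is expected to restore in the bundled LibVNC.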
Prerequisites
  • Network access to the VNC port on the SIMATIC ITC device (typically port 5900)
  • Device running SIMATIC ITC firmware version 3.2.0.x or earlier
  • No authentication required
Remotely exploitable · No authentication required · Low complexity attack · High EPSS score (16.8%) · Affects HMI/visualization systems · Critical CVSS score (9.8)
Exploitability
High exploit probability (EPSS 16.8%)
Affected products (6)
6 with fix
Product                    Affected Versions    Fix Status
SIMATIC ITC1500 V3         < V3.2.1.0           Fixed in V3.2.1.0
SIMATIC ITC1500 V3 PRO     < V3.2.1.0           Fixed in V3.2.1.0
SIMATIC ITC1900 V3         < V3.2.1.0           Fixed in V3.2.1.0
SIMATIC ITC1900 V3 PRO     < V3.2.1.0           Fixed in V3.2.1.0
SIMATIC ITC2200 V3         < V3.2.1.0           Fixed in V3.2.1.0
SIMATIC ITC2200 V3 PRO     < V3.2.1.0           Fixed in V3.2.1.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the VNC port (TCP 5900) with firewall rules or network segmentation; allow connections only from authorized engineering workstations.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC ITC firmware to V3.2.1.0 or later.
Long-term hardening
HARDENING: Implement network segmentation to isolate SIMATIC ITC devices from untrusted networks.