Authentication Vulnerabilities in SIMATIC HMI Products
Monitor | 6.5 | SSA-542525 | Sep 8, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIMATIC HMI Products contain authentication weaknesses (CWE-307, CWE-305) that allow remote attackers to discover user passwords and gain unauthorized access to the Sm@rt Server via brute-force attacks. The vulnerability affects Basic Panels 2nd Generation, Comfort Panels, Mobile Panels, and Unified Comfort Panels running V16 and earlier versions. An attacker on the network can exploit insufficient login attempt limits to enumerate credentials without proper rate limiting or account lockout controls.
What this means
What could happen
An attacker could discover user credentials and gain unauthorized access to the Sm@rt Server by brute-forcing weak authentication, potentially allowing them to modify HMI graphics, process setpoints, or interrupt operator access to control interfaces.
Who's at risk
Manufacturing facilities using Siemens SIMATIC HMI panels (Basic Panels 2nd Gen, Comfort Panels, Mobile Panels, and Unified Comfort Panels) for operator control and monitoring of production processes. This affects any plant relying on these touchscreen interfaces to control PLCs and process equipment.
How it could be exploited
An attacker on the network sends multiple authentication attempts to the HMI panel. Because the authentication mechanism does not properly limit failed login attempts, the attacker can brute-force credentials to gain access to the Sm@rt Server and HMI interface.
Prerequisites
- Network access to the SIMATIC HMI panel over Ethernet
- No valid credentials required to begin a brute-force attack

Tags: remotely exploitable · no authentication required to initiate attack · low complexity · affects operator interface and control systems
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (4)
4 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC HMI Basic Panels 2nd Generation (incl. SIPLUS variants) | < V16 | 16 Update 3 |
| SIMATIC HMI Comfort Panels (incl. SIPLUS variants) | ≤ V16 | 16 Update 3 |
| SIMATIC HMI Mobile Panels | ≤ V16 | 16 Update 3 |
| SIMATIC HMI Unified Comfort Panels | ≤ V16 | 16 Update 5 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to HMI panels using firewall rules to allow only engineering and operator workstations
- HARDENING: Enforce strong passwords (minimum 8 characters, complexity requirements) for all HMI user accounts
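
To verify that the access restriction holds and to surface the repeated attempts that the panels themselves do not limit, connection records toward the panels can be screened as in this added example (not part of the advisory and not Siemens tooling). The log format, addresses, threshold and window are constructed assumptions, and it assumes each login attempt appears as one connection record.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PANELS = {"192.0.2.50"}                  # HMI panel addresses (constructed)
ALLOWED = {"192.0.2.10", "192.0.2.11"}   # engineering/operator workstations (constructed)

# Constructed sample records in an assumed "time src=IP dst=IP" format.
SAMPLE_LOG = "\n".join(
    ["2020-09-08T10:00:00 src=192.0.2.10 dst=192.0.2.50",   # normal operator use
     "2020-09-08T10:10:00 src=192.0.2.10 dst=192.0.2.50",
     "2020-09-08T10:11:00 src=192.0.2.99 dst=192.0.2.77"]   # destination is not a panel
    # 7 connections in 12 s from a host that is not on the allowlist
    + [f"2020-09-08T11:00:{s:02d} src=192.0.2.99 dst=192.0.2.50" for s in range(0, 14, 2)]
    # 6 connections in 25 s from an allowed workstation (still worth a look)
    + [f"2020-09-08T12:00:{s:02d} src=192.0.2.11 dst=192.0.2.50" for s in range(0, 30, 5)]
)

def parse(line):
    """Split one record into (timestamp, source, destination)."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src.split("=", 1)[1], dst.split("=", 1)[1]

def find_alerts(log, max_attempts=5, window=timedelta(seconds=60)):
    """Return sorted (source, reason) pairs for traffic aimed at HMI panels.

    Records must be in chronological order.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    alerts = set()
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst = parse(line)
        if dst not in PANELS:
            continue
        if src not in ALLOWED:
            # The firewall workaround should have blocked this source.
            alerts.add((src, "not-allowlisted"))
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) > max_attempts:
            # More attempts than an operator would plausibly make by hand.
            alerts.add((src, "excessive-attempts"))
    return sorted(alerts)

if __name__ == "__main__":
    for src, reason in find_alerts(SAMPLE_LOG):
        print(src, reason)
```
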
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC HMI Mobile Panels
- HOTFIX: Update SIMATIC HMI Mobile Panels to V16 Update 3 or later
SIMATIC HMI Unified Comfort Panels
- HOTFIX: Update SIMATIC HMI Unified Comfort Panels to V16 Update 5 or later
All products
- HOTFIX: Update SIMATIC HMI Basic Panels 2nd Generation to V16 Update 3 or later
- HOTFIX: Update SIMATIC HMI Comfort Panels to V16 Update 3 or later
CVEs (2)
API:
/api/v1/advisories/a1c332a8-ccde-40e9-bbe5-548367fd06f8