OTPulse

DHCP Client Vulnerability in VxWorks-based Industrial Products

Priority: Act Now
Score: 9.8
Advisory: SSA-560465
Date: Jul 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A heap-based buffer overflow exists in the DHCP client implementation used by VxWorks-based Siemens industrial devices. An attacker can exploit this by sending a specially crafted DHCP response during device boot or renewal cycles. Affected products include RUGGEDCOM subscriber units, SCALANCE industrial switches across multiple product lines, and SIMATIC RFID readers. The vulnerability requires network access but no authentication. Siemens has stated that updates are available or being developed for some products; however, many product variants currently have no patch available.

What this means
What could happen
An attacker who can reach your network switches or RFID readers via DHCP could trigger a memory overflow that crashes the device or allows remote code execution, potentially disrupting plant communications or material handling operations.
Who's at risk
Network switching and industrial RFID infrastructure in manufacturing plants using Siemens RUGGEDCOM, SCALANCE, or SIMATIC devices. Operations managers should prioritize SCALANCE switches (the bulk of affected products) that handle critical plant network traffic and SIMATIC RFID readers involved in material tracking or automation triggering.
How it could be exploited
An attacker on the same network segment sends a malicious DHCP response to a VxWorks device during its boot or DHCP renewal cycle. The oversized payload overflows the DHCP client's memory buffer, allowing code injection. No valid credentials are needed; the attacker just needs network visibility to the device's DHCP traffic.
Prerequisites
  • Network access to the same DHCP broadcast domain (Layer 2), or a routed path to the DHCP server
  • Device must be configured to use DHCP (typical default)
  • No authentication required
  • Remotely exploitable from network
  • No authentication required
  • Low attack complexity
  • No fix currently available for affected products
  • Affects industrial network infrastructure
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (85)
Fix status: 85 pending

Product                                    Affected Versions   Fix Status
RUGGEDCOM WIN5100 series subscriber unit   All versions        No fix yet
RUGGEDCOM WIN5200 series subscriber unit   All versions        No fix yet
SCALANCE X200-4P IRT                       All versions        No fix yet
SCALANCE X201-3P IRT                       All versions        No fix yet
SCALANCE X201-3P IRT PRO                   All versions        No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Configure static IP addressing on affected network devices where feasible, disabling the DHCP client if operational requirements allow.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Monitor for vendor firmware updates and apply them as soon as they are available; Siemens has indicated that updates are being developed for affected products.
Long-term hardening
HARDENING: Implement network segmentation to isolate DHCP traffic from untrusted sources; use DHCP snooping on managed switches to validate DHCP server identity (server replies are only accepted on designated trusted ports).
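As an added defender-side example that is not part of the OTPulse advisory or of Siemens' guidance, the Python below shows two checks a passive DHCP monitor (for example on a switch SPAN port) would apply to server replies destined for these devices: it refuses any option length that runs past the end of the packet instead of trusting it, and it flags replies whose server identifier (option 54) is not an approved DHCP server, which is the same property DHCP snooping enforces at the port level. The approved-server address and the three sample packets are constructed for this example; the malformed sample is a generic option-length overrun, not the SSA-560465 trigger.

```python
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_LEN = 236  # fixed BOOTP header (op .. file) that precedes the magic cookie
OPT_PAD, OPT_SERVER_ID, OPT_END = 0, 54, 255

def parse_options(data: bytes) -> tuple[dict[int, bytes], list[str]]:
    # Walk the TLV option area; a length that runs past the buffer is reported, never trusted
    opts, findings, i = {}, [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            findings.append(f"option {code} truncated: no length byte")
            break
        length = data[i + 1]
        if i + 2 + length > len(data):
            findings.append(f"option {code} length {length} overruns packet by {i + 2 + length - len(data)} bytes")
            break
        opts[code] = data[i + 2 : i + 2 + length]
        i += 2 + length
    return opts, findings

def check_dhcp_reply(packet: bytes, allowed_servers: set[str]) -> list[str]:
    # Empty result: well-formed reply from an approved server; anything else is a finding
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        return ["not a DHCP packet (short header or missing magic cookie)"]
    if packet[0] != 2:  # op: 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server); only replies matter here
        return []
    opts, findings = parse_options(packet[HEADER_LEN + 4:])
    server_id = opts.get(OPT_SERVER_ID)
    if server_id is None or len(server_id) != 4:
        findings.append("reply missing a well-formed server identifier (option 54)")
    elif str(IPv4Address(server_id)) not in allowed_servers:
        findings.append(f"reply from unapproved DHCP server {IPv4Address(server_id)}")
    return findings

def build_reply(options: bytes) -> bytes:
    # Constructed BOOTREPLY: op=2, htype=1 (Ethernet), hlen=6, hops=0, xid, then zeroed fixed fields
    return bytes([2, 1, 6, 0]) + (0x1234).to_bytes(4, "big") + b"\0" * 228 + MAGIC_COOKIE + options

APPROVED = {"10.0.0.1"}  # constructed allowlist: the plant's sanctioned DHCP server
GOOD_OFFER = build_reply(bytes([53, 1, 2, 54, 4, 10, 0, 0, 1, 255]))
ROGUE_OFFER = build_reply(bytes([53, 1, 2, 54, 4, 10, 0, 0, 99, 255]))
# option 15 (domain name) claims 200 bytes but only 3 follow: a generic length mismatch, not the SSA-560465 trigger
OVERRUN_OFFER = build_reply(bytes([53, 1, 2, 15, 200, 0x41, 0x41, 0x41]))
```

Calling check_dhcp_reply on each sample returns no findings for GOOD_OFFER, an unapproved-server finding for ROGUE_OFFER, and an option-overrun finding plus a missing-server-identifier finding for OVERRUN_OFFER.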