Telnet Authentication Vulnerability in SINAMICS Medium Voltage Products
Plan: Patch
Score: 8.1
Advisory: SSA-752103
Published: May 11, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
SINAMICS medium voltage products with telnet enabled on SIMATIC comfort HMI Panels are affected by an authentication bypass vulnerability that could allow remote attackers to gain full access to the HMI and connected drive. By default, telnet is disabled, but system integrators can enable it on request. Siemens has not released patches for any of the affected product versions.
What this means
What could happen
An attacker with network access to a SINAMICS medium voltage drive's HMI panel (if telnet is enabled) could gain full remote control of the device, potentially allowing them to modify motor operating parameters, stop critical processes, or cause equipment damage.
Who's at risk
Manufacturing facilities operating SINAMICS medium voltage motor drives (GH150, GL150, GM150, SH150, SL150, SM120, SM150, SM150i) with SIMATIC comfort HMI panels, particularly those used in pump systems, compressors, fans, or other critical machinery in water treatment, power generation, or industrial processes.
How it could be exploited
An attacker on the network sends a telnet connection request to the HMI panel on the default telnet port. The vulnerability in the telnet authentication mechanism allows the attacker to bypass authentication checks and gain shell-level access to the HMI panel, from which they can issue commands to the connected SINAMICS drive controller.
Prerequisites
- Network access to the HMI panel telnet port (port 23 by default)
- Telnet must be explicitly enabled on the HMI panel (disabled by default)
- HMI panel must be running a vulnerable version of the SINAMICS product firmware
- Remotely exploitable
- No authentication required if telnet enabled
- Low complexity attack
- No patch available
- Affects critical process control
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (8), all 8 end of life (EOL)
Product                             | Affected Versions | Fix Status
SINAMICS GH150                      | All versions      | No fix (EOL)
SINAMICS GL150 (with option X30)    | All versions      | No fix (EOL)
SINAMICS GM150 (with option X30)    | All versions      | No fix (EOL)
SINAMICS SH150                      | All versions      | No fix (EOL)
SINAMICS SL150                      | All versions      | No fix (EOL)
SINAMICS SM120                      | All versions      | No fix (EOL)
SINAMICS SM150                      | All versions      | No fix (EOL)
SINAMICS SM150i                     | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Disable telnet on all SINAMICS HMI panels unless operationally required; use secure alternatives like SSH if remote management is needed
- HARDENING: Restrict network access to the HMI panel telnet port using firewall rules; allow only trusted engineering workstations or management stations
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SINAMICS GH150, SINAMICS GL150 (with option X30), SINAMICS GM150 (with option X30), SINAMICS SH150, SINAMICS SL150, SINAMICS SM120, SINAMICS SM150, SINAMICS SM150i. Apply the following compensating controls:
- HARDENING: Segment the SINAMICS control network from the general corporate IT network using industrial firewalls or VLANs
- HARDENING: Monitor network traffic for unexpected telnet connections to HMI panels and implement alerting
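The two network controls above (an allowlist of trusted engineering stations for TCP/23, and alerting on any other telnet connection attempt to an HMI panel) can be checked with a small script run over firewall or flow logs. The following is an added example written for this page, not code from Siemens or from the advisory; the log line format, the HMI panel addresses (10.0.7.10, 10.0.7.11) and the engineering subnet (10.0.5.0/28) are constructed assumptions and must be replaced with the site's own inventory.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

TELNET_PORT = 23

# Constructed inventory for the example: assumed HMI panel addresses and the
# assumed subnet of trusted engineering workstations allowed to reach TCP/23.
HMI_PANELS = {"10.0.7.10", "10.0.7.11"}
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.5.0/28")]

# Assumed log line shape (constructed):
#   <timestamp> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port> ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def source_allowed(src: str) -> bool:
    """True if the source address sits inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def check_line(line: str) -> Optional[Alert]:
    """Return an Alert for a telnet connection to an HMI panel from a
    non-allowlisted source; None for anything else (including unparseable lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m["proto"].lower() != "tcp" or int(m["dport"]) != TELNET_PORT:
        return None
    if m["dst"] not in HMI_PANELS:
        return None
    if source_allowed(m["src"]):
        return None
    return Alert(m["ts"], m["src"], m["dst"],
                 "telnet to HMI panel from non-allowlisted source")


def find_unexpected_telnet(lines: Iterable[str]) -> List[Alert]:
    """Run check_line over every record and collect the alerts."""
    return [a for a in (check_line(l) for l in lines) if a is not None]


# Constructed sample log: one allowed engineering-station session, one
# non-telnet connection, one telnet attempt from an untrusted address to an
# HMI panel, one telnet attempt to a host that is not an HMI panel, and junk.
SAMPLE_LOG = """\
2021-05-11T10:00:01Z src=10.0.5.3 dst=10.0.7.10 proto=tcp dport=23 state=SYN
2021-05-11T10:00:05Z src=10.0.5.3 dst=10.0.7.10 proto=tcp dport=102 state=SYN
2021-05-11T10:02:17Z src=192.168.40.77 dst=10.0.7.11 proto=tcp dport=23 state=SYN
2021-05-11T10:03:00Z src=192.168.40.77 dst=10.0.9.5 proto=tcp dport=23 state=SYN
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for alert in find_unexpected_telnet(SAMPLE_LOG):
        print(f"ALERT {alert.ts} {alert.src} -> {alert.dst}: {alert.reason}")
```

Because telnet is disabled by default on these panels, any connection attempt to TCP/23 from outside the engineering allowlist is worth an alert even when the panel refuses it: it shows either a misconfigured panel or a host probing the control network. The same allowlist is what the firewall rule set in the HARDENING item should encode.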
CVEs (1)