DHCP Client Vulnerability in SINAMICS PERFECT HARMONY GH180 Drives
Act Now | 9.8 | SSA-910883 | Jul 12, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A heap-based buffer overflow exists in the DHCP client of the integrated SCALANCE X206-1 network module within SINAMICS PERFECT HARMONY GH180 Drives manufactured since 2015 and prior to 2022. A malicious DHCP response could overflow memory and allow an attacker to access the drive's internal network. Drives manufactured from 2022 onward are not affected. Siemens has not released a firmware patch for older drives; remediation requires individual customer support assessment.
What this means
What could happen
An attacker on the network could overflow the DHCP client memory on affected drives and gain unauthorized access to the device's internal network, potentially allowing them to modify drive parameters, alter speed or torque setpoints, or shut down motor operations.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using SINAMICS PERFECT HARMONY GH180 variable frequency drives (VFDs) manufactured between 2015 and 2021. These drives are commonly used to control large motors in pumping, air handling, and other essential industrial processes.
How it could be exploited
An attacker sends a malicious DHCP response to the affected drive's DHCP client. The oversized response causes a heap buffer overflow in the integrated SCALANCE X206-1 network module, allowing the attacker to execute code and pivot into the drive's internal control network.
Prerequisites
- Network access to DHCP traffic on the drive's network segment (attacker must be able to intercept or spoof DHCP responses)
- Target must be one of the affected SINAMICS PERFECT HARMONY GH180 drive models manufactured between 2015 and 2021
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects motor control systems
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SINAMICS PERFECT HARMONY GH180 Drives | Drives manufactured since 2015 and prior to 2022 | No fix yet |
Remediation & Mitigation
Do now
- WORKAROUND: Contact Siemens customer support for detailed remediation guidance; older drives manufactured prior to 2022 require case-by-case assessment
Long-term hardening
- HARDENING: Implement network segmentation to isolate the drive's DHCP traffic from untrusted network segments; restrict DHCP servers to authorized infrastructure
- HARDENING: Where feasible, configure the drive to use static IP addressing instead of DHCP to eliminate DHCP client exposure
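
One way to monitor the "restrict DHCP servers to authorized infrastructure" item from a capture point on the drive's segment, as an added example that is not part of the advisory or of Siemens guidance: it parses the UDP payload of a DHCP reply and flags server replies whose server identifier (option 54) is not on an allowlist, as well as replies whose option lengths run past the packet. The address in AUTHORIZED and the sample_reply helper are assumptions constructed for illustration, and the malformed-option check is a generic parser sanity check, not a signature for this vulnerability.

```python
import ipaddress

MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])
FIXED_LEN = 236  # BOOTP header that precedes the magic cookie
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}

def parse_options(payload):
    """Walk the option TLVs; raise ValueError if one runs past the packet."""
    if len(payload) < FIXED_LEN + 4 or payload[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, FIXED_LEN + 4
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:  # pad is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("option %d has no length byte" % code)
        length = payload[i + 1]
        if i + 2 + length > len(payload):
            raise ValueError("option %d overruns the packet" % code)
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def audit_reply(payload, authorized_servers):
    """Return findings for one UDP payload captured from source port 67."""
    try:
        opts = parse_options(payload)
    except ValueError as exc:
        return ["malformed: %s" % exc]
    msg = opts.get(OPT_MSG_TYPE, b"")
    if payload[0] != 2 or len(msg) != 1 or msg[0] not in SERVER_MSG_TYPES:
        return []  # not a server-to-client reply
    sid = opts.get(OPT_SERVER_ID, b"")
    if len(sid) != 4:
        return ["%s without a valid server identifier" % SERVER_MSG_TYPES[msg[0]]]
    server = str(ipaddress.IPv4Address(sid))
    if server not in authorized_servers:
        return ["%s from unauthorized DHCP server %s" % (SERVER_MSG_TYPES[msg[0]], server)]
    return []

def sample_reply(server_ip, msg_type=2):
    """Constructed sample: a minimal BOOTREPLY naming server_ip in option 54."""
    header = bytes([2, 1, 6, 0]) + bytes(FIXED_LEN - 4)
    options = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
    return header + MAGIC_COOKIE + options + ipaddress.IPv4Address(server_ip).packed + bytes([OPT_END])
AUTHORIZED = {"192.0.2.10"}  # assumed address of the site's approved DHCP server
```

Feed audit_reply the UDP payload of each packet seen from source port 67 on the drive's segment; an empty list means the reply came from an allowlisted server and parsed cleanly.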
CVEs (1)