CVE-2021-25662

Summary

A vulnerability has been identified in SIMATIC HMI Comfort Outdoor Panels V15 7&#34; & 15&#34; (incl. SIPLUS variants) (All versions < V15.1 Update 6), SIMATIC HMI Comfort Outdoor Panels V16 7&#34; & 15&#34; (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI Comfort Panels V15 4&#34; - 22&#34; (incl. SIPLUS variants) (All versions < V15.1 Update 6), SIMATIC HMI Comfort Panels V16 4&#34; - 22&#34; (incl. SIPLUS variants) (All versions < V16 Update 4), SIMATIC HMI KTP Mobile Panels V15 KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V15.1 Update 6), SIMATIC HMI KTP Mobile Panels V16 KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V16 Update 4), SIMATIC WinCC Runtime Advanced V15 (All versions < V15.1 Update 6), SIMATIC WinCC Runtime Advanced V16 (All versions < V16 Update 4). SmartVNC client fails to handle an exception properly if the program execution process is modified after sending a packet from the server, which could result in a Denial-of-Service condition.

Affected Software

VendorProductVersion RangeStatus
SiemensSIMATIC HMI Comfort Outdoor Panels V15 7" & 15" (incl. SIPLUS variants)All versions < V15.1 Update 6affected
SiemensSIMATIC HMI Comfort Outdoor Panels V16 7" & 15" (incl. SIPLUS variants)All versions < V16 Update 4affected
SiemensSIMATIC HMI Comfort Panels V15 4" - 22" (incl. SIPLUS variants)All versions < V15.1 Update 6affected
SiemensSIMATIC HMI Comfort Panels V16 4" - 22" (incl. SIPLUS variants)All versions < V16 Update 4affected
SiemensSIMATIC HMI KTP Mobile Panels V15 KTP400F, KTP700, KTP700F, KTP900 and KTP900FAll versions < V15.1 Update 6affected
SiemensSIMATIC HMI KTP Mobile Panels V16 KTP400F, KTP700, KTP700F, KTP900 and KTP900FAll versions < V16 Update 4affected
SiemensSIMATIC WinCC Runtime Advanced V15All versions < V15.1 Update 6affected
SiemensSIMATIC WinCC Runtime Advanced V16All versions < V16 Update 4affected

Weaknesses

  • CWE-755: CWE-755: Improper Handling of Exceptional Conditions

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References