PT-2021-7540 · Siemens · Simatic Hmi Comfort Outdoor Panels+8
Published: 2021-05-11 · Updated: 2021-12-16
CVE-2021-27384
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
SIMATIC HMI Comfort Outdoor Panels versions prior to V15.1 Update 6
SIMATIC HMI Comfort Outdoor Panels versions prior to V16 Update 4
SIMATIC HMI Comfort Panels versions prior to V15.1 Update 6
SIMATIC HMI Comfort Panels versions prior to V16 Update 4
SIMATIC HMI KTP Mobile Panels versions prior to V15.1 Update 6
SIMATIC HMI KTP Mobile Panels versions prior to V16 Update 4
SIMATIC WinCC Runtime Advanced versions prior to V15.1 Update 6
SIMATIC WinCC Runtime Advanced versions prior to V16 Update 4
SINAMICS GH150 (all versions)
SINAMICS GL150 (with option X30) (all versions)
SINAMICS GM150 (with option X30) (all versions)
SINAMICS SH150 (all versions)
SINAMICS SL150 (all versions)
SINAMICS SM120 (all versions)
SINAMICS SM150 (all versions)
SINAMICS SM150i (all versions)
Description
An out-of-bounds memory access in the device layout handler can potentially result in code execution. A remote attacker can exploit the vulnerability to execute arbitrary code. It affects various Siemens products, including SIMATIC and SINAMICS.
Recommendations
For SIMATIC HMI Comfort Outdoor Panels versions prior to V15.1 Update 6, update to V15.1 Update 6 or later.
For SIMATIC HMI Comfort Outdoor Panels versions prior to V16 Update 4, update to V16 Update 4 or later.
For SIMATIC HMI Comfort Panels versions prior to V15.1 Update 6, update to V15.1 Update 6 or later.
For SIMATIC HMI Comfort Panels versions prior to V16 Update 4, update to V16 Update 4 or later.
For SIMATIC HMI KTP Mobile Panels versions prior to V15.1 Update 6, update to V15.1 Update 6 or later.
For SIMATIC HMI KTP Mobile Panels versions prior to V16 Update 4, update to V16 Update 4 or later.
For SIMATIC WinCC Runtime Advanced versions prior to V15.1 Update 6, update to V15.1 Update 6 or later.
For SIMATIC WinCC Runtime Advanced versions prior to V16 Update 4, update to V16 Update 4 or later.
For SINAMICS products, contact the vendor for specific guidance on mitigation or resolution, as all versions are affected.
Fix
Access of Memory Location After End of Buffer
Weakness Enumeration
Related Identifiers
Affected Products
Simatic Hmi Comfort Outdoor Panels
Simatic Hmi Comfort Panels
Simatic Hmi Ktp Mobile Panels
Simatic Wincc Runtime Advanced
Sinamics Gh150
Sinamics Sl150
Sinamics Sm150
Sinamics Sm120
Sinamics Sm150I