CVE-2021-25667

8.8 HIGH

📋 TL;DR

A stack-based buffer overflow vulnerability in Siemens industrial network devices allows remote attackers to cause denial-of-service or potentially execute arbitrary code by sending specially crafted STP BPDU frames. Affected devices include multiple RUGGEDCOM and SCALANCE product families running vulnerable firmware versions. Successful exploitation requires the passive listening feature to be enabled on the device.

💻 Affected Systems

Products:
  • RUGGEDCOM RM1224
  • SCALANCE M-800
  • SCALANCE S615
  • SCALANCE SC-600 Family
  • SCALANCE XB-200
  • SCALANCE XC-200
  • SCALANCE XF-200BA
  • SCALANCE XM400
  • SCALANCE XP-200
  • SCALANCE XR-300WG
  • SCALANCE XR500
Versions: V4.3 to V6.4 for most products, V2.0 to V2.1.3 for SC-600, various versions below V4.1/V6.2 for others
Operating Systems: Embedded firmware
Default Config Vulnerable: ✅ No
Notes: Vulnerability only exploitable when passive listening feature is enabled. This is not the default configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with full device compromise, allowing an attacker to modify configurations, disrupt industrial operations, or pivot to other network segments.

🟠 Likely Case

Denial-of-service condition causing network disruption and potential operational downtime in industrial environments.

🟢 If Mitigated

Limited impact if the passive listening feature is disabled or devices are properly segmented from untrusted networks.

🌐 Internet-Facing: HIGH if devices are directly exposed to the internet with passive listening enabled.
🏢 Internal Only: MEDIUM to HIGH depending on network segmentation and whether passive listening is enabled.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to the device and passive listening to be enabled. STP BPDU manipulation requires specific network knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V6.4 for most products, V2.1.3 for SC-600, V4.1 for XB/XC/XF/XP/XR-300WG, V6.2 for XM400/XR500

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-979775.pdf

Restart Required: Yes

Instructions:

1. Download the appropriate firmware update from the Siemens Industrial Security Advisory.
2. Back up the current configuration.
3. Apply the firmware update following vendor instructions.
4. Verify the update succeeded and restore the configuration if needed.

🔧 Temporary Workarounds

Disable Passive Listening

Applies to: all

Disable the passive listening feature that is required for exploitation.

Configure via web interface or CLI: set passive-listening disabled

Network Segmentation

Applies to: all

Segment affected devices from untrusted networks using firewalls or VLANs.

Configure firewall rules to block STP BPDU traffic (LLC SAP 0x42) from untrusted sources.

🧯 If You Can't Patch

  • Disable passive listening feature on all affected devices
  • Implement strict network segmentation to isolate affected devices from potential attackers
  • Monitor for STP BPDU anomalies and unauthorized traffic

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface or the CLI command 'show version' and compare it against the affected versions list.

Check Version:

show version

Verify Fix Applied:

Verify that the firmware version has been updated to the patched version and that passive listening is disabled.

📡 Detection & Monitoring

Log Indicators:

  • Device crash/reboot logs
  • STP protocol anomalies in system logs
  • Unexpected configuration changes

Network Indicators:

  • Malformed STP BPDU frames
  • Unusual STP traffic patterns
  • STP traffic (LLC SAP 0x42) from unexpected sources
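The frame-level checks behind the "malformed STP BPDU" and "unexpected source" indicators above, as an added Python example (not part of this advisory or of any Siemens tooling): it validates the 802.3/LLC encapsulation and the minimum body length of each BPDU type against constructed sample frames. The trusted bridge MAC list and the sample addresses are assumptions.

```python
import struct

STP_DST = bytes.fromhex("0180c2000000")   # 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                  # DSAP/SSAP 0x42, UI control field
# Minimum BPDU body lengths (bytes after the LLC header) by BPDU type
BPDU_MIN_LEN = {0x00: 35, 0x80: 4, 0x02: 36}  # Config, TCN, RST

def check_bpdu_frame(frame: bytes, trusted_sources: set) -> list:
    """Return anomaly descriptions for one 802.3 frame (empty list if clean)."""
    if len(frame) < 17:
        return ["frame too short for 802.3 + LLC headers"]
    dst, src, llc, body = frame[:6], frame[6:12].hex(":"), frame[14:17], frame[17:]
    length = struct.unpack("!H", frame[12:14])[0]
    if dst != STP_DST or llc != LLC_STP:
        return []  # not an STP BPDU; out of scope for this check
    findings = []
    if src not in trusted_sources:
        findings.append(f"BPDU from unexpected source {src}")
    if length != len(frame) - 14:
        findings.append(f"802.3 length {length} != payload {len(frame) - 14}")
    if len(body) < 4:
        findings.append("BPDU truncated before type field")
        return findings
    proto, _version, btype = struct.unpack("!HBB", body[:4])
    if proto != 0:
        findings.append(f"unknown protocol id {proto:#06x}")
    expected = BPDU_MIN_LEN.get(btype)
    if expected is None:
        findings.append(f"unknown BPDU type {btype:#04x}")
    elif len(body) < expected:
        findings.append(f"type {btype:#04x} body is {len(body)} bytes, expected >= {expected}")
    return findings

def build_frame(src: bytes, body: bytes) -> bytes:
    # Assemble a well-formed 802.3/LLC frame around a BPDU body (sample helper)
    return STP_DST + src + struct.pack("!H", 3 + len(body)) + LLC_STP + body

# Constructed sample data: one trusted bridge MAC and a 35-byte Configuration BPDU
TRUSTED = {"00:11:22:33:44:55"}
BRIDGE_ID = bytes.fromhex("8000001122334455")            # priority 0x8000 + MAC
CONFIG_BODY = struct.pack("!HBBB8sI8sHHHHH", 0, 0, 0, 0,  # proto, ver, type, flags
                          BRIDGE_ID, 0, BRIDGE_ID, 0x8001,  # root, cost, bridge, port
                          0, 20 << 8, 2 << 8, 15 << 8)   # age, max age, hello, fwd delay
SAMPLES = {
    "good":      build_frame(bytes.fromhex("001122334455"), CONFIG_BODY),
    "truncated": build_frame(bytes.fromhex("001122334455"), CONFIG_BODY[:20]),
    "rogue_src": build_frame(bytes.fromhex("00aabbccddee"), CONFIG_BODY),
}
```

Feed captured frames (for example from a SPAN port) through check_bpdu_frame and forward non-empty results to the SIEM as the "malformed BPDU" indicator.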

SIEM Query:

source="network_device" AND (protocol="STP" OR port=0x42) AND (payload_size>normal OR malformed_packet=true)

🔗 References
