CVE-2021-20826

Severity: 7.6 HIGH

📋 TL;DR

The affected IDEC PLCs and their management software exchange the PLC password in cleartext. Anyone who can observe the traffic between an engineering station and the PLC (on a shared segment, a mirror port, a compromised switch, or the Internet path if the PLC is exposed) can read the password and then log in to the PLC with the vendor's own tools. For an industrial control system this means an attacker can read or change the controller's program and configuration and disrupt the process it runs.

💻 Affected Systems

Products:
  • FC6A Series MICROSmart All-in-One CPU module
  • FC6A Series MICROSmart Plus CPU module
  • WindLDR
  • WindEDIT Lite
  • Data File Manager
Versions: FC6A All-in-One v2.32 and earlier, FC6A Plus v1.91 and earlier, WindLDR v8.19.1 and earlier, WindEDIT Lite v1.3.1 and earlier, Data File Manager v2.12.1 and earlier
Operating Systems: Windows (for management software)
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the communication protocol between the PLC and the management software, so both sides (PLC firmware and every management application that talks to it) must be updated.

📦 What is this software?

IDEC's FC6A MICROSmart is a family of compact PLCs used for machine and process control. WindLDR is IDEC's ladder programming and maintenance software for these controllers; WindEDIT Lite and Data File Manager are companion Windows utilities that communicate with the PLC over the same link.
⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete takeover of PLC operations, allowing manipulation of physical outputs, suspension of industrial processes, and potential safety hazards in critical infrastructure.

🟠 Likely Case: Reuse of the captured password to log in to the PLC (via the management software or the PLC's web interface), leading to configuration changes, theft of operational data, and possible process disruption.

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, though the password still crosses the wire in cleartext and remains exposed to anyone already inside the PLC segment.

🌐 Internet-Facing: HIGH - If the PLC is reachable from the Internet and managed remotely, any on-path observer between the management station and the PLC can capture the password; no foothold inside the plant network is needed.
🏢 Internal Only: MEDIUM - The attacker needs a position on the plant network, but once there the cleartext password can be captured from any mirror port, compromised switch, or ARP-spoofed segment the management traffic crosses.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY (capturing a cleartext password needs nothing more than a packet sniffer)
Unauthenticated Exploit: ✅ Yes (capture is passive; the attacker needs a network position, not PLC credentials)
Complexity: LOW

Exploitation requires a position on the network path between an engineering station and the PLC (a mirror port, a compromised switch, or ARP spoofing on the same segment); the capture itself is ordinary packet sniffing, and the attacker only has to wait for a legitimate operator to connect.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FC6A All-in-One v2.33+, FC6A Plus v1.92+, WindLDR v8.19.2+, WindEDIT Lite v1.3.2+, Data File Manager v2.12.2+

Vendor Advisory: https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf

Restart Required: Yes

Instructions:

1. Download the updated firmware and software from the IDEC website.
2. Back up the PLC program and configuration.
3. Update the management software first (WindLDR, WindEDIT Lite, Data File Manager); WindLDR is the tool that downloads firmware to the PLC.
4. Update the PLC firmware via WindLDR.
5. Restart the PLC and verify normal operation.
6. Change the PLC password: any password used over the old protocol may already have been captured, and the update does not invalidate it.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate the PLC network from other networks and allow management-port traffic only from designated engineering stations, so that fewer hosts can see the cleartext exchange.

VPN Tunnel (all platforms)

Establish an encrypted VPN between management stations and the PLC segment. Note that the VPN protects only the tunnel itself: traffic between the VPN endpoint and the PLC is still cleartext, so the endpoint must sit on the PLC segment, not somewhere upstream of it.

🧯 If You Can't Patch

  • Implement strict network segmentation with firewall rules that allow traffic to the PLC management ports only from designated engineering stations
  • Deploy network monitoring to detect ARP spoofing, unexpected connections to PLC management ports, and logins from hosts that are not engineering stations
  • Rotate the PLC password if any unexpected host is seen on the management path, since the old password must be assumed captured

🔍 How to Verify

Check if Vulnerable:

Compare the version of every component (PLC firmware and each management application) against the vulnerable versions listed in the advisory; one unpatched component is enough to keep the password in cleartext.

Check Version:

In WindLDR: Help → About. On the PLC: read the firmware (system software) version via the web interface or via WindLDR while connected to the PLC.

Verify Fix Applied:

Confirm all software and firmware versions are at or above the patched versions, then connect from WindLDR while capturing traffic on the management path and confirm the PLC password no longer appears in cleartext in the capture.
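The version comparison from the check above, written out as a script (an added example, not IDEC tooling). It assumes version strings are dotted integers as shown in WindLDR's About dialog and on the PLC firmware display, and uses the fixed versions listed in the Official Fix section; the inventory at the bottom is constructed sample data.

```python
"""Version audit for CVE-2021-20826 (added example, not vendor code).

Compares installed IDEC product versions against the earliest fixed
versions listed on this page.  Version strings are assumed to be dotted
integers, optionally prefixed with 'v' or 'Ver ' (assumption).
"""
from __future__ import annotations

import re

# Earliest fixed version per product, from the "Official Fix" section.
FIXED_VERSIONS = {
    "FC6A All-in-One": "2.33",
    "FC6A Plus": "1.92",
    "WindLDR": "8.19.2",
    "WindEDIT Lite": "1.3.2",
    "Data File Manager": "2.12.2",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'v8.19.1', '8.19.1' or 'Ver 2.32' into a comparable tuple, e.g. (8, 19, 1)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(product: str, installed: str) -> bool:
    """True if `installed` is older than the fixed version for `product`.

    Tuples compare element-wise and a shorter tuple sorts before a longer
    one with the same prefix, so (8, 19) < (8, 19, 2): a version that
    omits the patch component is treated as older than any explicit one.
    """
    fixed = parse_version(FIXED_VERSIONS[product])
    return parse_version(installed) < fixed


def audit(inventory: dict[str, str]) -> list[str]:
    """Return the products in `inventory` that are still on a vulnerable version."""
    return [product for product, version in inventory.items()
            if is_vulnerable(product, version)]


if __name__ == "__main__":
    # Constructed inventory; replace with values read from your own systems.
    sample = {
        "FC6A All-in-One": "v2.32",
        "FC6A Plus": "v1.92",
        "WindLDR": "8.19.1",
        "WindEDIT Lite": "1.3.2",
        "Data File Manager": "Ver 2.12",
    }
    for product in audit(sample):
        print(f"VULNERABLE: {product} {sample[product]} "
              f"(fixed in {FIXED_VERSIONS[product]}+)")
```

A component that is "at" the fixed version is not flagged; anything below it, including a version string with a missing patch component, is.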

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts on the PLC
  • Unexpected program or configuration changes on the PLC
  • Successful logins from hosts that are not designated engineering stations (a captured password will be used with the legitimate account name, so the source host matters more than the user name)

Network Indicators:

  • Cleartext credential transmission to PLC IPs on the PLC's management ports: the web interface (80/8080) and the maintenance/programming port used by WindLDR (default 2101 on FC6A; confirm the value in the PLC's Ethernet settings)
  • Connections to PLC management ports from hosts other than the designated engineering stations
  • ARP spoofing or other on-path (MITM) activity on the PLC network segment

SIEM Query (pseudo-syntax; the PLC is the destination and the management client is the source):

dest_ip IN [PLC_IPS] AND (event_type="authentication" OR event_type="configuration_change") AND result="success" AND (user NOT IN [authorized_users] OR source_ip NOT IN [engineering_stations])
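The same detection logic run over constructed sample records, so the two checks can be tested offline before being turned into SIEM rules (an added example, not vendor code). The management port number 2101 and the record field names are assumptions for this example; take the port from the PLC's Ethernet settings and map your own firewall and PLC log fields onto the same keys.

```python
"""Detection logic for CVE-2021-20826 exposure (added example, not vendor code).

Two checks, run over constructed sample records:

  1. Flow records: TCP sessions to a PLC management port from any host
     that is not an approved engineering station.
  2. PLC event records: successful authentications or configuration
     changes from an unapproved user OR an unapproved source host.  The
     second condition is the important one for this CVE: a captured
     password is reused with the legitimate account name.

Port 2101 and all field names are assumptions for this example.
"""
from __future__ import annotations

PLC_HOSTS = {"10.10.5.20", "10.10.5.21"}
PLC_MGMT_PORTS = {2101, 80, 8080}        # assumed maintenance port + web interface
ENGINEERING_STATIONS = {"10.10.1.15"}
AUTHORIZED_USERS = {"plc_admin"}


def suspicious_flows(flows: list[dict]) -> list[dict]:
    """Flows to a PLC management port that did not come from an engineering station."""
    return [
        f for f in flows
        if f["dst_ip"] in PLC_HOSTS
        and f["dst_port"] in PLC_MGMT_PORTS
        and f["src_ip"] not in ENGINEERING_STATIONS
    ]


def suspicious_events(events: list[dict]) -> list[dict]:
    """Successful auth/config-change events on a PLC from an unapproved
    user or host.  Mirrors the SIEM query on this page with the PLC as
    the destination and the client as the source."""
    watched = {"authentication", "configuration_change"}
    return [
        e for e in events
        if e["dst_ip"] in PLC_HOSTS
        and e["event_type"] in watched
        and e["result"] == "success"
        and (e["user"] not in AUTHORIZED_USERS
             or e["src_ip"] not in ENGINEERING_STATIONS)
    ]


# Constructed sample data (not real captures).
SAMPLE_FLOWS = [
    {"src_ip": "10.10.1.15", "dst_ip": "10.10.5.20", "dst_port": 2101},  # engineer: fine
    {"src_ip": "10.10.3.77", "dst_ip": "10.10.5.20", "dst_port": 2101},  # unknown host: alert
    {"src_ip": "10.10.3.77", "dst_ip": "10.10.5.21", "dst_port": 502},   # not a mgmt port: ignore
]

SAMPLE_EVENTS = [
    {"src_ip": "10.10.1.15", "dst_ip": "10.10.5.20", "event_type": "authentication",
     "result": "success", "user": "plc_admin"},                      # normal login
    {"src_ip": "10.10.3.77", "dst_ip": "10.10.5.20", "event_type": "authentication",
     "result": "success", "user": "plc_admin"},                      # captured password reused
    {"src_ip": "10.10.3.77", "dst_ip": "10.10.5.20", "event_type": "authentication",
     "result": "failure", "user": "plc_admin"},                      # failed: not matched here
    {"src_ip": "10.10.1.15", "dst_ip": "10.10.5.21", "event_type": "configuration_change",
     "result": "success", "user": "contractor"},                     # unapproved account
]


if __name__ == "__main__":
    for f in suspicious_flows(SAMPLE_FLOWS):
        print(f"ALERT flow: {f['src_ip']} -> {f['dst_ip']}:{f['dst_port']}")
    for e in suspicious_events(SAMPLE_EVENTS):
        print(f"ALERT event: {e['event_type']} by {e['user']} from {e['src_ip']} on {e['dst_ip']}")
```

Failed logins are deliberately left to the "Log Indicators" list rather than this rule: the signal that the password has been captured is a successful login from the wrong host, not a failure.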

🔗 References

  • Vendor advisory: https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-20826