CVE-2021-21778

7.5 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to cause denial of service by sending specially crafted ASDU messages to lib60870.NET implementations, disrupting communications in industrial control systems. It affects systems using MZ Automation's lib60870.NET library version 2.2.0 for IEC 60870-5 protocol implementations.

💻 Affected Systems

Products:
  • MZ Automation GmbH lib60870.NET
Versions: 2.2.0
Operating Systems: Windows, Linux, Any OS running .NET
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any system using the vulnerable library version, regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete loss of communications in critical infrastructure systems, potentially disrupting power grid operations or industrial processes.

🟠 Likely Case

Temporary communication disruption requiring system restart or manual intervention to restore functionality.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, though service interruption may still occur.

🌐 Internet-Facing: HIGH - Attackers can exploit this remotely without authentication via network requests.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still trigger the vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is well-documented with proof-of-concept available, making exploitation straightforward for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.1 or later

Vendor Advisory: https://www.mz-automation.de/downloads/

Restart Required: Yes

Instructions:

1. Download lib60870.NET version 2.2.1 or later from the MZ Automation website.
2. Replace the vulnerable library files.
3. Restart affected applications/services.
4. Test communications functionality.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all

Restrict network access to lib60870.NET services using firewalls or network ACLs.

Rate Limiting

Applies to: all

Implement rate limiting on ASDU message processing to reduce DoS impact.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems from untrusted networks.
  • Deploy intrusion detection systems to monitor for ASDU message anomalies and block malicious traffic.

🔍 How to Verify

Check if Vulnerable:

Check application dependencies for lib60870.NET version 2.2.0. Review system logs for ASDU processing errors or communication disruptions.

Check Version:

Check application configuration files or use .NET assembly inspection tools to verify lib60870.NET version.

Verify Fix Applied:

Verify lib60870.NET version is 2.2.1 or later. Test ASDU message processing functionality under normal and stress conditions.
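One way to automate the dependency check above, as an added example that is not part of the advisory or of MZ Automation's code: a Python script that scans .csproj and packages.config documents for lib60870.NET references older than the 2.2.1 fix. The NuGet package id "lib60870.NET" and the sample project files are assumptions.

```python
import xml.etree.ElementTree as ET

PACKAGE_ID = "lib60870.NET"   # assumed NuGet package id, matching the library name in the advisory
FIXED_VERSION = (2, 2, 1)     # first release the advisory lists as fixed

def parse_version(text):
    """Turn '2.2.0' or '2.2.1-beta' into a comparable tuple of ints (pre-release/build tags dropped)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def referenced_versions(xml_text):
    """Yield every lib60870.NET version string referenced in a .csproj or packages.config document."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = el.tag.split("}", 1)[-1]  # strip an XML namespace if the project file carries one
        if tag == "PackageReference" and el.get("Include", "").lower() == PACKAGE_ID.lower():
            ver = el.get("Version") or (el.findtext("Version") or "")  # attribute or child element form
            if ver:
                yield ver
        elif tag == "package" and el.get("id", "").lower() == PACKAGE_ID.lower():
            if el.get("version"):
                yield el.get("version")

def is_vulnerable(xml_text):
    """True if any lib60870.NET reference is older than the fixed release (2.2.1)."""
    return any(parse_version(v) < FIXED_VERSION for v in referenced_versions(xml_text))

# Constructed sample inputs (not taken from any real project).
CSPROJ_OLD = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="lib60870.NET" Version="2.2.0" />
  </ItemGroup>
</Project>"""
PACKAGES_CONFIG_FIXED = """<packages>
  <package id="lib60870.NET" version="2.2.1" targetFramework="net48" />
</packages>"""

if __name__ == "__main__":
    for name, doc in [("old.csproj", CSPROJ_OLD), ("fixed/packages.config", PACKAGES_CONFIG_FIXED)]:
        status = "VULNERABLE" if is_vulnerable(doc) else "ok"
        print(name, status, list(referenced_versions(doc)))
```

To run it against a real tree, feed each project file's contents to is_vulnerable; a transitive reference pulled in by another package will not appear here, so confirm with the deployed assembly version as the advisory suggests.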

📡 Detection & Monitoring

Log Indicators:

  • ASDU message processing errors
  • Unexpected communication disruptions
  • High volume of malformed network packets

Network Indicators:

  • Unusual ASDU message patterns
  • Traffic spikes to IEC 60870-5 ports (typically 2404/TCP)
  • Malformed protocol packets

SIEM Query:

source="network_traffic" dest_port=2404 AND packet_size > <your baseline threshold> AND protocol="iec60870"
