CVE-2021-21868
📋 TL;DR
This CVE describes an unsafe deserialization vulnerability in CODESYS Development System that allows arbitrary command execution when processing malicious project files. Attackers can achieve remote code execution by tricking users into opening specially crafted files. This affects users of CODESYS Development System versions 3.5.16 and 3.5.17.
💻 Affected Systems
- CODESYS Development System
📦 What is this software?
Codesys by Codesys
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the host system running CODESYS Development System, potentially leading to lateral movement within the network.
Likely Case
Local privilege escalation or remote code execution when users open malicious project files, potentially compromising the development environment and connected systems.
If Mitigated
Limited impact with proper file validation and user awareness preventing malicious file execution.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious project file. Technical details and proof-of-concept are publicly available in the Talos Intelligence report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.18.0 or later
Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=16805&token=ee583c498941d9fda86490bca98ff21928eec08a&download=
Restart Required: Yes
Instructions:
1. Download CODESYS Development System version 3.5.18.0 or later from the official CODESYS website.
2. Run the installer and follow the upgrade process.
3. Restart the CODESYS Development System application.
4. Verify the version is updated to 3.5.18.0 or higher.
🔧 Temporary Workarounds
Restrict Project File Sources
Only open project files from trusted sources and implement file validation procedures.
User Awareness Training
Train developers and users to recognize suspicious project files and avoid opening untrusted files.
🧯 If You Can't Patch
- Implement strict access controls to limit who can open project files in CODESYS Development System.
- Use application whitelisting to prevent execution of unauthorized commands or processes from CODESYS.
🔍 How to Verify
Check if Vulnerable:
Check the CODESYS Development System version in Help → About. If the version is 3.5.16 or 3.5.17, the system is vulnerable.
Check Version:
In CODESYS Development System: Help → About → Check version number
Verify Fix Applied:
Verify the version is 3.5.18.0 or higher in Help → About menu.
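The manual Help → About check above does not scale to a fleet of engineering workstations. The following script is an added example (not part of this advisory and not CODESYS tooling): it classifies a version string against the ranges stated here (3.5.16.x and 3.5.17.x vulnerable, 3.5.18.0 or later fixed) and, on Windows, enumerates installed products from the standard Uninstall registry keys. It assumes the CODESYS installer registers there with a DisplayName containing "CODESYS" and a numeric DisplayVersion; confirm any result against Help → About.

```python
"""Classify CODESYS Development System versions against CVE-2021-21868 (added example)."""
import platform

# Ranges taken from the advisory: 3.5.16 and 3.5.17 affected, fixed in 3.5.18.0.
VULNERABLE_BRANCHES = ((3, 5, 16), (3, 5, 17))
FIXED_FROM = (3, 5, 18, 0)


def parse_version(text: str) -> tuple:
    """Take the leading dotted-numeric part of a string such as '3.5.17.0' or '3.5.16.40 (64-bit)'."""
    parts = []
    for piece in text.strip().split(" ")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(parts)


def classify(text: str) -> str:
    """Return 'fixed', 'vulnerable', or 'not-listed' for versions outside the advisory's ranges."""
    padded = parse_version(text)
    padded = padded + (0,) * (4 - len(padded))  # compare as four components
    if padded[:4] >= FIXED_FROM:
        return "fixed"
    if padded[:3] in VULNERABLE_BRANCHES:
        return "vulnerable"
    # Older branches are not named in this advisory; do not report them as safe.
    return "not-listed"


def installed_codesys_versions() -> list:
    """On Windows, list (DisplayName, DisplayVersion, classification) for CODESYS entries
    under the Uninstall keys. Assumption: the installer registers there. Returns [] elsewhere."""
    if platform.system() != "Windows":
        return []
    import winreg  # Windows-only module

    paths = (
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    )
    found = []
    for path in paths:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(root, index)
                except OSError:
                    break
                index += 1
                try:
                    with winreg.OpenKey(root, sub) as key:
                        name = str(winreg.QueryValueEx(key, "DisplayName")[0])
                        version = str(winreg.QueryValueEx(key, "DisplayVersion")[0])
                except OSError:
                    continue
                if "codesys" in name.lower():
                    try:
                        status = classify(version)
                    except ValueError:
                        status = "unparsed"
                    found.append((name, version, status))
    return found


if __name__ == "__main__":
    for name, version, status in installed_codesys_versions():
        print(f"{status:11} {version:12} {name}")
```

Run it on the workstation (or push it through your endpoint management tool) and treat "not-listed" and "unparsed" as items to review by hand rather than as clean results.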
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from CODESYS.exe
- Failed deserialization attempts in application logs
- Unexpected command execution events
Network Indicators:
- Outbound connections from CODESYS to unexpected destinations
- File downloads by the CODESYS process
SIEM Query:
Process Creation where Parent Process Name contains 'CODESYS' AND (Command Line contains 'cmd.exe' OR Command Line contains 'powershell.exe' OR Command Line contains suspicious commands)
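The query above is pseudo-syntax, and its "suspicious commands" clause is left open. The script below is an added example, not part of this advisory or of any SIEM product: it implements the same rule in Python over constructed process-creation events (a pipe-delimited Key=Value format invented for this example), matching the child image name as well as the command line, and making the open clause concrete with a small regex for encoded or download-style PowerShell arguments. The child-process list and the regex are assumptions to tune per site; the CODESYS install path in the samples is constructed.

```python
"""Detection logic for CODESYS spawning shells or script hosts (added example)."""
import re
from dataclasses import dataclass

# Child images the CODESYS IDE has no ordinary reason to start (assumption: tune per site).
SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# Concrete reading of "suspicious commands" in the rule above (assumption).
SUSPICIOUS_ARGS = re.compile(r"(-enc(odedcommand)?\b|invoke-expression|\biex\b|downloadstring)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed, pipe-delimited 'Key=Value' log line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def is_suspicious(ev: ProcessEvent) -> bool:
    """True when a CODESYS parent starts a shell/script host, or any child with suspicious arguments."""
    if "codesys" not in ev.parent_image.lower():
        return False
    child = ev.image.lower().rsplit("\\", 1)[-1]          # basename of the child image
    cmd = ev.command_line.lower()
    return (
        child in SUSPICIOUS_CHILDREN
        or any(name in cmd for name in SUSPICIOUS_CHILDREN)  # the rule's CommandLine clause
        or bool(SUSPICIOUS_ARGS.search(cmd))
    )


def scan(lines) -> list:
    """Return the events that match the rule, preserving input order."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample events; the install path is a placeholder, not a real artefact.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\CODESYS 3.5.17.0\CODESYS\Common\CODESYS.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami",
    r"ParentImage=C:\Program Files\CODESYS 3.5.17.0\CODESYS\Common\CODESYS.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe readme.txt",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile",
    r"ParentImage=C:\Program Files\CODESYS 3.5.17.0\CODESYS\Common\CODESYS.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -enc PLACEHOLDER",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"ALERT parent={ev.parent_image} child={ev.image} cmd={ev.command_line}")
```

Matching on the child image name in addition to the command line catches a renamed or path-qualified launch that the plain "Command Line contains" clause would miss; the explorer.exe event shows that the parent filter is what keeps ordinary PowerShell use out of the alert stream.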
🔗 References
- https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=16805&token=ee583c498941d9fda86490bca98ff21928eec08a&download=
- https://talosintelligence.com/vulnerability_reports/TALOS-2021-1305