CVE-2021-22698

7.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected systems by uploading a malicious SSD file. It affects users of EcoStruxure Power Build - Rapsody running version 2.1.13 or earlier. Attackers can exploit it without authentication to gain full control of the system.

💻 Affected Systems

Products:
  • EcoStruxure Power Build - Rapsody
Versions: 2.1.13 and prior
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default. The vulnerability exists in the SSD file parsing functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Remote code execution allowing attackers to disrupt operations, steal sensitive engineering data, or deploy ransomware.

🟢 If Mitigated: File upload attempts blocked at the network perimeter, preventing exploitation even if the software remains vulnerable.

🌐 Internet-Facing: HIGH - Exploitation requires only file upload capability, which is often exposed in industrial control systems.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this vulnerability with minimal barriers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The ZDI-21-187 advisory includes technical details. The vulnerability requires only file upload capability, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.1.14 or later

Vendor Advisory: https://www.se.com/ww/en/download/document/SEVD-2021-012-02/

Restart Required: Yes

Instructions:

1. Download the updated version from Schneider Electric's official portal.
2. Back up the current configuration and data.
3. Install the update following vendor instructions.
4. Restart the system.
5. Verify the update was successful.

🔧 Temporary Workarounds

Restrict SSD File Uploads

all

Block upload of SSD files at network perimeter or application level

Network Segmentation

all

Isolate Rapsody systems from untrusted networks and internet

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can upload files to the system
  • Deploy application whitelisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check the software version in the Help > About menu. If it is 2.1.13 or earlier, the system is vulnerable.

Check Version:

Not applicable - check through application GUI

Verify Fix Applied:

Verify that the version shown in the Help > About menu is 2.1.14 or later. Test the SSD file upload functionality with safe test files.

📡 Detection & Monitoring

Log Indicators:

  • Failed or successful SSD file uploads from unusual sources
  • Process creation events from Rapsody with unusual parameters

Network Indicators:

  • HTTP POST requests with .ssd file extensions to Rapsody endpoints
  • Outbound connections from Rapsody to unknown IPs

SIEM Query:

source="Rapsody" AND (event="file_upload" OR event="process_create")
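An added example, not part of this advisory: the SIEM predicate above applied to constructed key="value" log lines, with the two log indicators listed earlier (SSD uploads from unusual sources, unexpected process creation from Rapsody) layered on top. The log layout, field names, the trusted-source allowlist and the expected-image set are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample log lines; the key="value" layout is an assumption.
SAMPLE_LOGS = [
    'source="Rapsody" event="file_upload" src_ip="10.0.5.20" file="plant_a.ssd"',
    'source="Rapsody" event="file_upload" src_ip="203.0.113.7" file="update.ssd"',
    'source="Rapsody" event="process_create" image="cmd.exe" cmdline="cmd.exe"',
    'source="Rapsody" event="process_create" image="Rapsody.exe" cmdline="Rapsody.exe project"',
    'source="Windows" event="process_create" image="explorer.exe" cmdline="explorer.exe"',
]

TRUSTED_SOURCES = {"10.0.5.20"}      # assumed allowlist of engineering workstations
EXPECTED_IMAGES = {"rapsody.exe"}    # assumed: Rapsody should not spawn other binaries

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))

def matches_siem_query(rec: Dict[str, str]) -> bool:
    """source="Rapsody" AND (event="file_upload" OR event="process_create")."""
    return rec.get("source") == "Rapsody" and rec.get("event") in {"file_upload", "process_create"}

def classify(rec: Dict[str, str]) -> str:
    """Label a matching record with the indicator it trips, or '' if benign."""
    if rec.get("event") == "file_upload":
        is_ssd = rec.get("file", "").lower().endswith(".ssd")
        if is_ssd and rec.get("src_ip") not in TRUSTED_SOURCES:
            return "ssd_upload_unusual_source"
    elif rec.get("event") == "process_create":
        if rec.get("image", "").lower() not in EXPECTED_IMAGES:
            return "rapsody_unusual_child_process"
    return ""

def find_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Run the SIEM predicate, then the indicator checks, over raw log lines."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if matches_siem_query(rec):
            label = classify(rec)
            if label:
                alerts.append({"alert": label, **rec})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print(alert["alert"], alert)
```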

🔗 References
