CVE-2021-27477

CVSS v3 base score: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

📋 TL;DR

This vulnerability in JTEKT Corporation TOYOPUC PLCs lets an unauthenticated attacker who can reach the FL-net interface cause a denial of service by sending specially crafted invalid frames. The PLC writes the invalid frame outside its receive buffer, detects the corruption as a system error, and stops. No credentials or user interaction are required, and the impact is loss of availability only (no data disclosure or modification). It affects industrial control systems built on the listed TOYOPUC models.

💻 Affected Systems

Products:
  • PC10G-CPU
  • 2PORT-EFR
  • Plus CPU
  • Plus EX
  • Plus EX2
  • Plus EFR
  • Plus EFR2
  • Plus 2P-EFR
  • PC10P-DP
  • PC10P-DP-IO
  • Plus BUS-EX
  • Nano 10GX
  • Nano 2ET
  • PC10PE
  • PC10PE-16/16P
  • PC10E
  • FL/ET-T-V2H
  • PC10B
  • PC10B-P
  • Nano CPU
  • PC10P
  • PC10GE
Versions: Affected and fixed firmware versions differ per model; the vendor/CISA advisory (ICSA-21-180-04) lists them. Treat any listed model running firmware older than the fixed version named there as vulnerable.
Operating Systems: PLC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the FL-net communication interface on these models. Exploitation requires network access to that interface. FL-net is a UDP-based protocol with no authentication, intended for a closed control segment.

📦 What is this software?

TOYOPUC is JTEKT Corporation's family of programmable logic controllers, widely used on automotive and other manufacturing lines. FL-net (OPCN-2) is an open, Ethernet/UDP-based control network standardised by JEMA for linking PLCs and other controllers on a factory floor. It carries no authentication of its own, so any host that can deliver datagrams to a node's FL-net interface can feed it frames.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete PLC shutdown causing production stoppage, safety system failures, or process disruption in critical infrastructure.

🟠

Likely Case

PLC CPU detects system error and stops operation, halting the controlled industrial process until manual restart.

🟢

If Mitigated

If network segmentation and access controls are properly implemented, the vulnerability may be unreachable by attackers.

🌐 Internet-Facing: MEDIUM - While industrial systems shouldn't be internet-facing, misconfigurations could expose them.
🏢 Internal Only: HIGH - Attackers with internal network access or compromised internal systems can exploit this to disrupt operations.

🎯 Exploit Status

Public PoC: ✅ No known public PoC
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation consists of sending specially crafted invalid frames to the FL-net interface. FL-net has no authentication, so any host that can deliver UDP traffic to that interface can trigger the fault; no user interaction is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed firmware versions are listed per model in the CISA advisory; obtain the update files from JTEKT

Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-180-04

Restart Required: Yes

Instructions:

1. Contact JTEKT Corporation for firmware updates
2. Schedule maintenance window for PLC update
3. Backup PLC program and configuration
4. Apply firmware update following vendor instructions
5. Restart PLC and verify operation

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate the FL-net segment from other networks using firewalls or VLANs. FL-net is designed as a closed control segment and should not be routable from the plant or corporate LAN.

Access Control Lists

Platform: all

Restrict traffic to the PLC's FL-net interface to the configured FL-net member nodes only. Because FL-net carries no authentication, restricting sources is the only control available on the wire.

🧯 If You Can't Patch

  • Implement network segmentation to isolate PLCs from untrusted networks
  • Baseline the set of FL-net member nodes and alert on any other source sending to the PLC's FL-net interface
  • Deploy intrusion detection systems to monitor for malicious or malformed FL-net traffic
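The allowlist and malformed-frame checks described under Access Control Lists and the monitoring bullets above, as an added example (this is not code from the advisory or from JTEKT). It runs over a constructed list of UDP datagram records, not a live capture. The FL-net segment 192.168.250.0/24 and UDP ports 55000-55003 follow the FL-net/OPCN-2 convention as the author recalls it and must be checked against the site's configuration; MIN_FRAME_LEN is a hypothetical placeholder for the smallest frame a node should ever see and should be set from the vendor's FL-net header documentation.

```python
"""Allowlist monitor for FL-net traffic (added example, not vendor code).

Assumptions, all hypothetical and to be checked against the site:
  - FL-net nodes live in 192.168.250.0/24 and use UDP ports 55000-55003.
  - MIN_FRAME_LEN is a placeholder lower bound on a valid FL-net payload.
"""
from dataclasses import dataclass
import ipaddress

FLNET_PORTS = range(55000, 55004)                        # assumed FL-net UDP ports
FLNET_SUBNET = ipaddress.ip_network("192.168.250.0/24")  # assumed FL-net segment
MIN_FRAME_LEN = 64  # hypothetical: smallest payload the PLC should ever receive


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    dport: int
    length: int  # UDP payload length in bytes


def classify(pkt, members):
    """Return the alert reasons for one datagram; an empty list means it looks normal."""
    reasons = []
    if pkt.dport not in FLNET_PORTS:
        return reasons  # not FL-net traffic; out of scope for this monitor
    src = ipaddress.ip_address(pkt.src)
    if src not in FLNET_SUBNET:
        reasons.append("source outside FL-net segment")
    elif pkt.src not in members:
        reasons.append("source not a configured FL-net member")
    if pkt.length < MIN_FRAME_LEN:
        reasons.append("undersized frame")
    return reasons


def scan(packets, members):
    """Return (datagram, reasons) for every datagram that raised at least one alert."""
    findings = []
    for pkt in packets:
        reasons = classify(pkt, members)
        if reasons:
            findings.append((pkt, reasons))
    return findings


# Constructed sample traffic; not captured from a real plant.
MEMBERS = {"192.168.250.1", "192.168.250.2", "192.168.250.3"}
SAMPLE = [
    Datagram("192.168.250.2", "192.168.250.1", 55000, 120),  # normal cyclic frame
    Datagram("192.168.250.9", "192.168.250.1", 55000, 120),  # unknown node on the segment
    Datagram("10.0.5.77",     "192.168.250.1", 55001, 120),  # routed in from another network
    Datagram("192.168.250.3", "192.168.250.1", 55000, 12),   # member, but too short to be a frame
    Datagram("192.168.250.9", "192.168.250.1", 502,   12),   # not FL-net; ignored here
]

if __name__ == "__main__":
    for pkt, reasons in scan(SAMPLE, MEMBERS):
        print(f"ALERT {pkt.src} -> {pkt.dst}:{pkt.dport} len={pkt.length}: {', '.join(reasons)}")
```

The member set is the same list the ACL should enforce; running this logic on a span port of the FL-net switch gives you an alert for traffic the ACL should have blocked, which is the quickest way to notice a misconfigured firewall or a rogue host on the segment.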

🔍 How to Verify

Check if Vulnerable:

Compare the PLC model and firmware version against the affected-products list and the fixed versions in the advisory. A PLC that stops with a system error shortly after receiving FL-net traffic is a sign the fault is being triggered.

Check Version:

Use PLC programming software or HMI to check firmware version (vendor-specific command)

Verify Fix Applied:

Verify firmware version has been updated to patched version. Test by monitoring PLC operation during normal FL-net communication.

📡 Detection & Monitoring

Log Indicators:

  • PLC system error logs
  • Unexpected PLC restarts
  • FL-net communication errors

Network Indicators:

  • Malformed FL-net packets
  • Unexpected traffic to PLC FL-net port

SIEM Query (adapt the source name and message strings to what your PLC or HMI actually logs):

source="plc_logs" AND ("system error" OR "buffer overflow" OR "FL-net error")

🔗 References

  • CISA ICS Advisory ICSA-21-180-04 (JTEKT TOYOPUC): https://us-cert.cisa.gov/ics/advisories/icsa-21-180-04
