CVE-2021-29240

7.8 HIGH

📋 TL;DR

This vulnerability in CODESYS Development System 3 allows attackers to install malicious packages without validation checks. It affects users of CODESYS Development System 3 before version 3.5.17.0 who install packages from untrusted sources.

💻 Affected Systems

Products:
  • CODESYS Development System 3
Versions: All versions before 3.5.17.0
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the Package Manager component of the development system.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through installation of malicious packages containing backdoors, ransomware, or other malware that could disrupt industrial control systems.

🟠

Likely Case

Unauthorized code execution, data theft, or system manipulation through malicious package installation.

🟢

If Mitigated

Limited impact if package sources are restricted and proper security controls are implemented.

🌐 Internet-Facing: MEDIUM - Requires user interaction to install malicious packages, but could be exploited through social engineering or compromised repositories.
🏢 Internal Only: HIGH - Internal users with package installation privileges could exploit this vulnerability intentionally or unintentionally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to install a malicious package, but the technical complexity is low once a malicious package is created.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.17.0

Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=14636&token=1ce7e6e4cbe4651989ede418450d7c82e972bdf2&download=

Restart Required: Yes

Instructions:

1. Download CODESYS Development System 3 version 3.5.17.0 or later from the official CODESYS website.
2. Run the installer and follow the upgrade process.
3. Restart the development system after installation completes.

🔧 Temporary Workarounds

Restrict Package Sources

Platforms: all

Only install packages from trusted, verified sources and disable installation from unknown repositories.

User Privilege Restriction

Platforms: all

Limit package installation privileges to authorized administrators only.

🧯 If You Can't Patch

  • Implement strict package source whitelisting and only allow installation from verified repositories.
  • Deploy network segmentation to isolate CODESYS development systems from production networks.

🔍 How to Verify

Check if Vulnerable:

Check CODESYS Development System version in Help → About. If version is below 3.5.17.0, the system is vulnerable.

Check Version:

In CODESYS Development System, navigate to Help → About to view version information.

Verify Fix Applied:

After updating, verify version is 3.5.17.0 or higher in Help → About menu.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected package installation events
  • Installation of packages from untrusted sources
  • Failed package validation attempts

Network Indicators:

  • Downloads from unknown package repositories
  • Unusual outbound connections after package installation

SIEM Query:

Event logs showing package installation from non-standard sources OR version checks showing CODESYS Development System < 3.5.17.0
