CVE-2021-34586
📋 TL;DR
CVE-2021-34586 is a null pointer dereference vulnerability in the CODESYS V2 web server that allows crafted web requests to cause denial-of-service conditions. This affects industrial control systems using CODESYS V2 web server versions prior to 1.1.9.22. Attackers can crash the web server component, disrupting web-based monitoring and configuration interfaces.
💻 Affected Systems
- CODESYS V2 web server
📦 What is this software?
Codesys by Codesys
⚠️ Risk & Real-World Impact
Worst Case
Complete denial-of-service of the CODESYS web server, disrupting industrial control system monitoring, configuration, and potentially affecting PLC operations if web interfaces are critical for control functions.
Likely Case
Temporary web server crash requiring manual restart, disrupting operator visibility and configuration capabilities but not affecting core PLC runtime operations.
If Mitigated
Minimal impact if web server is isolated from production networks and proper network segmentation is implemented.
🎯 Exploit Status
Tenable published research with exploitation details. Crafted HTTP requests can trigger the null pointer dereference without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V1.1.9.22
Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=16876&token=a3f1d937f95e7034879f4f2ea8e5a99b168256a7&download=
Restart Required: Yes
Instructions:
1. Download CODESYS V2 web server version 1.1.9.22 or later from the CODESYS customer portal.
2. Stop the CODESYS web server service.
3. Install the updated version.
4. Restart the web server service.
5. Verify the version is 1.1.9.22 or higher.
🔧 Temporary Workarounds
Network Isolation
Restrict access to the CODESYS web server to trusted networks only using firewall rules (replace trusted_network with your trusted address range). Note that an allow rule on its own only restricts access when the chain or firewall profile denies everything else by default.
# Example Linux iptables rule:
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
# Example Windows Firewall:
New-NetFirewallRule -DisplayName "CODESYS Web" -Direction Inbound -Protocol TCP -LocalPort 80 -RemoteAddress trusted_network -Action Allow
Disable Web Server
Temporarily disable the CODESYS web server if it is not required for operations (service names depend on the installation).
# Windows:
sc stop "CODESYS Web Server"
# Linux:
systemctl stop codesys-web-server
🧯 If You Can't Patch
- Implement strict network segmentation to isolate CODESYS web servers from untrusted networks
- Deploy web application firewall (WAF) with rules to detect and block malicious HTTP requests targeting CODESYS
🔍 How to Verify
Check if Vulnerable:
Check the CODESYS web server version via the web interface at http://<server>:80/ or via the installed software list. Versions below 1.1.9.22 are vulnerable.
Check Version:
# Windows:
wmic product where "name like '%CODESYS%'" get version
# Linux (Debian-based):
dpkg -l | grep -i codesys
# Linux (RPM-based):
rpm -qa | grep -i codesys
Verify Fix Applied:
Verify that the version is 1.1.9.22 or higher via the web interface or system software inventory. Test that web server functionality remains operational after applying updates.
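The version check above, as an added example (not CODESYS or Tenable code): it normalises version strings such as "V1.1.9.22" or a shorter "1.1.9", compares them against the first fixed release 1.1.9.22, and flags unknown versions for review instead of passing them. The inventory lines are constructed samples, not real wmic or dpkg output; adapt the parsing to your own inventory tool's format.

```python
"""Flag CODESYS V2 web server installs below the fixed version 1.1.9.22.

Added example, not CODESYS or Tenable code. The inventory lines below are
constructed samples, not real wmic/dpkg output.
"""
import re

FIXED_VERSION = (1, 1, 9, 22)  # first fixed release named in the advisory


def parse_version(text):
    """Turn '1.1.9.22', 'V1.1.9.22' or '1.1.9' into a comparable tuple.
    Returns None when no dotted version is present."""
    m = re.search(r"[vV]?(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # pad shorter versions so 1.1.9 compares as 1.1.9.0
    return parts + (0,) * (len(FIXED_VERSION) - len(parts))


def is_vulnerable(version_text):
    """True when the version is below 1.1.9.22. Unknown versions are treated
    as vulnerable so they get reviewed rather than silently passed."""
    v = parse_version(version_text)
    return v is None or v < FIXED_VERSION


def audit_inventory(lines):
    """Return [(name, version, vulnerable)] for CODESYS web server entries."""
    results = []
    for line in lines:
        lowered = line.lower()
        if "codesys" not in lowered or "web" not in lowered:
            continue  # other CODESYS components are not in scope here
        name, _, version = line.strip().rpartition(" ")
        results.append((name, version, is_vulnerable(version)))
    return results


# Constructed sample inventory lines (not real tool output)
SAMPLE_INVENTORY = [
    "CODESYS V2 Web Server V1.1.9.20",
    "CODESYS V2 Web Server 1.1.9.22",
    "CODESYS Gateway 2.3.9.50",
    "Other Vendor Tool 4.2.0",
]

if __name__ == "__main__":
    for name, version, vuln in audit_inventory(SAMPLE_INVENTORY):
        print(f"{name:30} {version:12} {'VULNERABLE' if vuln else 'ok'}")
```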
📡 Detection & Monitoring
Log Indicators:
- Web server crash logs
- Unexpected service restarts of CODESYS web server
- HTTP requests with unusual patterns or malformed headers
Network Indicators:
- Multiple HTTP requests to CODESYS web server from single source causing service interruption
- Traffic patterns showing repeated connection attempts to port 80/443
SIEM Query:
(source="codesys.log" AND ("crash" OR "segmentation fault" OR "null pointer")) OR (destination_port=80 AND protocol="http" AND bytes_sent<100 AND response_code=0)
🔗 References
- https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=16876&token=a3f1d937f95e7034879f4f2ea8e5a99b168256a7&download=
- https://www.tenable.com/security/research/tra-2021-47