CVE-2021-34599

7.4 HIGH

📋 TL;DR

CVE-2021-34599 is a certificate validation vulnerability in CODESYS Git versions prior to V1.1.0.0: the client does not verify the HTTPS server certificate, which allows man-in-the-middle attacks. It affects users of CODESYS Git who connect to remote Git repositories over HTTPS.

💻 Affected Systems

Products:
  • CODESYS Git
Versions: All versions prior to V1.1.0.0
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable by default as certificate validation is disabled in affected versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could intercept, modify, or inject malicious code into Git operations, potentially compromising industrial control systems or stealing intellectual property.

🟠 Likely Case: Unauthorized access to source code repositories, injection of malicious code into automation projects, or data exfiltration during Git operations.

🟢 If Mitigated: Limited impact with proper network segmentation and certificate validation enabled.

🌐 Internet-Facing: HIGH - Any HTTPS connection to external Git servers is vulnerable to interception.
🏢 Internal Only: MEDIUM - Internal network attacks still possible if attacker has network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Man-in-the-middle attacks are well-understood and tools for HTTPS interception are widely available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V1.1.0.0

Vendor Advisory: https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=16959&token=3ce11e44a3277c4520d732ea2e630f2e06bd46ff&download

Restart Required: Yes

Instructions:

1. Download CODESYS Git V1.1.0.0 or later from the CODESYS website.
2. Install the update following the vendor instructions.
3. Restart affected systems.

🔧 Temporary Workarounds

Use SSH instead of HTTPS (applies to: all)

Configure Git to use the SSH protocol instead of HTTPS for repository connections, so the connection no longer depends on HTTPS certificate validation:

  git remote set-url origin git@github.com:user/repo.git

Enable certificate validation (applies to: all)

Configure CODESYS Git to enforce certificate validation, if the installed version supports it.

🧯 If You Can't Patch

  • Isolate CODESYS Git systems from untrusted networks using firewalls
  • Use VPNs for all remote Git connections to ensure encrypted tunnels

🔍 How to Verify

Check if Vulnerable:

Check the CODESYS Git version in the application settings or the About dialog.

Check Version:

Check via the CODESYS Git interface or the installation details.

Verify Fix Applied:

Verify that the version is V1.1.0.0 or later and test HTTPS connections to known valid servers. A connection to a server presenting an invalid certificate (for example self-signed or expired) should now be rejected rather than silently accepted.

📡 Detection & Monitoring

Log Indicators:

  • Failed HTTPS connections to Git servers
  • Unexpected certificate warnings

Network Indicators:

  • Unencrypted Git traffic
  • HTTPS connections to unusual IP addresses

SIEM Query:

HTTPS traffic from CODESYS Git systems with certificate validation errors (after the fix, such errors indicate an interception attempt or a misconfigured server; before the fix, no error is raised at all, so their absence is not evidence of safety)
