CVE-2021-37401

9.8 CRITICAL

📋 TL;DR

CVE-2021-37401 allows attackers to extract user credentials from IDEC MicroSmart FC6A PLCs by accessing stored files on SD cards or backup repositories. This enables unauthorized upload, modification, or download of PLC user programs. Organizations using IDEC FC6A MicroSmart PLCs with SD cards or file backups are affected.

💻 Affected Systems

Products:
  • IDEC MicroSmart FC6A Programmable Logic Controllers
Versions: All versions prior to firmware updates addressing the vulnerability
Operating Systems: PLC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires physical or logical access to SD cards or backup files containing ZLD files

⚠️ Risk & Real-World Impact

  • 🔴 Worst Case: Complete compromise of industrial control systems leading to physical process manipulation, production shutdown, or safety system disruption.
  • 🟠 Likely Case: Unauthorized access to PLC programs allowing logic modification, operational disruption, or intellectual property theft.
  • 🟢 If Mitigated: Limited impact through network segmentation and proper credential management.

🌐 Internet-Facing: LOW (PLC systems typically not directly internet-facing)
🏢 Internal Only: HIGH (Internal attackers or compromised internal systems can exploit this)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the stored credential files but does not require authentication to the PLC itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware updates and software updates for Automation Organizer

Vendor Advisory: https://www.idec.com/home/lp/pdf/2021-12-24-PLC.pdf

Restart Required: Yes

Instructions:

1. Download updated firmware from IDEC website.
2. Update PLC firmware using Automation Organizer software.
3. Update Automation Organizer to latest version.
4. Restart affected PLCs.

🔧 Temporary Workarounds

Remove SD cards

Physically remove SD cards from PLCs to prevent credential extraction

Secure backup storage

Encrypt and secure backup repositories containing ZLD files

🧯 If You Can't Patch

  • Implement strict physical access controls to PLCs and SD cards
  • Segment PLC networks and restrict access to backup file repositories

🔍 How to Verify

Check if Vulnerable:

Check if IDEC FC6A PLCs are using SD cards or if backup files containing ZLD files are accessible

Check Version:

Check firmware version through Automation Organizer software interface

Verify Fix Applied:

Verify firmware version is updated and Automation Organizer software is at latest version

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to PLC programming software
  • Unexpected PLC program modifications

Network Indicators:

  • Unauthorized connections to PLC programming ports
  • Unexpected file transfers involving PLC backup files

SIEM Query:

source="plc_logs" AND (event="program_modification" OR event="unauthorized_access")
