CVE-2021-38410

7.3 HIGH

📋 TL;DR

This vulnerability is an uncontrolled search path element (DLL hijacking) in AVEVA Software Platform Common Services (PCS) Portal. An attacker who can write a file into a directory the PCS Portal process searches for DLLs (the application directory, the working directory, or a directory on PATH) can get a malicious DLL loaded and run code with the privileges of that process, which the vendor notes can be used to elevate privileges. It affects industrial control systems running the vulnerable versions of AVEVA's software platform.

💻 Affected Systems

Products:
  • AVEVA Software Platform Common Services (PCS) Portal
Versions: 4.5.2, 4.5.1, 4.5.0, 4.4.6
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects industrial control systems using AVEVA PCS Portal. Requires ability to place DLL files in search path locations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary code, potentially gaining control of industrial control systems, disrupting operations, or exfiltrating sensitive data.

🟠

Likely Case

Local privilege escalation or code execution within the PCS Portal context, potentially leading to lateral movement within the industrial network.

🟢

If Mitigated

Limited impact if proper access controls prevent unauthorized file placement and network segmentation isolates affected systems.

🌐 Internet-Facing: LOW - This requires local access or ability to place files on the target system, making remote exploitation difficult without other vulnerabilities.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this to escalate privileges or move laterally within industrial networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access or ability to place files on target system. DLL hijacking is a well-known technique but specific exploitation details for this vulnerability are not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to version 4.5.3 or later

Vendor Advisory: https://www.aveva.com/en/support-and-success/cyber-security-updates/

Restart Required: Yes

Instructions:

1. Download the 4.5.3 (or later) installer from the AVEVA support portal.
2. Back up the current configuration and data.
3. Install the update following the vendor instructions.
4. Restart the PCS Portal service.
5. Verify functionality and confirm the installed version.

🔧 Temporary Workarounds

Restrict DLL search path

windows

Confirm the system-wide DLL search order has not been weakened, and optionally remove the current directory from it.

Check that the DWORD value SafeDllSearchMode under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager is absent or set to 1 (the default on all supported Windows versions); a value of 0 moves the current directory ahead of the system directories. Setting it to 1 only demotes the current directory; the application directory and the PATH entries are still searched, so this does not fix the vulnerability on its own. To take the current directory out of the search entirely, set the CWDIllegalInDllSearch DWORD in the same key to 0xFFFFFFFF; test before deploying, since applications that legitimately load DLLs from their working directory will break.

File system permissions

windows

Restrict write permissions on the installation directory and on every directory in the PATH of the account that runs PCS Portal, so that only administrators and the installer can add files there. Replace the path below with the actual installation directory.

icacls "C:\Program Files\AVEVA\PCS Portal" /deny Everyone:(OI)(CI)W

Caveat: an explicit Deny entry wins over every Allow, so the command above also blocks Administrators and the installer from writing, and the entry must be removed before patching. The less disruptive form is to remove Write/Modify grants for Users and Authenticated Users and leave the default Allow entries for SYSTEM and Administrators in place.
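The two workarounds above reorder or lock down the search path rather than remove it. The following model of the Windows standard DLL search order is an added example (not AVEVA code and not from the original advisory): it shows which positions a low-privileged user could plant a DLL in under SafeDllSearchMode=0, the default SafeDllSearchMode=1, and CWDIllegalInDllSearch=0xFFFFFFFF. The install path, the working directory, the PATH entries and the set of writable directories are constructed sample data.

```python
"""Model of the Windows standard DLL search order.

Added example for this page (not AVEVA code and not from the original
advisory). The order follows Microsoft's documented LoadLibrary search
order; the directory names and the set of writable directories are
constructed sample data, and the PCS Portal install path is assumed.
"""

SYSTEM_DIRS = [
    r"C:\Windows\System32",  # GetSystemDirectory()
    r"C:\Windows\System",    # 16-bit system directory
    r"C:\Windows",           # GetWindowsDirectory()
]


def dll_search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True,
                     cwd_illegal_in_dll_search=False):
    """Return the directories a plain LoadLibrary("name.dll") call walks.

    Known DLLs, already-loaded modules and side-by-side manifests are
    resolved before this list and are not modelled here.
    - safe_dll_search_mode: the SafeDllSearchMode registry value (default 1).
    - cwd_illegal_in_dll_search: True models CWDIllegalInDllSearch=0xFFFFFFFF,
      which removes the current directory from the search entirely.
    """
    order = [app_dir]
    if safe_dll_search_mode:
        order += SYSTEM_DIRS + [cwd]   # CWD demoted below the system dirs
    else:
        order += [cwd] + SYSTEM_DIRS   # legacy order: CWD right after app dir
    if cwd_illegal_in_dll_search:
        order.remove(cwd)
    return order + list(path_dirs)


def hijack_exposure(order, writable_dirs):
    """Return (position, directory) pairs an attacker with write access to
    writable_dirs could plant a DLL in. A DLL the process does not find in
    an earlier position is loaded from the first writable one."""
    return [(i, d) for i, d in enumerate(order) if d in writable_dirs]


# Constructed scenario: a standard user owns the current directory (the
# process was launched from a user folder) and one directory on PATH.
APP_DIR = r"C:\Program Files\AVEVA\PCS Portal"   # assumed install path
CWD = r"C:\Users\alice\Downloads"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Tools"]
WRITABLE = {CWD, r"C:\Tools"}


def exposure_for(safe=True, cwd_illegal=False):
    """Exposure of the constructed scenario under a given registry setting."""
    return hijack_exposure(
        dll_search_order(APP_DIR, CWD, PATH_DIRS, safe, cwd_illegal), WRITABLE)


if __name__ == "__main__":
    for safe, illegal in [(False, False), (True, False), (True, True)]:
        print(f"SafeDllSearchMode={int(safe)} CWDIllegalInDllSearch={illegal}:",
              exposure_for(safe, illegal))
```

The point the model makes: with SafeDllSearchMode=1 the writable working directory is still at position 4, behind only the system directories, and the writable PATH entry is searched in every configuration. Any DLL the application requests that does not exist in the application directory or System32 is still hijackable until the writable directories themselves are fixed.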

🧯 If You Can't Patch

  • Implement strict file system permissions to prevent unauthorized DLL placement
  • Segment industrial networks and restrict access to PCS Portal systems

🔍 How to Verify

Check if Vulnerable:

Check PCS Portal version in About dialog or installation directory. Versions 4.4.6, 4.5.0, 4.5.1, or 4.5.2 are vulnerable.

Check Version:

Check "About" in PCS Portal interface or examine version.txt in installation directory

Verify Fix Applied:

Verify the PCS Portal version is 4.5.3 or later. Then run Process Monitor filtered to the PCS Portal process and confirm it no longer probes for DLLs (CreateFile operations with result NAME NOT FOUND) in any directory a standard user can write to; placing a harmless, renamed test DLL at such a path and confirming it is not loaded is the direct check.
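To make the Process Monitor check repeatable, the following added example (not vendor code and not part of the original page) triages a Procmon CSV export and lists every DLL the process looked for but did not find in a directory an attacker could write to. The executable name "PCS Portal.exe", the install path and the trace rows are constructed placeholders; the column names are those of Procmon's File > Save as CSV.

```python
"""Triage a Process Monitor CSV export for hijackable DLL lookups.

Added example for this page, not vendor code. The executable name
"PCS Portal.exe", the install path and the trace rows are constructed
placeholders; the column names are those of Procmon's CSV export.
"""
import csv
import io
from pathlib import PureWindowsPath

# Default Windows ACLs: standard users cannot write here, so a missing-DLL
# probe in these trees is only exploitable if the ACLs were loosened.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                      "c:\\program files (x86)\\")


def _exploitable_dir(directory, known_writable):
    """True if a standard user could plant a file in `directory`.

    known_writable holds normalised directories an ACL audit found writable
    (e.g. an install directory the icacls check showed as loosened)."""
    low = directory.lower().rstrip("\\") + "\\"
    if low in known_writable:
        return True
    return not low.startswith(PROTECTED_PREFIXES)


def hijackable_probes(procmon_csv, process_name, known_writable=()):
    """Return (directory, dll) pairs where process_name asked for a DLL that
    was not there, in a directory an attacker could write to. Each pair is a
    place where planting that DLL would get it loaded."""
    writable = {d.lower().rstrip("\\") + "\\" for d in known_writable}
    findings = []
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        # The loader probes each search-path directory with CreateFile;
        # NAME NOT FOUND means nothing was there, so that slot is open.
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        p = PureWindowsPath(row["Path"])
        if p.suffix.lower() != ".dll":
            continue
        if _exploitable_dir(str(p.parent), writable):
            findings.append((str(p.parent), p.name))
    return findings


# Constructed Procmon export: version.dll is probed in the install dir and
# then found in System32; wlanapi.dll is probed in the user's working
# directory and a PATH entry before being found in System32.
SAMPLE_CSV = "\n".join([
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    r'"10:01:02.1","PCS Portal.exe","4120","CreateFile","C:\Program Files\AVEVA\PCS Portal\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"',
    r'"10:01:02.2","PCS Portal.exe","4120","CreateFile","C:\Windows\System32\version.dll","SUCCESS","Desired Access: Read Attributes"',
    r'"10:01:02.3","PCS Portal.exe","4120","CreateFile","C:\Users\alice\Downloads\wlanapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"',
    r'"10:01:02.4","PCS Portal.exe","4120","CreateFile","C:\Tools\wlanapi.dll","NAME NOT FOUND","Desired Access: Read Attributes"',
    r'"10:01:02.5","PCS Portal.exe","4120","CreateFile","C:\Windows\System32\wlanapi.dll","SUCCESS","Desired Access: Read Attributes"',
    r'"10:01:03.0","explorer.exe","900","CreateFile","C:\Users\alice\foo.dll","NAME NOT FOUND",""',
])


if __name__ == "__main__":
    for directory, dll in hijackable_probes(SAMPLE_CSV, "PCS Portal.exe"):
        print(f"hijackable: {dll} would be loaded from {directory}")
```

On a real trace, filter Procmon to the PCS Portal process and to Operation "CreateFile" before exporting to keep the file small. Pass the install directory in known_writable if the ACL check shows Users have write access there; the version.dll probe in the sample then becomes a finding as well, which is exactly the condition the icacls workaround is meant to remove.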

📡 Detection & Monitoring

Log Indicators:

  • Sysmon Event ID 7 (Image loaded) records showing the PCS Portal process loading a DLL from a user-writable directory or loading an unsigned DLL; the built-in Windows event logs do not record DLL loads, so this requires Sysmon or an EDR with equivalent telemetry
  • Sysmon Event ID 11 (File created) records showing a .dll written into the PCS Portal installation directory or a PATH directory by something other than the installer
  • Process Monitor traces showing the PCS Portal process probing for (NAME NOT FOUND) or loading DLLs from user-writable directories

Network Indicators:

  • Unusual outbound connections from PCS Portal process
  • Lateral movement attempts from PCS Portal system

SIEM Query:

The event IDs below are Sysmon's (7 = Image loaded, 11 = File created). The OR must be parenthesised, otherwise the process and path conditions only apply to EventID 11. "PCS Portal.exe" and the install path are placeholders; substitute the actual PCS Portal binary name, installation directory and any user-writable PATH directories:

(EventID=7 AND Image="*\PCS Portal.exe" AND (ImageLoaded="C:\Users\*" OR ImageLoaded="<user_writable_path>\*" OR Signed="false")) OR (EventID=11 AND TargetFilename="*.dll" AND (TargetFilename="C:\Program Files\AVEVA\PCS Portal\*" OR TargetFilename="<user_writable_path>\*") AND Image!="*\msiexec.exe")
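The same rules, as an added example (not vendor code and not part of the original page) implemented over Sysmon events so they can be tested before going into a SIEM. The process name, install path, PATH entry and the sample events are constructed; the field names (Image, ImageLoaded, Signed, TargetFilename) are Sysmon's.

```python
"""Detection logic for DLL hijacking of a target process, evaluated over
Sysmon events (Event ID 7 ImageLoad, Event ID 11 FileCreate).

Added example for this page, not vendor code. The process name, install
path, PATH entry and the sample events are constructed; the field names
(Image, ImageLoaded, Signed, TargetFilename) are Sysmon's.
"""
from pathlib import PureWindowsPath

PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                      "c:\\program files (x86)\\")
# Processes expected to write DLLs into the application directory; tune to
# the site's deployment tooling.
ALLOWED_WRITERS = {"msiexec.exe", "trustedinstaller.exe"}


def _base(path):
    return PureWindowsPath(path).name.lower()


def _norm_dir(path):
    return path.lower().rstrip("\\") + "\\"


def evaluate(event, process_name, watched_dirs):
    """Return the rule names the event triggers (empty list = benign).

    watched_dirs: normalised directories on the target's DLL search path
    (install directory and PATH entries) to watch for DLL drops."""
    reasons = []
    eid = int(event["EventID"])
    if eid == 7 and _base(event["Image"]) == process_name.lower():
        loaded = event["ImageLoaded"]
        # A DLL loaded from outside the protected trees came from a place a
        # standard user can write to.
        if not loaded.lower().startswith(PROTECTED_PREFIXES):
            reasons.append("dll_loaded_from_user_writable_path")
        # A planted DLL in the install dir is usually unsigned, so check the
        # signature even when the path looks legitimate.
        if str(event.get("Signed", "false")).lower() != "true":
            reasons.append("unsigned_dll_loaded")
    elif eid == 11:
        target = event["TargetFilename"]
        parent = _norm_dir(str(PureWindowsPath(target).parent))
        if (target.lower().endswith(".dll") and parent in watched_dirs
                and _base(event["Image"]) not in ALLOWED_WRITERS):
            reasons.append("dll_written_to_search_path_dir")
    return reasons


def run_detection(events, process_name, watched_dirs):
    """Evaluate every event; return alerts as {"reasons": [...], "event": ev}."""
    watched = {_norm_dir(d) for d in watched_dirs}
    alerts = []
    for ev in events:
        reasons = evaluate(ev, process_name, watched)
        if reasons:
            alerts.append({"reasons": reasons, "event": ev})
    return alerts


# Constructed scenario (assumed install path and binary name).
APP_DIR = r"C:\Program Files\AVEVA\PCS Portal"
APP_EXE = APP_DIR + r"\PCS Portal.exe"
WATCHED_DIRS = [APP_DIR, r"C:\Tools"]   # install dir plus a PATH entry

SAMPLE_EVENTS = [
    {"EventID": 7, "Image": APP_EXE, "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 7, "Image": APP_EXE, "ImageLoaded": r"C:\Users\alice\Downloads\wlanapi.dll", "Signed": "false"},
    {"EventID": 7, "Image": APP_EXE, "ImageLoaded": APP_DIR + r"\dbghelp.dll", "Signed": "false"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\drop.exe", "TargetFilename": r"C:\Tools\wlanapi.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe", "TargetFilename": APP_DIR + r"\PcsCore.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Users\alice\foo.dll", "Signed": "false"},
]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS, "PCS Portal.exe", WATCHED_DIRS):
        print(alert["reasons"], alert["event"].get("ImageLoaded") or alert["event"].get("TargetFilename"))
```

The sample produces three alerts: the load of an unsigned wlanapi.dll from the user's Downloads folder, the load of an unsigned dbghelp.dll from inside the install directory (the path is fine but the file is not), and a DLL dropped into the watched PATH directory by a process that is not the installer. The msiexec write and the explorer.exe load are correctly ignored.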

🔗 References
