CVE-2021-41579
📋 TL;DR
This vulnerability in LCDS LAquis SCADA allows attackers to bypass security controls and write arbitrary files to the operating system through path traversal when a malicious project file is loaded and played. It affects users of LAquis SCADA through version 4.3.1.1085 and can lead to remote code execution.
💻 Affected Systems
- LCDS LAquis SCADA
📦 What is this software?
Scada by Laquisscada
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining code execution at the user's privilege level, potentially leading to lateral movement, data theft, or ransomware deployment.
Likely Case
Local file system manipulation leading to privilege escalation, persistence mechanisms, or data corruption.
If Mitigated
Limited impact with proper user awareness training and restricted permissions preventing file writes to critical locations.
🎯 Exploit Status
Exploitation requires social engineering to get the victim to load a malicious project file, but technical exploitation is straightforward once the file is loaded.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 4.3.1.1085
Vendor Advisory: https://github.com/jacob-baines/vuln_disclosure/blob/main/vuln_2021_04.txt
Restart Required: Yes
Instructions:
1. Contact LCDS for updated version.
2. Backup current configuration.
3. Install updated version.
4. Restart SCADA services.
5. Verify functionality.
🔧 Temporary Workarounds
Restrict Project File Loading
Windows: Implement policies to only load project files from trusted sources and disable automatic execution features.
User Account Control
Windows: Run SCADA software with limited user privileges to restrict file write capabilities to sensitive locations.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SCADA systems from general corporate networks
- Deploy application whitelisting to prevent execution of unauthorized files and scripts
🔍 How to Verify
Check if Vulnerable:
Check LAquis SCADA version in Help > About menu. If version is 4.3.1.1085 or earlier, system is vulnerable.
Check Version:
Check via GUI: Help > About in LAquis SCADA application
Verify Fix Applied:
Verify version is greater than 4.3.1.1085 and test loading project files with path traversal attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations in system directories
- Multiple failed attempts to access restricted paths
- Loading of .els project files from untrusted sources
Network Indicators:
- Unexpected file transfers to/from SCADA systems
- Anomalous network connections following project file loading
SIEM Query:
source="windows_security" AND (event_id=4656 OR event_id=4663) AND object_name="*\*.els" AND process_name="*laquis*"
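An added example, not part of the original advisory or any LCDS tooling: a Python filter for the "unusual file write operations" indicator above. It keeps event 4663 writes made by a LAquis process whose target resolves outside an expected project directory. The project root, install path, dict layout and sample events are constructed assumptions.

```python
import ntpath

# Assumption: the one directory LAquis projects are expected to write into.
ALLOWED_ROOTS = [r"C:\SCADA\Projects"]
WRITE_MASK = 0x2 | 0x4  # FILE_WRITE_DATA | FILE_APPEND_DATA bits of AccessMask


def inside(path, root):
    """True if path, after resolving '..', is root or below it (case-insensitive)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")


def suspicious_writes(events, process_hint="laquis", roots=ALLOWED_ROOTS):
    """Return normalized targets of 4663 writes by a LAquis process outside roots."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue
        exe = ntpath.basename(ev.get("ProcessName", "")).lower()
        if process_hint not in exe:
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & WRITE_MASK:
            continue  # read-only access, not a write
        target = ev.get("ObjectName", "")
        if not any(inside(target, r) for r in roots):
            hits.append(ntpath.normpath(target))
    return hits


# Constructed sample events (field names as in event 4663; values are made up).
EXE = r"C:\Program Files\LAquis\laquis.exe"  # assumed install path
SAMPLE_EVENTS = [
    {"EventID": 4663, "ProcessName": EXE, "AccessMask": "0x2",
     "ObjectName": r"C:\SCADA\Projects\plant1\trend.dat"},
    {"EventID": 4663, "ProcessName": EXE, "AccessMask": "0x2",
     "ObjectName": r"C:\SCADA\Projects\plant1\..\..\..\Windows\example.txt"},
    {"EventID": 4663, "ProcessName": EXE, "AccessMask": "0x4",
     "ObjectName": r"C:\SCADA\Projects_old\a.els"},  # sibling dir, prefix only
    {"EventID": 4663, "ProcessName": EXE, "AccessMask": "0x1",
     "ObjectName": r"C:\Windows\win.ini"},  # read, ignored
    {"EventID": 4663, "ProcessName": r"C:\Windows\explorer.exe",
     "AccessMask": "0x2", "ObjectName": r"C:\Windows\example.txt"},
]

if __name__ == "__main__":
    for path in suspicious_writes(SAMPLE_EVENTS):
        print("ALERT write outside project root:", path)
```

Object-access events 4656/4663 are only generated when file system auditing is enabled and a SACL covers the monitored directories.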