CVE-2021-43931 – CVE-2021-43931 is an authentication bypass vuln... (How to Fix)

Q: What is the severity of CVE-2021-43931?

CVE-2021-43931 has a CVSS score of 9.8 (CRITICAL). CVE-2021-43931 is an authentication bypass vulnerability in WebHMI portal software that allows attackers to circumvent authentication mechanisms and gain unauthorized access. This affects industrial control systems using vulnerable versions of WebHMI. The vulnerability stems from a separate weakness that undermines the otherwise sound authentication algorithm.

📋 TL;DR

CVE-2021-43931 is an authentication bypass vulnerability in WebHMI portal software that allows attackers to circumvent authentication mechanisms and gain unauthorized access. This affects industrial control systems using vulnerable versions of WebHMI. The vulnerability stems from a separate weakness that undermines the otherwise sound authentication algorithm.

💻 Affected Systems

Products:

WebHMI

Versions: All versions prior to 4.1.1

Operating Systems: Windows, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Affects WebHMI installations regardless of operating system when using the web portal interface.

📦 What is this software?

Webhmi Firmware by Webhmi

View all CVEs affecting Webhmi Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of industrial control systems, allowing attackers to manipulate HMI interfaces, disrupt operations, or cause physical damage to industrial processes.

🟠

Likely Case

Unauthorized access to HMI interfaces enabling monitoring of industrial processes, data exfiltration, or preparation for further attacks.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing exploitation attempts from reaching vulnerable systems.

🌐 Internet-Facing: HIGH - WebHMI portals often face the internet for remote monitoring, making them directly accessible to attackers.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability to gain unauthorized access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The authentication bypass is straightforward to exploit once the separate weakness is identified, requiring minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.1

Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-336-03

Restart Required: Yes

Instructions:

1. Download WebHMI version 4.1.1 or later from the vendor. 2. Backup current configuration. 3. Install the update following vendor instructions. 4. Restart the WebHMI service. 5. Verify the update was successful.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate WebHMI systems from untrusted networks and restrict access to authorized IP addresses only.

Access Control Lists

all

Implement firewall rules to restrict access to WebHMI ports (typically 80/443) to authorized management networks.

🧯 If You Can't Patch

Implement strict network segmentation to isolate WebHMI systems from untrusted networks
Deploy web application firewall (WAF) rules to detect and block authentication bypass attempts

🔍 How to Verify

Check if Vulnerable:

Check WebHMI version via the web interface or configuration files. Versions below 4.1.1 are vulnerable.

Check Version:

Check WebHMI web interface or consult configuration files for version information

Verify Fix Applied:

Verify WebHMI version is 4.1.1 or higher and test authentication functionality to ensure proper access controls are enforced.

📡 Detection & Monitoring

Log Indicators:

Failed authentication attempts followed by successful access
Access from unexpected IP addresses
Authentication bypass patterns in web logs

Network Indicators:

Unauthorized access to WebHMI web ports
Traffic patterns indicating authentication bypass attempts

SIEM Query:

source="webhmi" AND (event="authentication_failure" OR event="authentication_bypass")

📊 Metadata

CVE ID: CVE-2021-43931

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-287

Published: December 6, 2021

Last Updated: November 21, 2024

🔗 References

https://us-cert.cisa.gov/ics/advisories/icsa-21-336-03 Patch,Third Party Advisory,US Government Resource
https://us-cert.cisa.gov/ics/advisories/icsa-21-336-03 Patch,Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-43931, you might also want to check these: