CVE-2021-43985
📋 TL;DR
CVE-2021-43985 allows an unauthenticated remote attacker to access mySCADA myPRO systems without authentication or authorization, potentially leading to unauthorized control or data exposure. Affected users include those running mySCADA myPRO versions 8.20.0 and prior, particularly in industrial control environments.
💻 Affected Systems
- mySCADA myPRO
📦 What is this software?
myPRO by mySCADA, a SCADA/HMI platform used to supervise and control industrial processes.
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full control over the SCADA system, enabling manipulation of industrial processes, data theft, or disruption of critical operations, potentially causing safety hazards or financial loss.
Likely Case
Unauthorized access to sensitive SCADA data, configuration changes, or limited system control, leading to operational disruptions or information leakage.
If Mitigated
If isolated behind firewalls or with network segmentation, impact is reduced to internal network access only, limiting exposure to external threats.
🎯 Exploit Status
Exploitation is straightforward due to the lack of authentication, but specific exploit details may not be publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 8.21.0 or later
Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-21-355-01
Restart Required: Yes
Instructions:
1. Download the latest version from the mySCADA vendor.
2. Back up the current configuration and data.
3. Install the update following the vendor's instructions.
4. Restart the system to apply the changes.
🔧 Temporary Workarounds
Network Segmentation
Isolate mySCADA myPRO systems from untrusted networks, especially the internet, to prevent remote unauthenticated access.
Firewall Rules
Implement strict firewall rules that block external access to the mySCADA myPRO ports and allow only trusted IP addresses.
Example for Linux iptables (rules are evaluated in order, so the ACCEPT for the trusted address must be appended before the catch-all DROP):
iptables -A INPUT -p tcp --dport [myPRO_port] -s [trusted_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [myPRO_port] -j DROP
🧯 If You Can't Patch
- Implement network access controls to restrict access to only authorized users and systems.
- Monitor logs and network traffic for unauthorized access attempts and review system configurations regularly.
🔍 How to Verify
Check if Vulnerable:
Check the mySCADA myPRO version through its interface or documentation; if it is 8.20.0 or earlier, it is vulnerable.
Check Version:
Consult mySCADA myPRO documentation or interface for version information; no standard command provided.
Verify Fix Applied:
After patching, confirm the version is 8.21.0 or later and test that unauthenticated access is no longer possible.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts in authentication logs
- Unexpected connections from unknown IP addresses
Network Indicators:
- Unusual traffic to mySCADA myPRO ports from external sources
- Failed authentication requests
SIEM Query:
Example: source_ip NOT IN trusted_list AND destination_port = [myPRO_port] AND action = 'access_denied'
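The SIEM query above expressed as stand-alone detection logic, as an added example that is not part of this advisory and not mySCADA code: it parses constructed connection-log lines in an assumed key=value format and flags denied access to the myPRO port from addresses outside a trusted list. The port number and trusted networks are placeholders to replace with your deployment's values; unparsable source addresses are treated as untrusted so that they are never silently dropped.

```python
import ipaddress
import re

# Placeholder values: the advisory does not name the myPRO port, so set this
# to the port your deployment listens on. The trusted networks are constructed.
MYPRO_PORT = 9999  # placeholder, not the real myPRO port
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.5/32"),
]

# Constructed sample log lines in an assumed key=value format (not a mySCADA format).
SAMPLE_LOGS = """\
ts=2021-12-21T10:00:01Z src=10.0.0.12 dst=10.0.0.50 dport=9999 action=access_denied
ts=2021-12-21T10:00:02Z src=203.0.113.7 dst=10.0.0.50 dport=9999 action=access_denied
ts=2021-12-21T10:00:03Z src=203.0.113.7 dst=10.0.0.50 dport=9999 action=allowed
ts=2021-12-21T10:00:04Z src=198.51.100.9 dst=10.0.0.50 dport=22 action=access_denied
ts=2021-12-21T10:00:05Z src=192.168.1.5 dst=10.0.0.50 dport=9999 action=access_denied
ts=2021-12-21T10:00:06Z src=not-an-ip dst=10.0.0.50 dport=9999 action=access_denied
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    return dict(KV_RE.findall(line))


def is_trusted(ip_text, trusted=TRUSTED_NETWORKS):
    """True if the address lies inside any trusted network; unparsable input is untrusted."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def find_untrusted_denials(lines, port=MYPRO_PORT, trusted=TRUSTED_NETWORKS):
    """source_ip NOT IN trusted_list AND destination_port = port AND action = 'access_denied'."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if not all(k in ev for k in ("src", "dport", "action")):
            continue  # malformed line: nothing to evaluate
        if ev["dport"] != str(port) or ev["action"] != "access_denied":
            continue
        if not is_trusted(ev["src"], trusted):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_untrusted_denials(SAMPLE_LOGS.splitlines()):
        print(ev.get("ts", "?"), ev["src"], "-> port", ev["dport"], ev["action"])
```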