CVE-2021-43989
📋 TL;DR
mySCADA myPRO versions 8.20.0 and prior store passwords using the weak MD5 hashing algorithm, which allows attackers who obtain password hashes to crack them relatively easily. This affects industrial control systems using vulnerable mySCADA software, potentially compromising SCADA/HMI systems.
💻 Affected Systems
- mySCADA myPRO
📦 What is this software?
myPRO by mySCADA
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise leading to unauthorized control of industrial processes, data manipulation, or operational disruption in critical infrastructure environments.
Likely Case
Attackers gain authenticated access to SCADA/HMI systems, enabling data theft, configuration changes, or lateral movement within industrial networks.
If Mitigated
Limited impact due to network segmentation, strong authentication controls, and monitoring that detects hash extraction attempts.
🎯 Exploit Status
Exploitation requires first obtaining password hashes through other means (database access, file read vulnerabilities, etc.), then using MD5 cracking tools like hashcat or rainbow tables.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.21.0 or later
Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-21-355-01
Restart Required: Yes
Instructions:
1. Download mySCADA myPRO version 8.21.0 or later from official vendor sources.
2. Backup current configuration and data.
3. Install the updated version following vendor documentation.
4. Restart the myPRO service/application.
5. Force password resets for all user accounts to generate new secure hashes.
🔧 Temporary Workarounds
Enforce Strong Password Policy
All platforms: Implement complex password requirements to make MD5 cracking more difficult
Network Segmentation
All platforms: Isolate mySCADA systems from general network access
🧯 If You Can't Patch
- Implement multi-factor authentication for all mySCADA access
- Monitor for unauthorized access attempts and hash extraction activities
🔍 How to Verify
Check if Vulnerable:
Check myPRO version in application interface or configuration files. Versions 8.20.0 or earlier are vulnerable.
Check Version:
Check application about dialog or configuration files for version information
Verify Fix Applied:
Verify installation of version 8.21.0 or later and confirm password hashes are no longer using MD5 (check database or configuration storage).
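One way to carry out the hash-format check after upgrading and forcing resets, as an added example that is not mySCADA's or the advisory's code. It assumes the stored credentials have been exported to `user:hash` lines, which is a hypothetical layout because this page does not describe how myPRO stores them; the sample records are constructed.

```python
import hashlib
import re

# Generic hash encodings, not a description of myPRO's storage format.
# A bare 32-hex value may be another 128-bit digest; "md5" here is a shape
# match that flags the account for a forced reset either way.
MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
KDF_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2i$", "$argon2d$",
                "$argon2id$", "$scrypt$", "$pbkdf2", "$5$", "$6$")

def classify(stored):
    """Return 'md5', 'salted_kdf' or 'unknown' for one stored hash string."""
    value = stored.strip()
    if MD5_HEX.match(value) or MD5_CRYPT.match(value):
        return "md5"
    if value.startswith(KDF_PREFIXES):
        return "salted_kdf"
    return "unknown"

def audit(lines):
    """Parse 'user:hash' lines (hypothetical export) into {user: class}."""
    report = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, stored = line.partition(":")
        report[user] = classify(stored) if sep else "unknown"
    return report

def accounts_needing_reset(lines):
    """Users whose stored value is still MD5-shaped, sorted by name."""
    return sorted(u for u, kind in audit(lines).items() if kind == "md5")

# Constructed sample export; none of these values come from a real system.
SAMPLE_EXPORT = [
    "# constructed sample, not real myPRO data",
    "operator:" + hashlib.md5(b"constructed-sample").hexdigest(),
    "engineer:$2b$12$" + "A" * 53,
    "admin:$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA",
    "legacy:plaintext-or-other",
]

if __name__ == "__main__":
    for user in accounts_needing_reset(SAMPLE_EXPORT):
        print(f"{user}: MD5-shaped hash still stored, force a password reset")
```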
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts
- Unusual database access patterns
- Password hash extraction attempts
Network Indicators:
- Unusual outbound connections from mySCADA systems
- Traffic patterns suggesting hash dumping
SIEM Query:
source="mySCADA" AND (event_type="authentication_failure" OR event_type="database_access")