CVE-2021-44222

9.1 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to send arbitrary messages to the MQTT service in SIMATIC eaSie Core Package systems. Attackers can issue arbitrary requests to affected systems, potentially leading to unauthorized control or data manipulation. All users of SIMATIC eaSie Core Package versions before V22.00 are affected.

💻 Affected Systems

Products:
  • SIMATIC eaSie Core Package
Versions: All versions < V22.00
Operating Systems: Not specified in advisory
Default Config Vulnerable: ⚠️ Yes
Notes: Default configuration lacks MQTT service authentication

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing remote code execution, data theft, or disruption of industrial processes

🟠 Likely Case: Unauthorized message injection leading to system manipulation, data corruption, or denial of service

🟢 If Mitigated: Limited impact if proper network segmentation and authentication controls are implemented

🌐 Internet-Facing: HIGH - Unauthenticated remote access allows direct exploitation from the internet
🏢 Internal Only: HIGH - Even internal attackers can exploit without credentials

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Direct exploitation via MQTT protocol without authentication

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V22.00 or later

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-580125.pdf

Restart Required: Yes

Instructions:

1. Download V22.00 or later from Siemens support portal
2. Backup current configuration
3. Install update following Siemens documentation
4. Restart affected systems
5. Verify MQTT authentication is enabled

🔧 Temporary Workarounds

Enable MQTT Authentication

all

Configure MQTT service to require authentication before accepting messages

Refer to Siemens documentation for specific MQTT authentication configuration

Network Segmentation

all

Restrict network access to MQTT service ports

Use firewall rules to block external access to MQTT ports (typically 1883/8883)

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to block all external access to MQTT ports
  • Enable MQTT authentication and use strong credentials if supported by current version

🔍 How to Verify

Check if Vulnerable:

Check if SIMATIC eaSie Core Package version is below V22.00 and MQTT authentication is disabled

Check Version:

Check via Siemens management interface or product documentation

Verify Fix Applied:

Verify version is V22.00 or later and MQTT service requires authentication

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated MQTT connection attempts
  • MQTT messages from unexpected sources

Network Indicators:

  • MQTT traffic on ports 1883/8883 without authentication
  • Unusual MQTT message patterns

SIEM Query:

mqtt AND (port:1883 OR port:8883) AND NOT auth_success
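
The "MQTT traffic without authentication" indicator above can be checked by reading the Connect Flags byte of each MQTT CONNECT packet, where bit 7 marks a username and bit 6 a password. The following is an added example, not code from the Siemens advisory or from this page; the function names and sample packets are constructed for illustration, and it assumes cleartext MQTT payloads (port 1883).

```python
# Added example (not from the advisory): spot credential-less MQTT CONNECTs.
import struct

def _remaining_length(buf, pos):
    """Skip the MQTT variable-length 'Remaining Length'; return next offset."""
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated fixed header")
        byte, pos = buf[pos], pos + 1
        if not byte & 0x80:
            return pos
    raise ValueError("malformed remaining length")

def inspect_connect(payload):
    """Return the auth-relevant fields of a CONNECT packet, else None."""
    if len(payload) < 2 or payload[0] != 0x10:      # 0x10 = CONNECT
        return None
    try:
        pos = _remaining_length(payload, 1)
        (name_len,) = struct.unpack_from(">H", payload, pos)
    except (ValueError, struct.error):
        return None
    name = payload[pos + 2:pos + 2 + name_len]
    pos += 2 + name_len
    if name not in (b"MQTT", b"MQIsdp") or pos + 2 > len(payload):
        return None
    level, flags = payload[pos], payload[pos + 1]   # flags precede keep-alive
    has_user, has_pass = bool(flags & 0x80), bool(flags & 0x40)
    return {"protocol": name.decode(), "level": level,
            "username": has_user, "password": has_pass,
            "anonymous": not (has_user or has_pass)}

def anonymous_sources(packets):
    """packets: iterable of (src_ip, tcp_payload); return IPs of anonymous CONNECTs."""
    hits = []
    for src, payload in packets:
        info = inspect_connect(payload)
        if info and info["anonymous"]:
            hits.append(src)
    return hits

# Constructed sample packets (MQTT 3.1.1, client id "test"); IPs are RFC 5737.
ANON = bytes.fromhex("101000044d5154540402003c000474657374")
AUTH = bytes.fromhex("101800044d51545404c2003c00047465737400026f7000027077")
PING = bytes.fromhex("c000")
SAMPLE = [("192.0.2.10", ANON), ("192.0.2.20", AUTH), ("192.0.2.10", PING)]

if __name__ == "__main__":
    print(anonymous_sources(SAMPLE))
```

On port 8883 the CONNECT packet is inside TLS, so this check has to run at the broker or after TLS termination. A CONNECT that carries credentials only indicates protection if the broker actually validates them.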
