CVE-2021-21865: 
CODESYS Development System vulnerability analysis and mitigation

An unsafe deserialization vulnerability (CVE-2021-21865) exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System 3.5.16. The vulnerability was discovered in May 2021 and publicly disclosed on July 26, 2021. The affected software is the CODESYS Development System, which is an IEC 61131-3 programming tool for industrial control and automation technology, available in both 32-bit and 64-bit versions (Talos Report).

The vulnerability exists in the BinaryFormatter.Deserialize method within the Clone() functionality. The deserialization that occurs is vulnerable to exploitation via copy/paste functionality within the Package Designer tree view. The BinaryFormatter.Deserialize method is inherently unsafe when used with untrusted input. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is classified as CWE-502 (Deserialization of Untrusted Data) (NVD, Talos Report).

A successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the victim machine through a specially crafted file. The vulnerability has high potential impact on confidentiality, integrity, and availability of the affected system (NVD).

CODESYS has released patches to address this vulnerability. Users are strongly encouraged to update to a patched version of the software. The fix was coordinated between Cisco Talos and CODESYS Group to ensure the issue was resolved (Talos Report).