PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-3749 axios CVE debrief

CVE-2021-3749 is a HIGH severity vulnerability (CVSS 3.1 base score 7.5) in Subnet Solutions Inc. PowerSYSTEM Center, disclosed in CISA advisory ICSA-24-277-02 on October 1, 2024. The product bundles Axios, a widely used JavaScript HTTP client library, in a version that contains an inefficient regular expression (a regular expression denial of service, or ReDoS, flaw). Specially crafted input drives the expression into catastrophic backtracking, consuming CPU until the affected component stops responding. Affected versions are PowerSYSTEM Center 2020 v5.21.x and earlier; Subnet Solutions Inc. has released PowerSYSTEM Center 2020 Update 22 to address the issue. As interim mitigations, the vendor advises disabling usage of previous UI extensions and restricting Client Access Server users' access to browser developer tools, which limits visibility of HTTP headers and manipulation of the XSRF token.

Vendor
Subnet Solutions Inc. (affected product); axios (vulnerable library)
Product
PowerSYSTEM Center
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-10-01
Original CVE updated
2024-10-01
Advisory published
2024-10-01
Advisory updated
2024-10-01

Who should care

Organizations operating Subnet Solutions Inc. PowerSYSTEM Center in OT/ICS environments, particularly in the electric utility and other critical infrastructure sectors. Security teams responsible for vulnerability management in industrial control systems, administrators of PowerSYSTEM Center deployments, and compliance staff tracking CISA ICS advisories should prioritize this patch. Because the flaw is reachable over the network with no authentication, externally reachable or poorly segmented deployments are the most exposed. Note that the impact is availability only (the CVSS vector records no confidentiality or integrity impact), which matters when weighing this finding against others on the same hosts.

Technical summary

PowerSYSTEM Center 2020 v5.21.x and earlier incorporate a version of the Axios HTTP client library that contains a regular expression complexity flaw. Upstream, CVE-2021-3749 is a backtracking regular expression in the library's string-trimming helper, fixed in axios 0.21.2; the CISA advisory does not state which PowerSYSTEM Center code path passes attacker-controlled input to it, so treat any HTTP header or parameter value that the application hands to Axios as a candidate. A crafted value containing a long run of whitespace makes the expression retry and backtrack across that run from every starting position, so CPU time grows with the square of the input length and the affected component stalls. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects this: remotely reachable, no authentication or user interaction required, high availability impact and no confidentiality or integrity impact. The attack surface is the HTTP traffic processed by the Axios library within the PowerSYSTEM Center application stack.
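To make the mechanism concrete, the following is an added example written for this debrief, not code from the PatchSiren page, the CISA advisory or PowerSYSTEM Center. It places a trim written with the backtracking pattern next to a linear one and times both on a constructed payload. The exact regex is recalled from the axios trim helper prior to 0.21.2 and should be treated as an assumption of the example; the advisory itself does not quote the library code.

```javascript
'use strict';

// Added example; not code from the PatchSiren page, the CISA advisory or
// PowerSYSTEM Center. The regex form below is recalled from the axios trim
// helper before 0.21.2 and is an assumption of this example.

// Clock helper: performance.now() is a global in current Node.js and browsers;
// fall back to Date.now() elsewhere.
function nowMs() {
  return typeof performance !== 'undefined' ? performance.now() : Date.now();
}

// Vulnerable form. /\s*$/ is tried from every position in the string; at each
// position inside a whitespace run it greedily consumes the rest of the run,
// fails at the end anchor, and backtracks one character at a time. Total work
// is quadratic in the run length.
function trimVulnerable(str) {
  return str.replace(/^\s*/, '').replace(/\s*$/, '');
}

// Hardened form. String.prototype.trim is a single linear scan. A regex
// fallback such as /^\s+|\s+$/ would keep the unanchored trailing run and
// with it the quadratic behaviour, so none is used here.
function trimSafe(str) {
  return str.trim();
}

// Constructed attacker payload. The whitespace run must sit between
// non-whitespace characters: leading whitespace is removed by the first
// (linear) replace, and a trailing run would let /\s*$/ match immediately.
function craftPayload(n) {
  return 'x' + ' '.repeat(n) + 'x';
}

function timeMs(fn, input) {
  const t0 = nowMs();
  fn(input);
  return nowMs() - t0;
}

// Run both trims on the same payload and report the slowdown.
function compare(n) {
  const payload = craftPayload(n);
  const vulnerableMs = timeMs(trimVulnerable, payload);
  const safeMs = timeMs(trimSafe, payload);
  return {
    n,
    sameResult: trimVulnerable(payload) === trimSafe(payload),
    vulnerableMs,
    safeMs,
    // guard against a zero reading from a coarse clock
    slowdown: vulnerableMs / Math.max(safeMs, 0.001),
  };
}

// Demo: doubling n should roughly quadruple the vulnerable time.
for (const n of [4000, 8000, 16000]) {
  const r = compare(n);
  console.log(`n=${r.n}  vulnerable=${r.vulnerableMs.toFixed(1)} ms  safe=${r.safeMs.toFixed(3)} ms  same=${r.sameResult}`);
}
```

Run it with node: both trims return the same string, but the vulnerable one's time grows quadratically while the safe one stays flat. The same shape of input (a long whitespace run between two non-whitespace characters) is what a detection rule should look for in header and parameter values.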

Defensive priority

HIGH

Recommended defensive actions

  • Check the installed version under Settings > Overview > Version in the application and update to PowerSYSTEM Center 2020 Update 22 or later; contact Subnet Solutions Customer Service if assistance is needed
  • If immediate patching is not feasible, disable usage of previous UI extensions as a compensating control
  • Restrict PowerSYSTEM Center Client Access Server users' ability to open the browser's F12 Developer Tools, which limits their visibility of HTTP headers and their ability to manipulate the XSRF-TOKEN
  • Apply network segmentation in OT/ICS environments hosting PowerSYSTEM Center so that only authorized management hosts can reach the application's HTTP interface
  • Monitor for anomalous HTTP request patterns against the application, in particular unusually long or whitespace-padded header and parameter values, and for sustained CPU spikes in the web tier that coincide with them; either may indicate attempted regular expression complexity attacks against the bundled Axios components
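As a concrete form of the last item, the following added example (not from the page, the advisory or the vendor) screens a raw HTTP header block for values that would drive a backtracking trim into quadratic time: an overlong value or a long internal whitespace run. The sample requests, header names and thresholds are constructed for illustration; the advisory does not state whether the vulnerable code path in PowerSYSTEM Center is fed from request or response headers, so the same check can sit in front of either side.

```javascript
'use strict';

// Added example; not code from the PatchSiren page, the CISA advisory or
// PowerSYSTEM Center. Thresholds and sample requests are assumptions.

const MAX_HEADER_VALUE = 8192;   // assumed ceiling; tune to the deployment
const MAX_WHITESPACE_RUN = 64;   // assumed; legitimate headers carry a few spaces at most

// Parse a raw HTTP/1.1 header block (request line, then "Name: value" lines,
// CRLF separated) into { requestLine, headers: [[name, value], ...] }.
function parseHeaderBlock(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.length > 0);
  const requestLine = lines.shift() || '';
  const headers = [];
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i < 0) continue;           // obs-fold continuation or junk; out of scope here
    headers.push([line.slice(0, i), line.slice(i + 1)]);
  }
  return { requestLine, headers };
}

// Longest run of space/tab characters inside a value, measured with a
// linear index scan (no regex) so the detector itself cannot be made to
// backtrack.
function longestWhitespaceRun(value) {
  let best = 0;
  let run = 0;
  for (const ch of value) {
    if (ch === ' ' || ch === '\t') {
      run += 1;
      if (run > best) best = run;
    } else {
      run = 0;
    }
  }
  return best;
}

// Returns a list of findings for one header block; an empty list means
// nothing suspicious. Each finding names the header and the measured size
// so it can be logged or used to reject the message before a parser sees it.
function screenRequest(raw) {
  const { requestLine, headers } = parseHeaderBlock(raw);
  const findings = [];
  for (const [name, value] of headers) {
    if (value.length > MAX_HEADER_VALUE) {
      findings.push({ requestLine, header: name, reason: 'overlong value', size: value.length });
    }
    const run = longestWhitespaceRun(value);
    if (run > MAX_WHITESPACE_RUN) {
      findings.push({ requestLine, header: name, reason: 'whitespace run', size: run });
    }
  }
  return findings;
}

// Constructed samples: a normal request and one whose token header is
// padded with the whitespace run that a backtracking trim chokes on.
const benignRequest = [
  'GET /api/status HTTP/1.1',
  'Host: psc.example.internal',
  'X-XSRF-TOKEN: constructed-token-0001',
  '',
].join('\r\n');

const paddedRequest = [
  'GET /api/status HTTP/1.1',
  'Host: psc.example.internal',
  'X-XSRF-TOKEN: a' + ' '.repeat(20000) + 'a',
  '',
].join('\r\n');

console.log('benign:', JSON.stringify(screenRequest(benignRequest)));
console.log('padded:', JSON.stringify(screenRequest(paddedRequest)));
```

Place the check in whatever sits in front of the application (a reverse proxy or WAF rule, or a logging hook on the client side) and alert on any finding; the two thresholds are independent so a value can be flagged for length alone even when its whitespace is spread out.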

Evidence notes

The vulnerability description is derived from CISA CSAF advisory ICSA-24-277-02, which identifies PowerSYSTEM Center versions <=PSC_2020_v5.21.x as affected. The advisory confirms the product utilizes Axios, which is vulnerable to inefficient regular expression complexity. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates network-accessible, low-complexity attack with no privileges required, resulting in high availability impact. The vendor fix is documented as PowerSYSTEM Center 2020 Update 22.

Official resources

CISA published advisory ICSA-24-277-02 on October 1, 2024, disclosing this vulnerability in Subnet Solutions Inc. PowerSYSTEM Center. The underlying Axios vulnerability (CVE-2021-3749) was originally identified in 2021, but its impact on OT