PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-21707 Festo Didactic SE CVE debrief

CVE-2021-21707 describes a PHP filename-handling flaw in certain XML parsing functions, including simplexml_load_file(). When a filename is URL-decoded and contains a URL-encoded NUL byte, PHP may treat the NUL as the end of the filename and open a different file than the caller intended. In the Festo Didactic SE MES PC advisory context, the vendor directs operators to a replacement Factory Control Panel release for affected MES PCs.

Vendor: Festo Didactic SE
Product: MES PC
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-02-27
Original CVE updated: 2026-01-27
Advisory published: 2024-02-27
Advisory updated: 2026-01-27

Who should care

Festo Didactic MES PC operators, OT/ICS defenders, and administrators running PHP 7.3.x below 7.3.33, 7.4.x below 7.4.26, or 8.0.x below 8.0.13 in any workflow that passes filenames into XML parsing functions.

Technical summary

The supplied advisory data says certain PHP XML parsing functions URL-decode the filename parameter before use. If an attacker can supply a URL-encoded NUL character, the effective path may be truncated at the NUL and a different file may be read. The advisory maps the issue to CWE-159 and gives a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Defensive priority

Medium. Prioritize patching or replacement where the affected PHP runtime is present on exposed or user-influenced systems, especially MES PC deployments that process filenames through XML parsers.

Recommended defensive actions

  • Obtain and deploy Festo's current Factory Control Panel replacement for MES PCs, as directed in the advisory, through Festo technical support.
  • Ensure any affected PHP deployment is updated to at least 7.3.33, 7.4.26, or 8.0.13, depending on the installed branch.
  • Audit code and integrations that call XML parsing functions such as simplexml_load_file() so untrusted input cannot influence filenames.
  • Reject URL-encoded NUL bytes and other unexpected encodings before any filename is passed to the parser.
  • Reduce exposure of any service that processes external input into file paths until remediation is complete.
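As an added example (not code from the advisory, Festo or the PHP project), the following PHP guard applies the audit and input-rejection actions above: it refuses raw and URL-encoded NUL bytes, allow-lists the basename, and confines the resolved path to one directory before simplexml_load_file() is ever called, so the truncation cannot occur whatever runtime version is installed. The directory, file and sample inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the advisory or Festo): validate a caller-supplied
// XML filename before it reaches simplexml_load_file(), so that a raw or
// URL-encoded NUL byte can never truncate the path on an unpatched runtime.
// Assumption: $baseDir is the only directory the application should read from.

function safeXmlPath(string $candidate, string $baseDir): ?string
{
    // Reject a raw NUL and any percent-encoding (which covers %00): the
    // affected runtimes URL-decode the filename, so "%00" becomes a NUL.
    if (strpos($candidate, "\0") !== false || preg_match('/%[0-9a-f]{2}/i', $candidate)) {
        return null;
    }
    // Allow-list a plain basename: no directory separators, no leading dot.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]*\.xml$/', $candidate)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $candidate);
    // realpath() resolves symlinks; confirm the target still lies inside $baseDir.
    if ($full === false || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

function loadTrustedXml(string $candidate, string $baseDir): ?SimpleXMLElement
{
    $path = safeXmlPath($candidate, $baseDir);
    if ($path === null) {
        error_log('rejected XML filename: ' . bin2hex($candidate)); // hex keeps the log unambiguous
        return null;
    }
    $xml = simplexml_load_file($path);
    return $xml === false ? null : $xml;
}

// Constructed demonstration: a scratch directory holding one legitimate file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xmlguard-' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'recipe.xml', '<recipe><step>mix</step></recipe>');

$cases = ['recipe.xml', 'recipe.xml%00.txt', "recipe.xml\0.txt", '../recipe.xml'];
foreach ($cases as $c) {
    $xml = loadTrustedXml($c, $dir);
    printf("%-36s %s\n", bin2hex($c), $xml === null ? 'rejected' : 'loaded: ' . $xml->step);
}
unlink($dir . DIRECTORY_SEPARATOR . 'recipe.xml');
rmdir($dir);
```

Only the first case loads; the encoded NUL, the raw NUL and the traversal attempt are all rejected before the parser sees a path.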

Evidence notes

The CISA CSAF source item for ICSA-26-027-02 and its references state the affected PHP versions, describe the URL-decoded NUL filename issue, and provide the vendor remediation path for Festo MES PC. The advisory metadata also supplies the CVSS vector and score. The supplied data shows no KEV listing.

Official resources

The supplied timeline shows public publication on 2024-02-27 and a later CISA republication/metadata update on 2026-01-27. No KEV date is listed in the supplied data.