Loading

Industrial Security Advisory Index

Security vulnerabilities known to affect particular versions of Rockwell Automation products and instructions on what users can do to protect themselves.
Have a Security Concern? SIGN UP FOR ALERTS

We have moved Rockwell Automation’s security advisories to our public-facing Trust Center. Please read more about the initiative here.

The Office of Product Safety and Security (OPSS) recently relocated Rockwell Automation’s security advisories to our public-facing Trust Center. The Rockwell Automation Trust Center is a resource for customers to learn about cybersecurity at Rockwell. In the past, our security advisories were stored in the Rockwell Automation Knowledgebase index and required a login to obtain access. In migrating advisories to our new Trust Center Security Advisory index, customers and stakeholders now have more transparent access to security information for better user experience moving forward.

The new Security Advisory Index includes enhancements such as key word searchability, CSAF VEX files, and advisory filtering. Rockwell security advisories also report Known Exploit Vulnerability (KEV) data to enable customers to inform vulnerability management in their environments.

This move supports Rockwell’s commitment to security and transparency in making security information more easily accessible to customers. The legacy Knowledgebase index will remain active through mid-2024. Customers will continue to receive alerts based on their subscription preferences and can subscribe for alerts using the existing service.

Going forward the Office of Product Safety and Security (OPSS) will continue to improve the Trust Center and address customer’s needs.
Sort & Filter
CloseClose
CloseClose

Filter & Refine

Showing
-
of
Results
Caret DownDownwards caret
SearchSearch
Sort By
Last Updated Date
CVSS Score
Product
Filter Results
Showing
-
of
Results
PN1639 | Select Distributed I/O Communication Modules vulnerable to a Denial-of-Service Vulnerability (CVE-2022-1737)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 23, 2023

Affected Products

Affected Product First Known in Firmware Version Corrected in Firmware Version
1734-AENT/1734-AENTR Series C <=7.011 7.013
1734-AENT/1734-AENTR Series B <=5.019 5.021
1738-AENT/ 1738-AENTR Series B <=6.011 6.013
1794-AENTR Series A <=2.011 2.012
1732E-16CFGM12QCWR Series A <=3.011 3.012
1732E-12X4M12QCDR Series A <=3.011 3.012
1732E-16CFGM12QCR Series A <=3.011 3.012
1732E-16CFGM12P5QCR Series A <=3.011 3.012
1732E-12X4M12P5QCDR Series A <=3.011 3.012
1732E-16CFGM12P5QCWR Series B <=3.011 3.012
1732E-IB16M12R Series B <=3.011 3.012
1732E-OB16M12R Series B <=3.011 3.012
1732E-16CFGM12R Series B <=3.011 3.012
1732E-IB16M12DR Series B <=3.011 3.012
1732E-OB16M12DR Series B <=3.011 3.012
1732E-8X8M12DR Series B <=3.011 3.012
1799ER-IQ10XOQ10 Series B <=3.011 3.012

Vulnerability Details

This issue was reported to Rockwell Automation by the Cybersecurity and Infrastructure Security Agency.  The affected devices utilize the Pyramid Solutions EtherNet/IP Adapter kit and are could potentially be affected by the vulnerability.

CVE-2022-1737 IMPACT
Pyramid Solutions' affected products, the Developer and DLL kits for EtherNet/IP Adapter and EtherNet/IP Scanner may be vulnerable to an out-of-bounds write, which may allow an unauthorized threat actor to send a specially crafted packet that may result in a denial-of-service condition.

CVSS Base Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE: CWE-787 Out-of-Bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible. Additionally, we encourage our customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

PN1638 | ThinManager® ThinServer™ Input Validation Vulnerabilities (CVE-2023-2917, CVE-2023-2914, CVE-2023-2915)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 17, 2023

Affected Products

Affected Product Vulnerability First Known in Software Versions Corrected in Software Versions
ThinManager® ThinServer™
  • CVE-2023-2914
  • CVE-2023-2915
  • CVE-2023-2917
  • 11.0.0-11.2.6
  • 11.1.0-11.1.6
  • 11.2.0-11.2.6
  • 12.0.0-12.0.5
  • 12.1.0-12.1.6
  • 13.0.0-13.0.2
  • 13.1.0

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. This vulnerability was discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2023-2914 IMPACT
Due to improper input validation, an integer overflow condition exists in the affected products. When the ThinManager processes incoming messages, a read access violation occurs and terminates the process. A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: 20 Improper Input Validation

CVE-2023-2915 IMPACT
Due to improper input validation, a path traversal vulnerability exists when the ThinManager processes a certain function. If exploited, an unauthenticated remote threat actor can delete arbitrary files with system privileges.   A malicious user could exploit this vulnerability by sending a specifically crafted synchronization protocol message.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: 20 Improper Input Validation

CVE-2023-2917 IMPACT
Due to improper input validation, a path traversal vulnerability exists, via the file name field, when the ThinManager processes a certain function. If exploited, an unauthenticated remote attacker can upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed.  A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message.

CVSS Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 Improper Input Validation

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

PN1637 | Armor ™ PowerFlex ® Critical Fault Vulnerability (CVE-2023-2423)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 8, 2023

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Armor™ PowerFlex® 1.003 2.001 or later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2423 IMPACT
A vulnerability was discovered in Armor™ PowerFlex® when the product sends communications to the local event log. Threat actors could exploit this vulnerability by sending an influx of network commands, causing the product to generate an influx of event log traffic at a high rate. If exploited, the product would stop normal operations and self-reset. The error code would need to be cleared prior to resuming normal operations.

CVSS Base Score: 8.6
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE- 682 Incorrect Calculation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected versions are encouraged to apply the below risk mitigations and implement our suggested security best practices to minimize risk of this vulnerability in their environments.

Additional Resources

PN1634 | Kinetix® 5700 DC Bus Power Supply Series A – CIP Message Attack Could Cause Denial-Of-Service (CVE-2023-2263)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 18, 2023

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Kinetix® 5700 DC Bus Power Supply – Series A V13.001 V13.003

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2263 IMPACT
The Kinetix 5700  DC Bus Power Supply Series A is vulnerable to CIP fuzzing.  The new ENIP   connections cannot be established if impacted by this vulnerability,  which prohibits operational capabilities of the device resulting in a denial-of-service attack.

CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400: Uncontrolled Resource Consumption

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible.

Additional Resources

PN1635 | ThinManager® ThinServer™ Path Traversal Vulnerability (CVE-2023-2913)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 18, 2023

Affected Products

Affected Product First Known in software version Corrected in software version
ThinManager® ThinServer™
  • 13.0.0 - 13.0.2
  • 13.1.0
  • 13.0.3 or later
  • 13.1.1 or later

Vulnerability Details

A vulnerability was discovered by Security Researchers at Flashpoint.io and reported to Rockwell Automation. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2913 IMPACT
An executable used in the affected products can be configured to enable an API feature in the HTTPS Server Settings. This feature is disabled by default. When the API is enabled and handling requests, a path traversal vulnerability exists that allows a remote actor to leverage the privileges of the server’s file system and read arbitrary files stored in it. A malicious user could exploit this vulnerability by executing a path that contains manipulating variables.

CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-23 Relative Path Traversal

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of vulnerability.

Additional Resources

PN1633 | Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules (CVE-2023-3596, CVE-2023-3595)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 12, 2023

Executive Summary

Rockwell Automation, in coordination with the U.S. government, has analyzed a novel exploit capability attributed to Advance Persistent Threat (APT) actors affecting select communication modules. We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear. Previous threat actors cyberactivity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers. Threat activity is subject to change and customers using affected products could face serious risk if exposed.

Rockwell Automation has provided patches for all affected products, including hardware series that were out of support. Detection rules have also been provided.

Exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity, such as manipulating the module’s firmware, inserting new functionality into the module, wiping the module’s memory, falsifying traffic to/from the module, establishing persistence on the module, and potentially affect the underlying industrial process. This could result in destructive actions where vulnerable modules are installed, including critical infrastructure.

Customers using the affected products are strongly encouraged to evaluate and implement the mitigations provided below. Additional details relating to the discovered vulnerabilities, including the products in scope, impact, and recommended countermeasures, are provided below.

Affected Products

Catalog Series Versions
1756-EN2T
1756-EN2TK
1756-EN2TXT		 A,B,C <=5.008 & 5.028
D <=11.003
1756-EN2TP
1756-EN2TPK
1756-EN2TPXT		 A <=11.003
1756-EN2TR
1756-EN2TRK
1756-EN2TRXT		 A, B <=5.008 & 5.028
C <=11.003
1756-EN2F
1756-EN2FK		 A, B <=5.008 & 5.028
C <=11.003
1756-EN3TR
1756-EN3TRK		 A <=5.008 & 5.028
B <=11.003
1756-EN4TR
1756-EN4TRK
1756-EN4TRXT		 A <=5.001

Vulnerability Details

CVE-2023-3595
Where this vulnerability exists in the 1756 EN2* and 1756 EN3* products, it could allow a malicious user to perform remote code execution with persistence on the target system through maliciously crafted CIP messages. This includes the ability to modify, deny, and exfiltrate data passing through the device.

CVSS score: 9.8/10 (Critical)
CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write

CVE-2023-3596
Where this vulnerability exists in the 1756-EN4* products, it could allow a malicious user to cause a denial of service by asserting the target system through maliciously crafted CIP messages.

CVSS Score: 7.5/10 (High)
CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-787: Out-of-bounds Write

Risk Mitigation & User Action

These vulnerabilities can be addressed by performing a standard firmware update. Customers are strongly encouraged to implement the risk mitigations provided below and to the extent possible, to combine these with the QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.
Catalog Series Affected Versions Remediations
1756-EN2T
1756-EN2TK
1756-EN2TXT		 A,B,C <=5.008 & 5.028
  • Update to 5.029 or later for signed versions (**recommended).
  • Update to 5.009 for unsigned versions.
D <=11.003 Update to 11.004 or later
1756-EN2TP
1756-EN2TPK
1756-EN2TPXT		 A <=11.003 Update to 11.004 or later
1756-EN2TR
1756-EN2TRK
1756-EN2TRXT		 A, B <=5.008 & 5.028
  • Update to 5.029 or later for signed versions (**recommended).
  • Update to 5.009 for unsigned versions.
C <=11.003 Update to 11.004 or later
1756-EN2F
1756-EN2FK		 A, B <=5.008 & 5.028
  • Update to 5.029 or later for signed versions (**recommended).
  • Update to 5.009 for unsigned versions.
C <=11.003 Update to 11.004 or later
1756-EN3TR
1756-EN3TRK		 A <=5.008 & 5.028
  • Update to 5.029 or later for signed versions (**recommended).
  • Update to 5.009 for unsigned versions.
B <=11.003 Update to 11.004 or later
1756-EN4TR
1756-EN4TRK
1756-EN4TRXT		 A <=5.001 Update to 5.002 or later
** Rockwell Automation strongly recommends updating to signed firmware if possible. Once the module is updated to signed firmware (example 5.008 to 5.029), it is not possible to revert to unsigned firmware versions.

Mitigations

Organizations should take the following actions to further secure ControlLogix communications modules from exploitation.
  • Update firmware. Update EN2* ControlLogix communications modules to firmware revision 11.004 and update EN4* ControlLogix communications modules to firmware revision 5.002.
  • Properly segment networks. Given a cyber actor would require network connectivity to the communication module to exploit the vulnerability, organizations should ensure ICS/SCADA networks are properly segmented within the process structure as well as from the Internet and other non-essential networks.
  • Implement detection signatures. Use appended Snort signatures to monitor and detect anomalous Common Industrial Protocol (CIP) packets to Rockwell Automation devices.
Additionally, organizations should increase protections of ICS/SCADA networks by implementing at least the following mitigations:
  • Regularly back up devices to allow for reversion to a clean copy of firmware or a working project;
  • disable unused CIP objects on communications modules, such as unused CIP Email and Socket Objects;
  • block all traffic to CIP-enabled devices from outside the ICS/SCADA network using available security products; and
  • monitor CIP traffic for unexpected content or unusual packets lengths.

Potential Indicators of Compromise

System owners should ensure ICS/SCADA networks are baselined and regularly monitored for deviations in network activity. Specifically, systems owners can look for the following potential IOCs (Indicators of Compromise) for ControlLogix communications modules:
  • Unknown scanning on a network for Common Industrial Protocol (CIP)-enabled devices.
  • Unexpected or out-of-specification CIP packets to CIP objects implemented in ControlLogix communications modules, including the Email Object and non-public vendor-specified objects.
  • Arbitrary writes to communication module memory or firmware.
  • Unexpected firmware updates.
  • Unexpected disabling of secure boot options.
  • Uncommon firmware file names.

Detection Rules

The following Snort rules are intended to be run on a computer with network visibility of a ControlLogix communications module and can be used to detect traffic to a ControlLogix communications module that does not conform to the CIP specification as provided by ODVA (Open DeviceNet Vendors Association). While both the CIP Email and Socket Objects are capable of communicating over a network, they are intended to communicate over the backplane of a ControlLogix PLC (Programmable Logic Controller) and therefore should not be seen over the network. However, it is possible that site engineers could configure a communications module such that there is legitimate network traffic to and from CIP Email and Socket Objects, potentially resulting in false positives.

Snort 2 Rules and Snort 3 Rules are both attached below.

References

Attachments
Attachments

PN1630 | Enhanced HIM Vulnerable to Cross Site Request Forgery Attack (CVE-2023-2746)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - July 11, 2023

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Enhanced HIM v1.001 v1.002

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2746 IMPACT
The API that the application uses is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings and, as a result, is vulnerable to a Cross Site Request Forgery (CSRF) attack. To exploit this vulnerability, a malicious user would have to convince a user to click on an untrusted link through a social engineering attack or successfully perform a Cross Site Scripting Attack (XSS). Exploitation of a CSRF could potentially lead to sensitive information disclosure and full remote access to the affected products.

CVSS Base Score: 9.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-352: Cross-Site Request Forgery (CSRF)

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply risk mitigation, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of the vulnerability.

Additional Resources

PN1631 | PowerMonitor™ 1000 – Cross-Site Scripting Vulnerability (CVE-2023-2072)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 11, 2023

Affected Products

Affected Product (automated) First Known in Software Revision Corrected in Software Revision
PowerMonitor™ 1000 V4.011 V4.019

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2072 IMPACT
The PowerMonitor 1000 contains stored cross site scripting vulnerabilities within the web page of the product.  The vulnerable pages do not require privileges to access and can be injected with code by an attacker which could be used to leverage an attack on an authenticated user resulting in remote code execution and potentially the complete loss of confidentiality, integrity, and availability of the product.

CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787 Out-Of-Bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigation below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of the vulnerability.

Additional Resources

PN1627 | FactoryTalk® System Services affecting FactoryTalk® Policy Manager – Multiple Vulnerabilities (CVE-2023-2639, CVE-2023-2637, CVE-2023-2638)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 13, 2023

Affected Products

Affected Product (automated) First Known in Software Version Corrected in Software Version
FactoryTalk® Services Platform
* Only if the following were installed:
  • FactoryTalk® Policy Manager v6.11.0
  • FactoryTalk® System Services v6.11.0
 6.11.00 6.30.00

Vulnerability Details

Rockwell Automation received a report from Claroty regarding three vulnerabilities in FactoryTalk® System Services. If successfully exploited, these vulnerabilities may result in information disclosure, loading of malicious configuration files, or the elevation of privileges from a user to an administrator.

FactoryTalk® Policy Manager is dependent upon FactoryTalk® System Services and both components must be installed together. Rockwell Automation used the latest version  of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2637  IMPACT
Hard-coded cryptographic key may lead to privilege escalation. FactoryTalk® System Services uses a hard-coded cryptographic key to generate administrator cookies. This vulnerability may allow a local, authenticated non-admin user to generate an invalid administrator cookie giving them administrative privileges to the FactoryTalk® Policy Manger database. This may allow the threat actor to make malicious changes to the database that will be deployed when a legitimate FactoryTalk® Policy Manager user deploys a security policy model. User interaction is required for this vulnerability to be successfully exploited.

CVSS Base Score: 7.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H.
CWE: CWE-321: Use of Hard-coded Cryptographic Key

Known Exploited Vulnerability (KEV) database: No

CVE-2023-2638  IMPACT
Improper authorization in FTSSBackupRestore.exe may lead to the loading of malicious configuration archives. FactoryTalk® System Services does not verify that a backup configuration archive is password protected. This vulnerability may allow a local, authenticated non-admin user to craft a malicious backup archive, without password protection, that will be loaded by FactoryTalk® System Services as a valid backup when a restore procedure takes places. User interaction is required for this vulnerability to be successfully exploited.

CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
CWE: CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database: No

CVE-2023-2639  IMPACT
Origin validation error may lead to information disclosure. The underlying feedback mechanism of FactoryTalk® System Services that transfers the FactoryTalk® Policy Manager rules to relevant devices on the network does not verify that the origin of the communication is from a legitimate local client device. This may allow a threat actor to craft a malicious website that, when visited, will send a malicious script that can connect to the local WebSocket endpoint and wait for events as if it was a valid client device. If successfully exploited, this would allow a threat actor to receive information including whether FactoryTalk® Policy Manager is installed and potentially the entire security policy. User interaction is required for this vulnerability to be successfully exploited.

CVSS Base Score: 4.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE: CWE-346: Origin Validation Error

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

CVE-2023-2637 JSON
CVE-2023-2638 JSON
CVE-2023-2639 JSON

PN1628 | Apache Portable Runtime Vulnerability in FactoryTalk® Edge Gateway (CVE-2021-35940, CVE-2017-12613)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 13, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Edge Gateway v1.03.00 v1.04.00

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2021-35940 IMPACT
An out of bounds array read vulnerability was fixed in the apr_time_exp*() function in the Apache Portable Runtime v1.6.3 (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

CVSS Base Score: 7.1
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE: CWE 125 Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigation below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Additional Resources

PN1629 | Denial-of-Service Vulnerability in FactoryTalk® Transaction Manager (CVE-2023-2778)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 13, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Transaction Manager <=v13.10 BF29042 - Patch: Multiple issues, FactoryTalk Transaction Manager 13.00/13.10

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2778 IMPACT
A denial-of-service (DoS) vulnerability exists in the affected products. This vulnerability can be exploited by sending a modified packet to port 400. If exploited, the application could potentially crash or experience a high CPU or memory usage condition, causing intermittent application functionality issues. The application would need to be restarted to recover from the DoS.

CVSS Base Score 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400 Uncontrolled Resource Consumption

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible. Additionally, we encourage our customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Additional Resources

PN1625 | Inadequate Encryption Vulnerability in ThinManager® (CVE-2023-2443)

Revision History
Revision Number
2.0
Revision History
Version 1.0 - May 11, 2023
Version 2.0 - May 12, 2023 – Updated First Known in Software Version

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
ThinManager ® v13.0.0 and v13.0.1 v13.0.2

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2443 IMPACT
The affected product allows use of medium strength ciphers.  If the client requests an insecure cipher, a malicious actor could potentially decrypt traffic sent between the client and server API.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: Inadequate Encryption Strength

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize risk of vulnerability.

Additional Resources

PN1622 | ArmorStart® ST 281E, 284EE Vulnerable to Multiple XSS Vulnerabilities (CVE-2023-29030, CVE-2023-29022, CVE-2023-29028, CVE-2023-29027, CVE-2023-29023, CVE-2023-29026, CVE-2023-29029, CVE-2023-29031, CVE-2023-29024, CVE-2023-29025)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product (automated) First Known in Firmware Revision Corrected in Firmware Revision
ArmorStart® ST 281E v2.004.06 N/A
ArmorStart® ST 284E all N/A
ArmorStart® ST 280E all N/A

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-29031 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29030 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29023 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29024 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29025 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023-29026 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023-29027 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023-29028 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023-29029 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023 29022 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

PN1623 | PanelView™ 800 – Remote Code Execution Vulnerabilities (CVE-2019-16748, CVE-2020-36177)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
PanelView™ 800 - 2711R-T4T V5.011 V8.011
PanelView™ 800 - 2711R-T7T V5.011 V8.011
PanelView™ 800 - 2711R-T10T V5.011 V8.011

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2020-36177 IMPACT
RsaPad_PSS in WolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size.  This is utilized in the PanelView™ 800 and could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file where WolfSSL is used.  This feature is disabled by default.

CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787 Out-Of-Bounds Write

Known Exploited Vulnerability (KEV) database: No

CVE-2019-16748 IMPACT
In WolfSSL through 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer over-read in CheckCertSignature ex in wolfcrypt/src/asn.c.  WolfSSL is utilized in the PanelView™ 800 and could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file where WolfSSL is used.  This feature is disabled by default.

CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-125 Out-Of-Bounds Read

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

PN1624 | Open Ports Vulnerability in Kinetix 5500 EtherNet/IP Servo Drive (CVE-2023-1834)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Kinetix 5500 manufactured between May 2022 and January 2023

*The manufacturing date of the drive is stated on the product label.		 v7.13 Customers should upgrade to versions v7.14 or later to close the ports, which mitigates this issue.

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-1834 IMPACT
Rockwell Automation was made aware that Kinetix® 5500 drives, manufactured between May 2022 and January 2023, and are running v7.13 may have the telnet and FTP ports open by default.

CVSS Base Score: 9.4/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CWE: CWE 284 Improper Access Control

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected drives are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customer to implement our suggested security best practices to minimize risk of the vulnerability.

PN1626 | Cross Site Request Forgery in FactoryTalk® Vantagepoint® (CVE-2023-2444)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Vantagepoint® <v8.40 V8.40 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2444 IMPACT
A cross site request forgery vulnerability exists in the affected product. This vulnerability can be exploited in two ways. If an attacker sends a malicious link to a computer that is on the same domain as the FactoryTalk® Vantagepoint® server and a user clicks the link, the attacker could impersonate the legitimate user and send requests to the affected product.

Additionally, if an attacker sends an untrusted link to a computer that is not on the same domain as the server and a user opens the FactoryTalk® Vantagepoint® website, enters credentials for the FactoryTalk® Vantagepoint® server, and clicks on the malicious link a cross site request forgery attack would be successful as well.

CVSS Base Score: 7.1/10
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
CWE: CWE-345 Insufficient Verification of Data Authenticity

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are also encouraged to implement our suggested security best practices to minimize risk associated with the vulnerability.

Additional Resources

PN1621 | Arena® Simulation – Multiple Vulnerabilities (CVE-2023-29460, CVE-2023-29462, CVE-2023-29461)

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 9, 2023

Affected Products

Affected Product (automated) First Known in Software Version Corrected in Software Version
Arena® Simulation Software V16.00 16.20.01

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-29460 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29461 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow in the heap.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29462 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow in the heap.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

PN1410 | FactoryTalk® Diagnostics Vulnerable to Remote Code Execution (CVE-2020-6967)

Revision History
Revision Number
1.3
Revision History
Version 1.0 – February 20, 2020. Initial Release
Version 1.1 – June 18, 2020. Pwn2Own Co-Discovery
Version 1.2 – February 10, 2023
Version 1.3 – April 10, 2023 – Added v6.31 Mitigations

Executive Summary

The Zero Day Initiative (ZDI), part of the information security company Trend Micro, reported a remote code execution (RCE) vulnerability in FactoryTalk® Services Platform to Rockwell Automation. Specifically, the vulnerability is found in the FactoryTalk Diagnostics subsystem, which provides customers the functionality to collect and view diagnostic messages from the FactoryTalk system for analysis and troubleshooting purposes.


FactoryTalk Diagnostics is utilized by many Rockwell Automation® products. We encourage customers to follow the steps provided to understand if they are affected.

Special thanks to rgod of 9sg working with ZDI to find this vulnerability. This vulnerability was co-discovered during the first ever Industrial Control Systems (ICS) Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI).

Affected Products

FactoryTalk Services Platform (v2.00 – v6.11)
The FactoryTalk Services Platform is delivered as part of the FactoryTalk suite of software from Rockwell Automation. Including most products branded FactoryTalk or Studio 5000® software.

Vulnerability Details

CVE-2020-6967: Remote Code Execution due to Vulnerable .NET Remoting Instance
FactoryTalk Diagnostics exposes a remote network port at tcp/8082, which may allow an attacker to execute arbitrary code with SYSTEM level privileges.

CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS Vector String: AV:N/AC:L/PR:N/UI:N/SC:U/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10268

Risk Mitigation & User Action

Rockwell Automation will resolve this vulnerability in the next release of the FactoryTalk Services Platform. Until then, customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the PN1354 - Industrial Security Advisory Index to stay notified.

Update: The vulnerability has been resolved with the release of FactoryTalk Services Platform V6.31.

Product Family Suggested Actions
FactoryTalk Services Platform V6.31
  • No actions are necessary:
    • Version supports use of Microsoft Windows Communication Foundation (WCF) which avoids the vulnerability.
    • Version supports use of .NET Remoting (system default) with connections restricted to a local port; mitigating the vulnerability.

Product Family

Suggested Actions

FactoryTalk Services Platform V2.00 – V6.11

We have provided guidance for customers affected by this vulnerability to assess whether the service is installed, and steps for implementing the recommended mitigations. Customers should consider implementing the following measures based on their needs:

  • Upgrade to FactoryTalk Services Platform V6.31.
  • Recommended action for versions that predate v6.20 upgrade to version 6.20 or later; this version restricts connection settings to only the local port. If it is not possible to update:
  • Alternately for versions 2.74, 2.80, 2.81, 2.90, 3.00, 6.10, or 6.11, install the patch at BF24822 - Patch: FactoryTalk Diagnostics Local Reader service connection settings restricted to local access only, FactoryTalk Services 6.11, 6.10, 3.00, 2.90, 2.80, 2.81, 2.74 to restrict connections settings to only the local port.
  • For versions that predate v2.74 it is recommended to upgrade to a more recent version.
  • Disable the Remote Diagnostics Service if this service is not in use. Disabling this service does not result in data loss.
  • If the service is in use, use Windows Firewall configuration to help prevent remote connection to the effected port.
  • Steps to perform both solutions can be found in Risk mitigation for FactoryTalk Diagnostics remoting endpoint.

Note: A Snort rule for this issue is available in Snort’s developer rules (sid: 32474).

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that .NET Remoting from unauthorized sources are blocked.
  • Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.
  • Consider implementing network security protocols for software systems, such as IPSec. Documentation is available in QA46277 - Deploying FactoryTalk Software with IPsec, outlining guidelines for implementing IPSec with FactoryTalk applications.

Software/PC-based Mitigation Strategies

  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available in QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations

  • Use trusted software, software patches antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the PN1354 - Industrial Security Advisory Index for Rockwell Automation.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

Additional Links

PN1618 | ThinManager Software Path Traversal and Denial-Of-Service Attack (CVE-2023-27855, CVE-2023-27857, CVE-2023-27856, CVE-2023-28757)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – March 21, 2023 – Initial Version

Executive Summary

A vulnerability was discovered by Tenable Security Researchers and reported to Rockwell Automation. The vulnerability was discovered in the ThinManager® ThinServer™ software. Successful exploitation of this vulnerability could allow an attacker to potentially perform remote code execution on the target or crash the software.

Customers using the products in scope are encouraged to evaluate the mitigations provided and apply them appropriately to their deployed products. See the additional details relating to the discovered vulnerabilities, including recommended countermeasures.

Affected Products

ThinManager ThinServer software Versions
6.x – 10.x
11.0.0 – 11.0.5
11.1.0 – 11.1.5
11.2.0 – 11.2.6
12.0.0 – 12.0.4
12.1.0 – 12.1.5
13.0.0-13.0.1

Vulnerability Details

CVE 2023-27855 ThinManager ThinServer Path Traversal Upload

CVSS Base Score: 9.8 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

In affected versions, a path traversal exists when processing a message. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker can overwrite existing executable files with attacker-controlled, malicious content, potentially causing remote code execution.

CVE 2023-27856 ThinManager ThinServer Path Traversal Download

CVSS Base Score: 7.5 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

In affected versions, a path traversal exists when processing a message of type 8. An unauthenticated remote attacker can exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.

CVE 2023-27857 ThinManager ThinServer Heap-Based Buffer Overflow

CVSS Base Score: 7.5/10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

In affected versions, a heap-based buffer over-read condition occurs when the message field indicates more data than is present in the message field. An unauthenticated remote attacker can exploit this vulnerability to crash ThinServer.exe due to a read access violation.

Risk Mitigation & User Action

Customers are directed towards the risk mitigations provided, and are encouraged, when possible, to combine these mitigations with the general security guidelines to employ multiple strategies simultaneously.
CVE-2023-27855
CVE-2023-27856
CVE-2023-27857		 First Known Affected Fixed Versions
6.x – 10.x These versions are retired. Please update to the supported version.
11.0.0 – 11.0.5 Update to v11.0.6
11.1.0 – 11.1.5 Update to v11.1.6
11.2.0 – 11.2.6 Update to v11.2.7
12.0.0 – 12.0.4 Update to v12.0.5
12.1.0 – 12.1.5 Update to v12.1.6
13.0.0 – 13.0.1 Update to v13.0.2

Additional Mitigations

If customers are unable to update to the patched version, the following mitigations should be put in place:
  • Limiting remote access to TCP port 2031 to known thin clients and ThinManager servers would limit some access to exploit this vulnerability.

For additional security best practices, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, to maintain the security posture of your environment.

References

PN1619 | Modbus TCP AOI Server Could Leak Sensitive Information (CVE-2023-0027)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – March 16, 2023

Executive Summary

Rockwell Automation received a report from researchers at Veermata Jijabai Technological Institute of a vulnerability that was contained within the Modbus TCP Server Add-On Instructions (AOI) for ControlLogix® and CompactLogix™ controllers. This vulnerability may allow an unauthorized user to gain information when the Modbus TCP Server AOI accepts a malformed request.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • Modbus TCP Server Add-On Instruction (AOI) for ControlLogix and CompactLogix controllers, used to connect to other devices via Modbus TCP protocol. Rockwell Automation Sample Code Library ID:101037.
    • Customers who do not use the AOI with a controller are not impacted.
    • The Modbus TCP Client AOI, that is a part of this sample code library, does not have this vulnerability.

Vulnerability Details

CVE-2023-0027 Rockwell Automation Modbus TCP Server Add-On Instruction Could Leak Sensitive Information
While the Modbus TCP Server AOI is in use, an unauthorized user could potentially send a malformed message causing the controller to respond with a copy of the most recent response to the last valid request. If exploited, an attacker could read the connected device’s Modbus TCP Server AOI information. It is impossible to exploit this vulnerability without knowing the Modbus address of the last valid request.


CVSS v3.1 Base Score: 5.3/10[medium]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Risk Mitigation & User Action

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products.
Products Affected First Known Version Affected Corrected In
Modbus TCP Add-On Instructions (AOI) Sample Code 2.00.00 This issue has been mitigated in the following AOI versions: 2.04.00 and later

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines from Rockwell Automation.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

Disclaimer

This document is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this document is not intended to constitute application, design, software or other professional engineering advice or services. Before making any decision or taking any action, which might affect your equipment, you should consult a qualified professional advisor.

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS DOCUMENT AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL AUTOMATION BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOST PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAS BEEN ADVISED OFTHE POSSIBILITY OF SUCH DAMAGES.

ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. NOTE THAT CERTAIN JURISDICTIONS DO NOT COUNTENANCE THE EXCLUSION OF IMPLIED WARRANTIES; THUS, THIS DISCLAIMER MAY NOT APPLY TO YOU.

PN1554 | CompactLogix 5370 and ControlLogix 5570 Controllers Vulnerable to Denial of Service Conditions due to Improper Input Validation (CVE-2020-6998)

Revision History
Revision Number
1.2
Revision History
Version 1.0 – March 2, 2021. Initial Release
Version 1.2 – February 7, 2023 - Updated affected products and risk mitigations section

Executive Summary

CompactLogix™ 5370 and ControlLogix® 5570 Programmable Automation Controllers (PACs) contain a vulnerability in the connection establishment algorithm that could allow a remote, unauthenticated attacker to cause infinite wait times in communications with other products resulting in denial of service conditions. The Cybersecurity & Infrastructure Security Agency (CISA) reported this vulnerability to Rockwell Automation by way of an anonymous researcher.

Customers using the affected products are strongly encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.

Affected Products

The following products are affected:
  • CompactLogix 5370
  • Compact GuardLogix 5370
  • ControlLogix 5570
  • ControlLogix 5570 redundancy
  • GuardLogix 5570

Vulnerability Details

CVE-2020-6998: Improper Input Validation Causes Denial of Service Condition
The connection establishment algorithm found in CompactLogix 5370 and ControlLogix 5570 does not sufficiently manage its control flow during execution, creating an infinite loop. This may allow an attacker to send specially crafted CIP™ packet requests to a controller, which may cause denial of service conditions in communications with other products.

CVSS v3.1 Base Score: 5.8/10 [MEDIUM]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

CVE-2020-6998
Products Affected First Known Version Affected Corrected In
CompactLogix 5370
ControlLogix 5570
GuardLogix 5570
 20.011 33.011 and later
Compact GuardLogix 5370 28.011 33.011 and later
ControlLogix 5570 Redundancy 20.054 33.051 and later

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

General Mitigations
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).



ADDITIONAL LINKS

PN1616 | CVE-2019-5096 and CVE 2019-5097 Vulnerabilities Impact Multiple Products (CVE-2019-5097, CVE-2019-5096)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – January 27, 2023

Executive Summary

Rockwell Automation is aware of multiple products that utilize the GoAhead web server application and are affected by CVE 2019-5096 and CVE 2019-5097. Exploitation of these vulnerabilities could potentially have a high impact on the confidentiality, integrity and availability of the vulnerable devices. We have not received any notice of these vulnerabilities being exploited in Rockwell Automation products.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including impact and recommended countermeasures, are provided.

Affected Products

CVE -2019-5096 and CVE 2019-5097

Catalog Number Firmware Version
1732E-8CFGM8R/A 1.012
1732E-IF4M12R/A (discontinued) 1.012
1732E-IR4IM12R/A 1.012
1732E-IT4IM12R/A 1.012
1732E-OF4M12R/A 1.012
1732E-OB8M8SR/A 1.013
1732E-IB8M8SOER 1.012
1732E-8IOLM12R 2.011
1747-AENTR 2.002
1769-AENTR 1.001
5069-AEN2TR 3.011
1756-EN2TR/C <=11.001
1756-EN2T/D <=11.001
1756-EN2TSC/B (discontinued) 10.01
1756-EN2TSC/B 10.01
1756-HIST1G/A (discontinued) <=3.054
1756-HIST2G/A(discontinued) <=3.054
1756-HIST2G/B <=5.103

CVE 2019 -5097

Catalog Number Firmware Version
ControlLogix® 5580 controllers V28 – V32*
GuardLogix® 5580 controllers V31 – V32*
CompactLogix™ 5380 controllers V28 – V32*
Compact GuardLogix 5380 controllers V31 – V32*
CompactLogix 5480 controllers V32*
1756-EN2T/D 11.001*
1756-EN2TR/C 11.001*
1765–EN3TR/B 11.001*
1756-EN2F/C 11.001*
1756-EN2TP/A 11.001*

* The vulnerability is only exploitable via the Ethernet port. It is not exploitable via backplane or USB communications.

Vulnerability Details

Rockwell Automation was made aware of two third-party vulnerabilities that affect the GoAhead embedded web server. A critical vulnerability (CVE-2019-5096) exists in the way requests are processed by the web server. If exploited, a malicious user could potentially leverage this vulnerability to execute arbitrary code   by sending specially crafted HTTP requests to the targeted device.

Additionally, a denial-of-service (DoS) vulnerability (CVE-2019 5097) exists in the GoAhead web server. To exploit this vulnerability, a malicious user would have to send specially crafted HTTP requests and trigger an infinite loop in the process. If exploited, the targeted device could potentially crash.

CVE 2019-5096 EmbedThis GoAhead web server code execution vulnerability
CVSS Base Score:  9.8/10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE 2019-5097 EmbedThis GoAhead web server denial-of-service vulnerability
CVSS Base Score:  7.5/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

We encourage customers to apply the recommended mitigations, provided below.
Product Suggested Actions
1732E-8CFGM8R/A Refer to Additional Mitigations
1732E-IF4M12R/A Refer to Additional Mitigations
1732E-IR4IM12R/A Refer to Additional Mitigations
1732E-IT4IM12R/A Refer to Additional Mitigations
1732E-OF4M12R/A Refer to Additional Mitigations
1732E-OB8M8SR/A Refer to Additional Mitigations
1732E-IB8M8SOER Refer to Additional Mitigations
1732E-8IOLM12R Refer to Additional Mitigations
1747-AENTR Refer to Additional Mitigations
1769-AENTR Update to 1.003 or later
5069-AEN2TR (discontinued) Migrate to the 5069-AENTR
1756-EN2T/D Update to 11.002 or later
1756-EN2TR/C Update to 11.002 or later
1756-EN3TR/B Update to 11.002 or later
1756-EN2F/C Update to 11.002 or later
1756-EN2TP/A Update to 11.002 or later
1756-EN2TSC/B Refer to Additional Mitigations
1756-HIST1G/A (discontinued) Update to series B v5.104 or C 7.100 or later
1756-HIST2G/A (discontinued) Update to series B v5.104 or C 7.100 or later
1756-HIST2G/B Update to 5.104 or later
1756-EN2F/C Update to 11.002 or later
ControlLogix 5580 controllers Update to V32.016 or later
GuardLogix 5580 controllers Update to V32.016 or later
CompactLogix 5380 controllers Update to V32.016 or later
Compact GuardLogix 5380 controllers Update to V32.016 or later
CompactLogix 5480 Update to V32.016 or later

Additional Mitigations

If updating firmware is not possible or unavailable, we recommend the following compensating controls to help minimize risk of the vulnerability.
  • Disable the web server, if possible. Please review the corresponding product user manual for instructions, which can be found in the Rockwell Automation Literature Library.
    • For 1732E, upgrade to the latest firmware to disable the web server.
  • Configure firewalls to disallow network communication through HTTP/Port 80.
Please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, for more recommendations about maintaining the security posture of your environment.

References

PN1613 | Product Notice 1613: Logix Controllers Vulnerable to a Denial-of-Service Vulnerability (CVE-2022-3157)

Revision History
Revision Number
1.2
Revision History
Version 1.0 – December 15, 2022
Version 1.1 – January 17, 2022 – Updated risk mitigation section
Version 1.2 – January 25, 2023 – Updated risk mitigation section

Executive Summary

Rockwell Automation was made aware of a denial-of-service vulnerability that impacts several versions of our GuardLogix® and ControlLogix® controllers. Exploitation of this vulnerability could potentially lead to degradation in availability of the controller and/or a possible major non-recoverable fault (MNRF).

Customers using affected software versions are encouraged to evaluate the mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • CompactLogix™ 5370
  • Compact GuardLogix 5370
  • ControlLogix 5570
  • ControlLogix 5570 redundancy
  • GuardLogix 5570

Vulnerability Details

CVE-2022-3157 Controllers vulnerable to Denial-of-Service Condition
A vulnerability exists in the Rockwell Automation controllers that allows a malformed CIP™ request to cause a major non-recoverable fault (MNRF) and a denial-of-service condition (DOS).

CVSS Base Score:  8.6/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the products. Customers are also directed towards the risk mitigations and are encouraged, when possible, to combine these with QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.

Products Affected

First Known Version Affected

Corrected In
CompactLogix 5370
ControlLogix 5570
GuardLogix 5570
 20.011
  • 33.013
  • 34.011 and later
Compact GuardLogix 5370 28.011
  • 33.013
  • 34.011 and later
ControlLogix 5570 Redundancy 20.054
  • 33.052
  • 34.051 and later

Reference

PN1614 | Studio 5000 Logix Emulate Vulnerable to a SMB Insecurely Configuration Vulnerability (CVE-2022-3156)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 22, 2022

Executive Summary

Rockwell Automation was made aware of a misconfiguration vulnerability that affects Studio 5000® Logix Emulate™. Exploitation of this vulnerability could potentially allow a malicious user to perform a remote code execution that could impact the confidentiality, integrity and availability of the software.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

Studio 5000 Logix Emulate v.20 – 33

Vulnerability Details

CVE-2022-3156 Studio 5000 Logix Emulate SMB™ misconfiguration vulnerability
Users are granted elevated permissions on select product services. Due to this misconfiguration, a malicious user could potentially achieve remote code execution on the targeted software.

CVSS Base Score:  7.8/10 (High)
CVSS:3.1/ AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the products. Customers are also directed towards the risk mitigations provided and are encouraged, when possible, to combine these with QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.
Vulnerabilities Product Suggested Actions
CVE-2022-3156 Studio 5000 Logix Emulate Customers should upgrade to version 34.00 or later to mitigate this issue.

References

PN1611 | Product Notice 1611: MicroLogix 1100 and 1400 Product Web Server Application Vulnerable to Denial-Of-Service Condition Attack

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 13, 2022

Executive Summary

Rockwell Automation received a vulnerability report from security researchers at Veermata Jijabai Technological Institute (VJTI). If exploited, this vulnerability could cause a denial-of-service condition in the web server application on the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided below. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 B/C v. 21.007 and below
  • MicroLogix™ 1400 A v. 7.000 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the webserver of the Micrologix-1400 B PLC contains a vulnerability that may lead to a denial-of-service condition. The security vulnerability could be exploited by an attacker with network access to the affected systems by sending TCP packets to webserver and closing it abruptly which would cause a denial-of-service condition for the web server application on the device.

(CVE 2022-3166) MicroLogix Controllers Vulnerable to Clickjacking Attack
CVSS Base Score: 7.5 /10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device)
  • Configure firewalls to disallow network communication through HTTP/Port 80
  • Upgrade to the MicroLogix 800 or MicroLogix 850 as this device does not have the web server component
If applying the mitigations noted above are not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

PN1612 | Product Notice 1612: MicroLogix 1100 and 1400 Web Server Application Vulnerable to Cross Site Scripting Attack

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 13, 2022

Executive Summary

Rockwell Automation received a vulnerability report from a security researcher from Georgia Institute of Technology. If exploited, this vulnerability could allow an attacker to submit remote code in the web server application on the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided below. We have not received any notice of this vulnerability previously being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 B/C v. 21.007 and below
  • MicroLogix™ 1400 A v. 7.000 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the MicroLogix 1100 and 1400 controllers contain a vulnerability that may give an attacker the ability to accomplish remote code execution.  The vulnerability is an unauthenticated stored cross-site scripting vulnerability in the embedded webserver. The payload is transferred to the controller over SNMP and is rendered on the homepage of the embedded website.

(CVE 2022-46670) MicroLogix Controllers Vulnerable to Cross-Site Scripting Attack
CVSS Base Score: 8.2 /10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device).
  • Configure firewalls to disallow network communication through HTTP/Port 80
  • Upgrade to the Micro800 family as this device does not have the web server component.

If applying the mitigations noted above are not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

PN1609 | Logix Controllers Vulnerable to Denial-of-Service Attack (CVE-2022-3752)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 6, 2022

Executive Summary

Rockwell Automation discovered a vulnerability within our Logix Controllers.  This vulnerability may allow an unauthorized user to cause a denial of service on a targeted device.  Customers using affected versions of this firmware are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • CompactLogix 5380 controllers
  • Compact GuardLogix® 5380 controllers
  • CompactLogix 5480 controllers
  • ControlLogix 5580 controllers
  • GuardLogix 5580 controllers

Vulnerability Details

CVE-2022-3752 Rockwell Automation Logix Controllers are Vulnerable to a Denial-of-Service Attack
An unauthorized user could use a specially crafted sequence of Ethernet/IP messages, combined with heavy traffic loading  to cause a denial-of-service condition resulting in a major non-recoverable fault. If the target device becomes unavailable, a user would have to clear the fault and redownload the user project file to bring the device back online and continue normal operation.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.
Products Affected First Known Version Affected Corrected In
CompactLogix 5380 Compact GuardLogix 5380 ControlLogix 5580 GuardLogix 5580 This vulnerability is present in firmware version 31.011 and later This issue has been mitigated in the following firmware versions:
  • 32.016 and later for versions 32
  • 33.015 and later for versions 33
  • 34.011 and later
Customers should upgrade to a version listed above to mitigate this vulnerability
CompactLogix 5480 This vulnerability is present in firmware version 32.011 and later

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines Article in our Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

ADDITIONAL LINKS

PN1608 | FactoryTalk Live Data Communication Module Vulnerable to Man-In-The-Middle Attack

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 1, 2022

Executive Summary

Rockwell Automation received a report from Guidepoint Security regarding a security vulnerability discovered within the FactoryTalk® Live Data Communication Module contained within the FactoryTalk Services Platform. Due to the use of a cleartext protocol in this module, malicious actors could conduct Address Resolution Protocol spoofing resulting in loss of integrity of the traffic. This could allow the attacker to view and modify unauthorized packets and potentially deceive the user into seeing false data on the human machine interface.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the issue, including affected products and recommended countermeasures, are provided.

Affected Products

FactoryTalk LiveData Communication Module (Contained within FactoryTalk Services Platform) - All versions

Vulnerability Details

FactoryTalk LiveData Communication Module vulnerable to man-in-the-middle attack
An unauthenticated attacker with network access can accomplish a man-in-the-middle attack utilizing the clear text protocol of the FactoryTalk LiveData Communication Module and modify traffic leading to a complete loss of integrity for the products affected by the vulnerability.  This condition could result in the operator at the human machine interface seeing manipulated data on the screen potentially breaking the integrity of the data that is seen.

CVSS v3.1 Base Score: 5.9/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Risk Mitigation & User Action

Customers using the affected software are encouraged to setup the secondary mitigation as described below that addresses the associated risk.  Customers are also directed towards general risk mitigation strategies provided in the QA43240 - Recommended Security Guidelines from Rockwell Automation in our Knowledgebase.

Suggested Actions

Customers should setup IPsec to mitigate this issue as detailed in the QA46277 - Deploying FactoryTalk Software with IPsec Knowledgebase article.

General Security Guidelines

If customers are unable to implement IPsec, it is recommended that the below guidelines be adhered to as they provide strong mitigations against this type of attack.

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls to help ensure that unused or unnecessary protocols from unauthorized sources are blocked. For more information on TCP/UDP ports and protocols used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCPUDP Ports Used by Rockwell Automation Products.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • Consult the product documentation for specific features, (e.g. hardware keyswitch settings) which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances.

General security guidelines can be found in the QA43240 - Recommended Security Guidelines from Rockwell Automation in our Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

PN1576 | FactoryTalk® Activation Manager and Studio 5000 Logix Designer® contain Wibu Codemeter vulnerabilities. (CVE-2021-20094, CVE-2021-20093, CVE-2021-41057)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 6, 2021
Revision History
Revision Number
2.0
Revision History
Version 2.0 - August 11, 2021 – Removed modified score
Revision History
Revision Number
3.0
Revision History
Version 3.0 – November 22, 2022

Executive Summary

Rockwell Automation is impacted by advisory ICSA-21-210-02 which contains two vulnerabilities targeting Wibu-Systems AG.  These vulnerabilities impact FactoryTalk® Activation Manager and Studio 5000 Logix Designer®. If successfully exploited, these vulnerabilities may allow the reading of data from the heap of the CodeMeter Runtime network server or result in a crash of the CodeMeter Runtime Server (i.e., CodeMeter.exe).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • FactoryTalk® Activation Manager v4.00 to v4.05.02
    • Includes Wibu-Systems AG CodeMeter v7.20a and earlier
  • Studio 5000 Logix Designer® v23.00.01 to v33.00.02

Vulnerability Details

CVE-2021-20093: CWE-126

FactoryTalk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems AG CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime Network Server to send back packets containing data from the heap.


Wibu-Systems AG score:

CVSS v3.1 Base Score: 9.1/10 Critical
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2021-20094: CWE-126

Factory Talk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime CmWAN server to send back packets containing data from the heap

Wibu-Systems AG score:

CVSS v3.1 Base Score: 7.5/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

-------------------UPDATE: 22 Nov 2022----------------------

CVE-2021-41057: CWE-269

A local attacker could cause a Denial of Service by overwriting existing files on the affected system.

Wibu-Systems AG Score:
CVSS V3.1 Base Score: 7.1/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Risk Mitigation & User Action

Customers using the affected FactoryTalk® Activation Manager and/or Studio 5000 Logix Designer® are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Suggested Actions
CVE-2021-20093 Update to Factory Talk Activation Manager 4.05.03 or later
For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center, Standard Views -> Software Latest Versions -> FactoryTalk Activation
CVE-2021-20094 Update to Factory Talk Activation Manager 4.05.03 or later
CVE-2021-41057 Update to Factory Talk Activation Manager 4.06.11 or later

Customers may update Wibu-Systems CodeMeter independently for FactoryTalk Activation Manager or Studio 5000 Logix Designer® by installing Wibu-Systems CodeMeter AG v7.30a.  Please refer to this support page to determine if Wibu-Systems CodeMeter AG v7.30a is compatible with the installed versions of Rockwell Automation software.

During installation, Rockwell Automation products bind CodeMeter Runtime to the Local Host adapter and the Network Server and CmWAN Server ports are disabled.  Therefore, if the default installation is not modified, Rockwell Automation software is not susceptible to these vulnerabilities over a network connection.  Default port 22350 is required if activation licenses are hosted from the machine.

Customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that Wibu CodeMeter Network Server and CmWAN Server (Default Port# 22350/TCP and 22351/TCP) are blocked from unauthorized sources.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to UDP Port# 2222 (CIP), TCP/UDP Port# 44818 (CIP), and TCP/UDP Port# 2221 (CIP Security) using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

PN1508 | Treck Ripple20 TCP/IP Vulnerabilities Affect Multiple Rockwell Automation Products (CVE-2020-11914, CVE-2020-11910, CVE-2020-11901, CVE-2020-11907, CVE-2020-11911, CVE-2020-11912, CVE-2020-25066, CVE-2020-11906)

Revision History
Revision Number
5.0
Revision History
Version 5.0 – November 1, 2022. Added patch information for additional products
Version 4.0 – May 17, 2022. Updated patch information for PowerFlex 755T and 6000T
Version 3.0 – February 9, 2021. Updated for ICSA-20-353-01.
Version 2.1 - January 13, 2021. Updated to reflect additional disclosure.
Version 2.0 - July 15, 2020. Updated table to reflect affected products and versions.
Version 1.0 - June 16, 2020. Initial Release.

Executive Summary

Treck, a real-time embedded Internet Protocol software vendor, reported several vulnerabilities (named "Ripple20") to Rockwell Automation that were discovered by security researchers at JSOF, a security vendor and research organization.  The embedded TCP/IP stack (versions earlier than 6.0.1.66) from Treck is used by many different technology vendors including Rockwell Automation. These vulnerabilities, if successfully exploited, may result in remote code execution, denial-of-service, or sensitive information disclosure.

Begin Update 3.0
On December 18, 2020, Treck reported four additional vulnerabilities that were discovered by security researchers at Intel. The following components of the embedded TCP/IP stack (versions 6.0.1.67 and prior) are affected: HTTP Server, IPv6, and DCHPv6. These vulnerabilities, if successfully exploited, may result in denial-of-service conditions or remote code execution.
End Update 3.0

Since this disclosure is part of a large multi-party coordination effort with the CERT/CC

and ICS-CERT, not every vulnerability reported by Treck impacts Rockwell Automation. Please see the table under Affected Products for a full list of the affected Rockwell Automation products and the corresponding CVE ID.



Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

Affected Product Family Affected Versions CVE-2020-XXXXX
11896
 11897 11898 11899 11900 11901 11902 11903 11904 11905 11906 11907 11908 11909 11910 11911 11912 11913 11914
5094-AEN2SFPR/XT
5094-AEN2TR/XT
5094-AENSFPR/XT
5094-AENTR/XT

 1.011-4.011 X X X X X X
5069-AENTR 3.011-4.011 X X X X X X
1734-AENT/R 4.001- 6.012 X X X X X X
1738-AENT/R 4.001- 6.012 X X X X X X
1732E-16CFGM12R
 1732E-8X8M12DR
 1732E-IB16M12DR
1732E-IB16M12R
 1732E-OB16M12DR
 1732E-OB16M12R		 2.011-2.012 X X X X X X
1791ES-ID2SSIR 1.001
1799ER-IQ10XOQ10 2.011 X X X X X X
1794-AENTR/XT 1.011-1.017 X X X X X X
1732E-12X4M12QCDR
 1732E-16CFGM12QCR
 1732E-16CFGM12QCWR
 1732E-12X4M12P5QCDR
 1732E-16CFGM12P5QCR
 1.011-1.015 X X X X X X
1732E-16CFGM12P5QCWR
 1.011-2.011 X X X X X X
PowerMonitor 5000 4.19 X X X X X X X
PowerMonitor 1000 4.10 X X X X X X X
ArmorStart® ST+ Motor Controller 1.001 X X X X X
Kinetix 5500 All* X X X X X X
Kinetix® 5700 All* X X X X X X
Kinetix 5100 1.001 X X X X X X
PowerFlex 755T
PowerFlex 6000T		 All* X X X X X
CIP Safety Encoder All* X X X X X

Begin Update 3.0:
Affected Product Family Affected Versions CVE
1734-AENT/R 4.001- 6.012 CVE-2020-25066
1738-AENT/R 4.001- 6.012 CVE-2020-25066
1794-AENTR
1794-AENTR/XT		 1.011- 1.017 CVE-2020-25066
1732E-16CFGM12R
1732E-8X8M12DR
1732E-IB16M12DR
1732E-IB16M12R
1732E-OB16M12DR
1732E-OB16M12R		 2.011-2.012 CVE-2020-25066
1799ER-IQ10XOQ10 2.011 CVE-2020-25066
1732E-12X4M12QCDR
1732E-16CFGM12QCR
1732E-16CFGM12QCWR
1732E-12X4M12P5QCDR
1732E-16CFGM12P5QCR		 1.011-1.015 CVE-2020-25066
1732E-16CFGM12P5QCWR 1.011-2.011 CVE-2020-25066
PowerMonitor 5000 4.19 CVE-2020-25066
PowerMonitor 1000 4.10 CVE-2020-25066
End Update 3.0

Vulnerability Details

Begin Update 3.0:
CVE-2020-25066
A vulnerability in the Treck HTTP Server components allow an attacker to cause denial-of-service condition. This vulnerability may also result in arbitrary code execution.

CVSSv3.1 Score: 9.8/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
End Update 3.0


CVE-2020-11901
There is an improper input validation issue in the DNS resolver component when handling a sent packet. A remote, unauthenticated attacker may be able to inject arbitrary code on the target system using a maliciously crafted packet.

CVSSv3.1 Score: 9.1/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2020-11906
There is an improper input validation issue in the Ethernet Link Layer component. An adjacent, unauthenticated attacker can send a malicious Ethernet packet that can trigger an integer underflow event leading to a crash or segment fault on the target device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11907
There is an improper handling of length parameter consistency issue in the TCP component. A remote, unauthenticated, attacker can send a malformed TCP packet that can trigger an integer underflow event leading to a crash or segmentation fault on the device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11910
There is an improper input validation issue in the ICMPv4 component. A remote, unauthenticated attacker can send a malicious packet that may expose data present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11911
There is an improper access control issue in the ICPMv4 component. A remote, unauthenticated attacker can send a malicious packet that can lead to higher privileges in permissions assignments for some critical resources on the destination device.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2020-11912
There is an improper input validation issue in the IPv6 component. A remote, unauthenticated attacker can send a malicious packet that may expose some data that is present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11914
There is an improper input validation issue in the ARP component. An unauthenticated, local attacker can send a malicious Layer-2 ARP packet that could lead to unintended exposure of some sensitive information on the target device.

CVSSv3.1 Score: 3.1/LOW
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Update 2.1: Rockwell Automation is aware of the additional Treck TCP/IP Stack vulnerabilities disclosed (ICSA-20-353-01). Potential impact of these vulnerabilties is currently being investigated and this advisory will be updated when the investigation concludes.

Risk Mitigation & User Action

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.
CVE Suggested Actions

CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11914

 For successful exploitation, these vulnerabilities require malformed TCP/IP packets to reach the destination device and an active network connection. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies.

The CERT/CC has provided IDS rules to support additional mitigations for these vulnerabilities. These rules can be found on their Github page.

ICS-CERT has provided additional network mitigations in their public disclosure.

Begin Update 3.0:
CVE Suggested Actions
CVE-2020-25066 Follow suggested actions above and, when possible, implement firewall rules to filter out packets that contain a negative content length in the HTTP header.

ICS-CERT has provided additional network mitigations in their public disclosure.

End Update 3.0


Available Fixes:

Update 4.0 May 17, 2022
CVE Affected Product Suggested Actions
CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912		 5069-AENTR Apply firmware v4.012 or later (Download).
CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912		 5094-AEN2SFPR/XT
5094-AEN2TR/XT
5094-AENSFPR/XT
5094-AENTR/XT		 Apply firmware v5.012 or later (Download).
CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11914		 Kinetix 5700 Apply v13 or later (Download).
CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912		 PowerFlex 755T
PowerFlex 6000T		 Apply 6.005 or later for PF755T.  Apply R8 or later for PF6000T. (Download)

Update 5.0 November 1, 2022
CVE Affected Product Family Suggested Actions
CVE-2020-25066 1734-AENT/R Apply firmware 7.011 or later.
1738-AENT/R Apply firmware 6.011 or later.
1794-AENTR
1794-AENTR/XT		 Apply firmware 2.011 or later.
1732E-16CFGM12R
1732E-8X8M12DR
1732E-IB16M12DR
1732E-IB16M12R
1732E-OB16M12DR
1732E-OB16M12R		 Apply firmware 3.011 or later.
1799ER-IQ10XOQ10 Apply firmware 3.011 or later.
1732E-12X4M12QCDR
1732E-16CFGM12QCR
1732E-16CFGM12QCWR
1732E-12X4M12P5QCDR
1732E-16CFGM12P5QCR		 Apply firmware 3.011 or later.
1732E-16CFGM12P5QCWR Apply firmware 3.011 or later.

General Security Guidelines

 Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that ICMPv4, TCP, ARP and DNS traffic originating from unauthorized sources is blocked.
  • Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.

Software/PC-based Mitigation Strategies
  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk.  Information on using AppLocker with Rockwell Automation® products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations
Use trusted software, software patches antivirus/antimalware programs and interact only with trusted websites
and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).



ADDITIONAL LINKS

PN1607 | New Open SSL Vulnerability

Executive Summary

Rockwell Automation is aware of and currently monitoring the Open SSL vulnerability that was initially announced on Tuesday, October 25th. On Tuesday, November 1st the full vulnerability details were disclosed, and a patch was made available by the vendor. As part of our commitment to transparency and to protecting our customers’ security, we are evaluating all Rockwell products for this third-party vulnerability. If any products are affected by this vulnerability, we will provide an update to this notification. We look forward to working with our customers to satisfy any concerns they may have.

PN1601 | Stratix Products Vulnerable to Multiple Vulnerabilities (CVE-2020-3209, CVE-2020-3200, CVE-2021-1385, CVE-2020-3516, CVE-2021-1446)

Revision History
Revision History
Version 1.0 –October 27,2022

Executive Summary

Rockwell Automation is aware of  multiple vulnerabilities that impact Cisco IOS® XE and Cisco IOS software contained within Stratix® devices. Exploitation of these vulnerabilities could potentially lead to, but are not limited to, a denial-of-service condition and remote code execution.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • Stratix 5800 Switches
  • Stratix 5400/5410 Switches

Vulnerability Details

CVE 2020-3229 - Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
CVSS Base Score 8.8/10 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The administrator GUI lacks correct handing of RBAC, which may allow a malicious user to send modified HTTP requests to the targeted device. If exploited, a read-only remote attacker could potentially execute commands or configuration changes as the administrator user.

CVE 2020-3219 - Cisco IOS XE Software Web UI Command Injection Vulnerability
CVSS Base Score 8.8/10 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Due to insufficient validation of user input, this vulnerability could allow a malicious user to inject custom input into the web UI. If exploited, a remote attacker could potentially execute arbitrary code with administrative privileges on the operating system.

CVE-2021-1446 - Cisco IOS XE Software DNS NAT Protocol Application Layer Gateway Denial-of-Service Vulnerability
CVSS Base Score 8.6/10 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

A vulnerability in the DNS application layer gateway (ALG) functionality used by Network Address Translation (NAT) in Cisco IOS XE software could allow an unauthenticated, remote attacker to cause an affected device to reload.

CVE 2020-3200 - Cisco IOS and IOS XE Software Secure Shell Denial-of-Service Vulnerability
CVSS Base Score 7.7/10 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

A vulnerability in the Secure Shell (SSH) server code of Cisco IOS software and Cisco IOS XE software could allow an authenticated, remote attacker to cause an affected device to reload.

CVE 2020-3211 - Cisco IOS XE Software Web UI Command Injection Vulnerability
CVSS Base Score 7.2/10 (High)
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Due to improper input sanitization, this vulnerability could allow a malicious user with administrative privileges to submit specially crafted input in the web UI. If exploited, a remote attacker could potentially execute arbitrary commands with root privileges on the operating system.

CVE 2020-3218 - Cisco IOS XE Software Web UI Remote Code Execution Vulnerability
CVSS Base Score 7.2/10 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Due to improper validation of user supplied input, a malicious user could potentially create a file on the target device and upload a second malicious file to the device. If exploited, a user could execute arbitrary code with root privileges on the underlying Linux shell.

CVE-2020-3209 - Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability
CVSS Base Score 6.8/10 (Medium)
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The root cause of this vulnerability is an improper check on the area code that manages the verification of the digital signatures of the system files during the initial boot process. If exploited, a malicious user could potentially install and boot malicious software image or execute unsigned binaries on the targeted device. A malicious user could exploit this vulnerability by loading unsigned software on the affected device.

CVE-2021-1385 - Cisco IOx Application Environment Path Traversal Vulnerability
CVSS Base Score 6.5/10 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to conduct directory traversal attacks and read and write files on the underlying operating system or host system.

CVE 2020-3516 – Cisco IOS XE Software Web UI Improper Input Validation Vulnerability
CVSS Base Score 4.3/10 (Medium)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

A vulnerability in the web server authentication of Cisco IOS XE Software could allow an authenticated, remote attacker to crash the web server on the device.

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the Stratix 5800 switch. Customers are also directed towards the risk mitigations provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected Vulnerabilities Suggested Actions
Stratix 5800 switches CVE-2020-3209 Update to Stratix 5800 v.17.04.01 or later
CVE 2020-3211
CVE 2020-3218
CVE 2020-3229
CVE 2020-3219
CVE-2020-3516
CVE 2021-1385
CVE-2021-1446
Stratix 5800 switches CVE-2020-3200 Update to v16.12.01 or later
Stratix 5400/5410 switches CVE-2020-3200 Update to v15.2(7)E2 or later

Additionally, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, for additional recommendations to maintain the security posture of your environment.

References

PN1605 | FactoryTalk Alarm and Events Server Vulnerable to Denial-Of-Service Attack (CVE-2022-38744)

Revision History
Revision History
Version 1.0 – October 27, 2022

Executive Summary

Rockwell Automation received a report from Kaspersky Labs regarding one vulnerability in FactoryTalk® Alarms and Events servers. If successfully exploited, these vulnerabilities may result in a denial-of-service condition causing the server to be unavailable.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided.

Affected Products

FactoryTalk Alarms and Events server – All versions

Vulnerability Details

CVE-2022-38744 FactoryTalk Alarm and Events server vulnerable to denial-of-service attack
An unauthenticated attacker with network access to a victim's FactoryTalk service could open a connection, causing the service to fault and become unavailable. The affected port can be used as a server ping port and use messages structured with XML.

CVSS v3.1 Base Score: 7.5/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to set up the secondary mitigation as described below that addresses the associated risk. Customers are also directed towards general risk mitigation strategies provided in QA43240 - Recommended Security Guidelines from Rockwell Automation , in our Knowledgebase.
Vulnerability Suggested Actions
CVE-2022-38744 Customers should set up IPsec to mitigate this issue as detailed in QA46277 - Deploying FactoryTalk Software with IPsec

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines from Rockwell Automation .

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

PN1606 | Factory Talk VantagePoint Software Broken Access Control and Input Validation Vulnerability (CVE-2022-3158, CVE-2022-38743)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – October 06,2022

Executive Summary

Rockwell Automation is aware of a broken access control and input validation vulnerability. If exploited, this vulnerability could potentially lead to a high impact on the confidentiality, a low impact on the integrity, and the availability of FactoryTalk® VantagePoint® software.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

FactoryTalk VantagePoint software v. 8.0, 8.10, 8.20, 8.30, 8.31

Vulnerability Details

CVE 2022-38743 FactoryTalk VantagePoint Software Broken Access Control Vulnerability
As a part of our commitment to security, Rockwell Automation performs routine testing and vulnerability scanning to maintain the security posture of products. Due to penetration testing, we discovered a broken access control vulnerability. The FactoryTalk VantagePoint SQLServer account could allow a malicious user with read-only privileges to execute SQL statements in the back-end database.

CVE 2022-38743
CVSS Base Score:  9.9/10 (Critical)
CVSS:3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE 2022-3158 FactoryTalk VantagePoint Software Input Validation Vulnerability
Additionally, the device lacks input validation when users enter SQL statements to retrieve information from the back-end database. This vulnerability could potentially allow a user with basic user privileges to perform remote code execution on the server.

CVE 2022-3158
CVSS Base Score:  9.9/10 (Critical)
CVSS:3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are encouraged to apply the following configurable risk mitigations to help reduce the risk associated with this vulnerability. We also recommend customers combine risk mitigations with security best practices to employ a defense in depth approach.
Mitigation A Update to FactoryTalk VantagePoint V8.00/8.10/8.20/8.30/8.31 or later.
BF28452 - Patch: Multiple issues, FactoryTalk VantagePoint 8.00/8.10/8.20/8.30/8.31
Mitigation B If customers are unable to update the firmware, we suggest customers configure the database to follow the least privilege principle.

Additional Links

PN1595 | OpenSSL Infinite Loop in Rockwell Automation Products (CVE-2022-0778)

Revision History
Revision Number
1.1
Revision History
Version 1.1 – 8-Sept-2022, Updated Suggested Actions

Executive Summary

Rockwell Automation received a report on a new vulnerability within OpenSSL, which is used within some of our products. This vulnerability can lead to a denial-of-service within the affected products if successfully launched by an attacker.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • ThinManager® software (Versions 12.0.0 - 12.0.2, 12.1.0 - 12.1.3)
  • FactoryTalk® Linx Gateway (Version 6.30 and earlier)
  • Factory Talk Linx OPC UA Connector (Version 6.30 and earlier)
  • Factory Talk View (Version 11.00 - Version 13.00)

Vulnerability Details

CVE-2022-0778 Open SSL allows for an infinite loop

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-0778 Open SSL allows for an infinite loop (*This CVE score only applies to ThinManager)

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

Administrator privileges are needed for this attack to be successful on ThinManager Software.

CVSS v3.1 Base Score: 4.9/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected Suggested Actions
ThinManager This issue has been patched.  Customers should follow the patch instructions as follows:
If using v12.0.0-12.0.2 >> Download v12.0.3
If using v12.1.0-12.1.3 >> Download v12.1.4
Factory Talk Linx Gateway Customers should view BF28103 - Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.
Factory Talk Linx OPC UA Connector Customers should view BF28103 - Everyone Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.
Factory Talk View Customers should view BF28297 - Patch: Open SSL Vulnerability, FactoryTalk View 11.0, 12.0, 13.0 to install the update that mitigates the issue.

If an upgrade is not possible or available, customers should consider implementing the following mitigations:
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

PN1604 | ThinManager Software Vulnerable to Arbitrary Code Execution and Denial-Of-Service Attack (CVE-2022-38742)

Revision History
Revision History
Version 1.0 – September 22, 2022 – Initial Version

Executive Summary

A vulnerability was discovered by rgod working with Trend Micro’s Zero Day Initiative and reported to Rockwell Automation.  The vulnerability was discovered in the ThinManager® ThinServer™ software. Successful exploitation of this vulnerability could allow an attacker to make the software unresponsive or execute arbitrary code.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including recommended countermeasures, are listed below.

Affected Products

ThinManager ThinServer software Versions
11.0.0 – 11.0.4
11.1.0 – 11.1.4
11.2.0 – 11.2.5
12.0.0 – 12.0.2
12.1.0 – 12.1.3
13.0.0

Vulnerability Details

CVE 2022-38742 ThinManager ThinServer Heap-Based Overflow

CVSS Base Score: 8.1 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

In affected versions, an attacker can send a specifically crafted TFTP or HTTPS request causing a heap-based buffer overflow that crashes the ThinServer process.  This potentially exposes the server to arbitrary remote code execution.

Risk Mitigation & User Action

Customers are directed towards the risk mitigations provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
CVE-2022-38742 Versions Affected Suggested Actions
11.0.0 – 11.0.4 Update to v11.00.05
11.1.0 – 11.1.4 Update to v11.01.05
11.2.0 – 11.2.5 Update to v11.02.06
12.0.0 – 12.0.2 Update to v12.00.03
12.1.0 – 12.1.3 Update to v12.01.04
13.0.0 Update to v13.00.01

Additional Mitigations

If users are unable to update to the patched version, they should put the following mitigation in place:
  • Block network access to the ThinManager TFTP and HTTPS ports from endpoints other than ThinManager managed thin clients
For additional security best practices, please see our Knowledgebase article,QA43240 - Security Best Practices, to maintain the security posture of your environment.

References

CVE-2022-38742

PN1603 | KEPServer Enterprise Vulnerable to Remote Code Execution and Denial-of-Service Attack (CVE-2022-2825, CVE-2022-2848)

Revision History
Revision History
Version 1.0 – September 1, 2022 – Initial Version

Executive Summary

Rockwell Automation was notified by ICS-CERT of vulnerabilities discovered in Kepware® KEPServerEX, which affects the Rockwell Automation KEPServer Enterprise. Successful exploitation of these vulnerabilities could allow an attacker to crash the device or remotely execute arbitrary code.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details are provided relating to the discovered vulnerabilities, including recommended countermeasures.

Affected Products

KEPServer Enterprise – All versions prior to v13.01.00

Vulnerability Details

CVE 2022-2848 KEPServer Enterprise Heap-Based Overflow
CVSS Base Score: 9.1 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Specifically crafted OPC UA messages transmitted to the server could allow an attacker to crash the server and
leak data.

CVE 2022-2825 KEPServer Enterprise Stack-Based Overflow
CVSS Base Score: 9.8 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Specifically crafted OPC UA messages transmitted to the server could allow an attacker to crash the server and remotely execute code.

Risk Mitigation & User Action

Vulnerability Suggested Actions
CVE-2022-2848 Customers should update to version 13.01.00 which mitigates these issues
CVE-2022-2825


If a customer is unable to update to the mitigated version, it is suggested that Security Best Practices are followed as outlined in our Knowledgebase article, QA43240 - Security Best Practices.

General Security Guidelines

PN1598 | CVE 2022-1096 Chromium Type Confusion Vulnerability Impact Multiple Products (CVE-2022-1096)

Reference
CVE 2022-1096
Revision History
Revision Number
1.1
Revision History
Version 1.0 – July 12, 2022
Version 1.1 – August 26, 2022 Updated FT View Site Edition Mitigation Instructions

Executive Summary

Rockwell Automation is aware of multiple products that use the Chromium web browser and are affected by CVE 2022-1096, which is a zero day type confusion vulnerability. Exploitation of this vulnerability could potentially lead to a low impact to the availability of the targeted device. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerabilities including recommended countermeasures, are provided.

Affected Products

Product in Scope Vulnerable Component
FactoryTalk® Linx Enterprise software
v6.20, 6.21, and 6.30		 V6.21 CefSharp v73.1.130 (EIPCACT feature)
V6.30 CefSharp v91.1.230 (EIPCACT feature)
v6.20 CefSharp v73.1.130 (Device Config feature)
v6.21 CefSharp v73.1.130 (Device Config feature
v6.30 CefSharp v73.1.130 (Device Config feature
Enhanced HIM (eHIM) for PowerFlex® 6000T drives v1.001
Electron v4.2.12
Connected Components Workbench software v11, 12,13 & 20 Note: Drives Trending 1.00.00 and 2.00.00 uses Connected Components Workbench Cefsharp V81.3.100
FactoryTalk Link Gateway software v6.21 and v6.30  v6.21 CefSharp v73.1.130
 v6.30 CefSharp v91.1.230
FactoryTalk View Site Edition software v.13.0 WebView2 v96.0.1054.43

Vulnerability Details

Rockwell Automation has been made aware of a third-party vulnerability that is present in multiple vendor components, which our products use. Due to the way Rockwell Automation uses the Chromium web browser, exploitation of this vulnerability may cause the vulnerable products to become unavailable temporarily. As a result, we adjusted the CVSS Score to reflect how this vulnerability affects our products.

CVE 2022-1096 Chromium Web Browser Type Confusion Vulnerability
CVSS Base Score: 4.0 /10 (Medium)
CVSS 3.1 Vector String:  CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated firmware becomes available.

For customers using the FactoryTalk View Site Edition follow the recommended actions to address the vulnerability:
  • Do not use the FactoryTalk View SE web browser control if it is not required for the intended use of the product.
  • Customers utilizing the SE Web Browser can manually download and apply the newer version of WebView2 by using the following directions:
    • Replace the Microsoft® msedgewebview2.exe file that is saved in the C:Program Files (x86)Rockwell SoftwareRSView EnterpriseMicrosoft.WebView2.FixedVersionRuntime by copying and pasting the new version of the software into the folder.
    • DO NOT remove the contents of the folder before pasting the new file.

For customers using the Enhanced HIM (eHIM) for Power Flex 6000T drives follow the recommended actions to address the vulnerability:
  • Update the Microsoft Edge browser to Version 99.0.1150 or later. Additionally, apply the update for eHIM when it becomes available to mitigate the vulnerability.
If applying the mitigations, noted above, is not possible please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

PN1550 | CVE-2021-22681: Authentication Bypass Vulnerability Found in Logix Controllers (CVE-2021-22681)

Revision History
Revision Number
1.4
Revision History
Version 1.0 - February 25, 2021. Initial Release.
Version 1.2 - March 5, 2021. Updated for clarity.
Version 1.3 - May 5, 2021. Mitigations updated – 1783-CSP CIP Security Proxy.
Version 1.4 - July 20, 2022. Rearranged placement of general mitigations

Executive Summary

Researchers found that our Studio 5000 Logix Designer® software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.

FactoryTalk® Security provides user authentication and authorization for a particular set of actions within RSLogix® 5000 and Studio 5000®. Once the application is authorized to open and connect to the controller within RSLogix 5000 or Studio 5000 this verification mechanism, referenced above, is leveraged to establish the connection to the controller. For customers concerned with user access control and who have deployed FactoryTalk Security, this vulnerability may allow an attacker to bypass the protections provided by FactoryTalk Security.

This vulnerability was independently co-discovered by Lab of Information Systems Security Assurance (Eunseon Jeong, Youngho An, Junyoung Park, Insu Oh, Kangbin Yim) of Soonchunhyang University, Kaspersky, and by Claroty, a cybersecurity technology vendor and partner of Rockwell Automation.

Affected Products

Software:
RSLogix 5000 software v16-20, Studio 5000 Logix Designer v21 and later, and corresponding Logix controllers running these versions.
FactoryTalk Security, part of the FactoryTalk Services Platform, if configured and deployed v2.10 and later.

Controllers:
1768 CompactLogix™
1769 CompactLogix
CompactLogix 5370
CompactLogix 5380
CompactLogix 5480
ControlLogix 5550
ControlLogix® 5560
ControlLogix 5570
ControlLogix 5580
DriveLogix™ 5730
FlexLogix™ 1794-L34
Compact GuardLogix® 5370
Compact GuardLogix 5380
Guardlogix 5560
GuardLogix 5570
GuardLogix 5580
SoftLogix™ 5800

Vulnerability Details

CVE-2021-22681: Private Key Extraction
Studio 5000 Logix Designer uses a key to verify Logix controllers are communicating with Rockwell Automation products. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass a verification mechanism and authenticate with Logix controllers. If exploited, this vulnerability could enable an unauthorized third-party tool to make changes to the controller configuration and/or application code.

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

For details and further mitigation options, please see the table below.
Product Family and Version Risk Mitigation and Recommended User Actions






ControlLogix 5580 v32 or later.
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the followings mitigations are recommended:
  • Deploy CIP Security for Logix Designer application connections through the front port. CIP Security prevents unauthorized connections when deployed properly.
  • If not using the front port, use a 1756-EN4TR ControlLogix EtherNet/IP™ module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which prevents unauthorized connections when properly deployed.



ControlLogix 5580 v31
  • Put the controller mode switch to “Run” mode.I
If the above cannot be deployed, the following mitigations are recommended:
  • Apply v32 or later and follow mitigations actions outlined above.
  • If unable to apply a newer version, use a 1756-EN4TR ControlLogix EtherNet/IP module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which helps prevent unauthorized connections when properly deployed.
ControlLogix 5570 v31 or later.
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigations are recommended:
  • Use a 1756-EN4TR ControlLogix EtherNet/IP Module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which helps prevent unauthorized connections when properly deployed.
CompactLogix 5380 v28 or later.
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigations are
recommended:
  • Install the 1783-CSP CIP Security Proxy to provide secure connection between the engineering workstation and the controller. For more information, please see the 1783-CSP CIP Proxy User Manual (link).
CompactLogix 5370 v20 or later
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigations are
recommended:
  • Install the 1783-CSP CIP Security Proxy to provide secure connection between the engineering workstation and the controller. For more information, please see the 1783-CSP CIP Proxy User Manual (link).
ControlLogix 5580 v28-v30
ControlLogix 5570 v18 or later
ControlLogix 5560 v16 or later
ControlLogix 5550 v16
GuardLogix 5580 v31 or later
GuardLogix 5570 v20 or later
GuardLogix 5560 v16 or later
1768 CompactLogix v16 or later
1769 CompactLogix v16 or later
CompactLogix 5480 v32 or later
Compact GuardLogix 5370 v28 or later
Compact GuardLogix 5380 v31 or later
FlexLogix 1794-L34 v16
DriveLogix 5370 v16 or later
  • Put the controller mode switch to “Run” mode.
SoftLogix 5800

Detection Strategies:
In addition, customers can continue to use the methods below to detect changes to configuration or application files:
  • Monitor controller change log for any unexpected modifications or anomalous activity.
  • If using v17 or later, utilize the Controller Log feature.
  • If using v20 or later, utilize Change Detection in the Logix Designer Application.
  • If available, use the functionality in FactoryTalk® AssetCentre software to detect changes.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware Mode Switch setting, which may be used to block unauthorized changes, etc.
Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
General Mitigations

Customers using the affected products are directed towards risk mitigation and are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.

Rockwell Automation has determined that this vulnerability cannot be mitigated with a patch. Rockwell Automation encourages customers to implement the mitigation strategies outlined in this disclosure.

A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To leverage this vulnerability, an unauthorized user requires network access to the controller. Customers should confirm that they are employing proper networking segmentation and security controls.  Including, but not limited to:
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimizing network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet.
  • Locating control system networks and devices behind firewalls and isolating them from the enterprise/business network.
  • Restricting or blocking traffic on TCP 44818 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (Publication ENET-TD001E) for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines (Publication secure-rm001) on how to use Rockwell Automation products to improve the security of their industrial automation systems.

CIP Security mitigates this vulnerability as it provides the ability to deploy TLS and DTLS based secure communications to supported products.  CIP Security is an enhancement to the ODVA EtherNet/IP industrial communication standard and directly addresses the vulnerability noted in this disclosure. CIP Security allows for users to leverage and manage certificates and/or pre-shared keys and does not make use of any hardcoded keys.

As of May 5, 2021, a new mitigation option is now available.  The 1783-CSP CIP Security Proxy is a standalone hardware solution that provides CIP Security for devices that do not natively support CIP Security.  See below for how this product can be deployed to address CompactLogix based applications.

Customers requiring setup or deployment guidance for CIP Security protocol should refer to the CIP Security deployment refence guide (Publication secure-at001) for more information.

*Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knoweldgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

PN1600 | ISaGRAF Workbench Vulnerable to Multiple Phishing-Style Attacks (CVE-2022-2463, CVE-2022-2465, CVE-2022-2464)

Revision History
Revision History
Version 1.0 – July 19, 2022
Version 1.1 – July 20, 2022 – Added AAdvance Trusted SIS Workstation to products affected

Executive Summary

Rockwell Automation received a report from Claroty regarding three vulnerabilities in ISaGRAF® Workbench. If successfully exploited, these vulnerabilities may result in directory traversal, privilege escalation, and arbitrary code execution. These vulnerabilities all require user interaction such as a phishing attack for successful exploitation.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • ISaGRAF Workbench v6.0 though v6.6.9
  • AADvance-Trusted Safety Instrumented System Workstation v1.1 and below

Vulnerability Details

CVE-2022—2465: Deserialization of untrusted data may result in arbitrary code execution

ISaGRAF Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in ISaGRAF Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-2464: Directory traversal vulnerability may lead to privilege escalation

The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by ISaGRAF Workbench, can traverse the file system. If successfully exploited, an attacker would be able to overwrite existing files and create additional files with the same permissions of the ISaGRAF Workbench software. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 7.7/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-2463: Improper input sanitization may lead to privilege escalation

ISaGRAF does not sanitize paths specified within the .7z exchange file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .7z exchange file that when opened by ISaGRAF Workbench will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 6.1/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Product Suggested Actions
CVE-2022-2463
CVE-2022-2464
CVE-2022-2465		 ISaGRAF Workbench Upgrade to ISaGRAF Workbench v6.6.10 or later.
CVE-2022-2463
CVE-2022-2464		 AAdvance-Trusted SIS Workstation Upgrade to AADvance-Trusted SIS Workstation 1.2 or later
CVE-2022-2465 AAdvance-Trusted SIS Workstation It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue.
If immediate upgrade is not possible, customers should consider implementing the following mitigations:
  • Run ISaGRAF Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted .7z exchange files with ISaGRAF Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

If applying the mitigations noted above, is not possible please see our Knowledgebase article, QA43240 – Security Best Practices, for additional recommendations to maintain the security posture of your environment.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

PN1599 | FactoryTalk Analytics DataView Vulnerable to Spring4Shell Vulnerability (CVE 2022-22965)

Revision History
Revision History
Version 1.0 – July 14, 2022

Executive Summary

Rockwell Automation was made aware of a zero-day vulnerability that impacts the Spring Core Framework. If exploited, this vulnerability could potentially have a high impact on the confidentiality, integrity, and availability of the targeted device.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including products in scope, impact, and recommended countermeasures are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • FactoryTalk® Analytics™ DataView v.3.03.01 and below

Vulnerability Details

Rockwell Automation was made aware of a third-party remote code execution vulnerability that exists in the Spring Core Framework. This vulnerability could potentially allow an attacker to send a specially crafted request to a vulnerable server. To exploit this vulnerability, the target application must run on a Tomcat as a WAR deployment. However, due to the nature of the vulnerability, other ways to exploit it may exist.

CVSS Base Score: 9.8 /10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated firmware becomes available. Please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

PN1597 | MicroLogix 1400/1100 Vulnerable to Clickjacking Vulnerability (CVE-2022-2179)

Revision History
Revision History
Version 1.0 – July 7, 2022

Executive Summary

Rockwell Automation received a vulnerability report from Pawan V. Sable and Pranita Sadgir, and Dr. Faruk Kazi of COE-CNDS from Veermata Jijabai Technological Institute (VJTI) India. If exploited, this vulnerability could potentially have a high impact on the confidentiality of the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided herein. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 v. 21.007 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the X-Frame-Options header is not configured in the HTTP response and allows potential clickjacking attacks. Exploitation of this vulnerability could potentially allow a malicious user to trick a legitimate user into using an untrusted website. If exploited, this vulnerability could lead to a loss of sensitive information, such as authentication credentials.

(CVE 2022 - 2179) MicroLogix Controllers Vulnerable to Clickjacking Attack
CVSS Base Score: 6.5 /10 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device)
  • Configure firewalls to disallow network communication through HTTP/Port 80
If applying the mitigations noted above are not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

PN1596 | Logix Controllers Vulnerable to Denial-of-Service Attack (CVE-2022-1797)

Revision History
Revision Number
1.4
Revision History
Version 1.0 – May 24, 2022
Version 1.1 – June 3, 2022 Updated suggested actions and removed versions for clarity
Version 1.2 – June 17, 2022 Clarified vulnerability details and updated risk mitigation section
Version 1.3 – July 8th, 2022 Updated risk mitigation section
Version 1.4 – July 17th, 2023 Updated risk mitigation section

Executive Summary

Rockwell Automation was made aware of a vulnerability within our Logix controllers. This vulnerability may allow an unauthorized user to send malicious messages to the targeted device, which could potentially, lead to a denial-of-service.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • CompactLogix™ 5380 controllers
  • Compact GuardLogix® 5380 controllers
  • CompactLogix 5480 controllers
  • ControlLogix® 5580 controllers
  • GuardLogix 5580 controllers
  • CompactLogix 5370 controllers
  • Compact GuardLogix 5370 controllers
  • ControlLogix 5570 controllers
  • GuardLogix 5570 controllers

Vulnerability Details

CVE-2022-1797 Rockwell Automation Logix controllers are vulnerable to denial-of-service attack
A vulnerability that exists in the Logix controller may allow an attacker to modify a message instruction control structure that could cause a denial-of-service condition due to a major nonrecoverable fault. If the controller experiences a major nonrecoverable fault, a user will have to clear the fault and redownload the user project file to bring the device back online and continue normal operations.

CVSS v3.1 Base Score: 6.8/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers can apply either mitigation A or B to address this vulnerability. Customers are directed towards the risk mitigation provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected Version Affected Suggested Actions
CompactLogix 5380 Versions prior to 32.016 Mitigation A: Customers should upgrade to version 32.016 firmware or later to mitigate this issue.

Mitigation B: Set the message control structures access to read-only. Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.
Compact GuardLogix 5380
CompactLogix 5480
ControlLogix 5580
GuardLogix 5580
CompactLogix 5370 Versions prior to 33.016 Mitigation A: Customers should upgrade to version 33.016 firmware or later to mitigate this issue.

Mitigation B: Set the message control structures access to read only.  Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.
Compact GuardLogix 5370
ControlLogix 5570
GuardLogix 5570
ControlLogix 5570 Redundancy Versions prior to 33.053 Mitigation A: Customers should upgrade to version 33.053 firmware or later to mitigate this issue.

Mitigation B: Set the message control structures access to read only.  Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.


If applying mitigation A or B is not possible, customers should consider implementing the following solutions:
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with products from Rockwell Automation is available at Knowledgebase article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

PN1585 | Logix Controllers May Allow for Unauthorized Code Injection (CVE-2021-22681, CVE-2022-1161)

Revision History
Revision History
Version 1.2 – May 06, 2022 Updated vulnerability details and risk mitigations

Detailed Information

Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Logix Controllers to Rockwell Automation. Claroty found that some Logix Controllers may allow an attacker, with the ability to modify user programs, to download a user program containing malicious code that would be undetectable to the user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here.

An attacker could gain the ability to modify user programs by leveraging a previously disclosed vulnerability (“Authentication Bypass Vulnerability Found in Logix Controllers”) whereby a private key was discovered potentially allowing Logix Controllers communicating over the unauthenticated version of EtherNet/IP™ to accept communication that do not originate from Studio 5000 Logix Designer ® software.

Affected Products

  • 1768 CompactLogix™ controllers
  • 1769 CompactLogix controllers
  • CompactLogix 5370 controllers
  • CompactLogix 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix® 5370 controllers
  • Compact GuardLogix 5380 controllers
  • ControlLogix® 5550 controllers
  • ControlLogix 5560 controllers
  • ControlLogix 5570 controllers
  • ControlLogix 5580 controllers
  • GuardLogix 5560 controllers
  • GuardLogix 5570 controllers
  • GuardLogix 5580 controllers
  • FlexLogix™ 1794-L34 controllers
  • DriveLogix™5730 controllers
  • SoftLogix™ 5800 controllers

Vulnerability Details

[CVE-2022-1161]: Modification of PLC Program Code

An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location than the executed compiled code allowing an attacker to change one and not the other. Additionally, devices communicating over the unauthenticated version of EtherNet/IP may be vulnerable to attacks from custom clients exploiting CVE-2021-22681

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The following types of code are affected by this vulnerability – indicated by an X:
Product Structured Text
(ST)		 Ladder Diagrams
(LD)		 Function Block Diagram
(FBD)		 Sequential Function Chart (SFC) Add-On Instructions (AOI)
1768 CompactLogix X Not affected X X X
1769 CompactLogix X Not affected X X X
CompactLogix 5370 X Not affected X X X
CompactLogix 5380 X X X X X
CompactLogix 5480 X X X X X
Compact GuardLogix 5370 X Not affected X X X
Compact GuardLogix 5380 X X X X X
ControlLogix 5550 X Not affected X X X
ControlLogix 5560 X Not affected X X X
ControlLogix 5570 X Not affected X X X
ControlLogix 5580 X X X X X
GuardLogix 5560 X Not affected X X X
GuardLogix 5570 X Not affected X X X
GuardLogix 5580 X X X X X
FlexLogix 1794-L34 X Not affected X X X
DriveLogix 5730 X Not affected X X X
SoftLogix 5800 X Not affected X X X

Risk Mitigation & User Action

We recommend customers using the affected products, below, to apply both Risk Mitigations A and B, if possible. Additionally, customers are advised to implement Risk Mitigation B as a long-term mitigation action and to overall increase the security posture of their environment. Furthermore, we encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.

Product Family Risk Mitigation and Recommended User Actions









ControlLogix 5570
ControlLogix 5580
GuardLogix 5570
GuardLogix 5580
CompactLogix 5380
Compact GuardLogix 5380
Risk Mitigation A:
  • Recompile and download user program code (i.e., acd) using an uncompromised workstation
  • Put controller mode switch into Run position
If keeping controller mode switch in Run is impractical, use the following mitigation:
  • Recompile and download user program code (i.e., acd) using an uncompromised workstation
  • Monitor controller change log for any unexpected modifications or anomalous activity
  • Utilize the Controller Log feature
  • Utilize Change Detection in the Logix Designer Application
  • If available, use the functionality in FactoryTalk AssetCentre software to detect changes

Risk Mitigation B:
Implement CIP Security™ to help prevent unauthorized connections when properly deployed.  Supported controllers and communications modules include:
  • ControlLogix 5580 processors using on-board EtherNet/IP port
  • GuardLogix 5580 processors using on-board EtherNet/IP port
  • ControlLogix 5580 processors operating in High Availability (HA) configurations using 1756-EN4TR’s
  • ControlLogix 5560, ControlLogix 5570, ControlLogix 5580, GuardLogix 5570 and GuardLogix 5580 can use a 1756-EN4TR ControlLogix EtherNet/IP™ module
  • If using a 1756-EN2T, then replace with a 1756-EN4TR
  • CompactLogix 5380 using on-board EtherNet/IP port
  • Compact GuardLogix 5380 using on-board EtherNet/IP port

We recommend customers using the affected products, below, to apply Risk Mitigation A. We encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.
Product Family Risk Mitigation and Recommended User Actions
1768 CompactLogix
1769 CompactLogix
CompactLogix 5370
CompactLogix 5480
ControlLogix 5560
GuardLogix5560

 Risk Mitigation A:
  • Recompile and download user program code (i.e., acd)
  • Put controller mode switch into Run position

If keeping controller mode switch in Run is impractical, then use the following mitigation:
  • Recompile and download user program code (i.e., acd)
  • Monitor controller change log for any unexpected modifications or anomalous activity
  • Use the Controller Log feature
  • Use Change Detection in the Logix Designer application
  • If available, use the functionality in FactoryTalk AssetCenter to detect changes

In addition to applying risk mitigations, customers should also utilize the detection tools, listed below, to identify if this vulnerability has been exploited in their environment.

Exploitation Detection Method:

The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:
  • On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer Compare Tool User Manual, pages 19-20.
  • Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).
Notes:
  • The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
  • Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

Social Engineering Mitigation Strategies
Do not click on or open URL links from untrusted sources.Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations (Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see Rockwell Automation Publication System Security Design Guidelines Reference Manual.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).

Additional Links

PN1586 | Logix Designer Application May Allow Unauthorized Controller Code Injection (CVE-2022-1159)

Revision History
Revision History
Version 1.0 – March 31, 2022
Version 1.1 – May 06, 2022 – Updated vulnerability details and mitigations

Detailed Information

Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Studio 5000 Logix Designer® software which impacts some Logix controllers. Claroty found that the Logix Designer application could allow an unauthorized third-party to inject controller code using a compromised workstation where the third party has gained administrative access. This could allow a third party to download the modified program to the controller and potentially allow for arbitrary code execution on the controller in a way that would potentially be undetectable to a user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here .

Affected Products

Studio 5000 Logix Designer application v28 and later, and the following Logix controllers running these versions:
  • ControlLogix® 5580 controllers
  • GuardLogix® 5580 controllers
  • CompactLogix™ 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix 5380 controllers

Vulnerability Details

[CVE-2022-1159]: Modification of PLC Program Code
Studio 5000 Logix Designer compiles the user program on the workstation.  This compilation process prepares the Logix Designer application user program for download to a Logix controller. To successfully exploit this vulnerability, an attacker must first gain administrator access to the workstation running Studio 5000 Logix Designer.  The attacker can then intercept the compilation process and inject code into the user program.   The user may potentially be unaware that this modification has taken place.

This exploit could also allow modification of source key protected content and license source protected content. Changes to the content may not be noticeable to the user. Additionally, exploitation could affect safety tasks if unlocked and signature unprotected at the time of the attack. A locked and signature protected safety task would not be impacted.

CVSS v3.1 Base Score: 7.7/HIGH
CVSS Vector: AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

There is no long-term mitigation for this vulnerability. Customers using the affected hardware and software are directed to apply compensating controls and utilize detection capabilities, which are both listed below. Additionally, we recommend implementing general security guidelines for a comprehensive defense in depth strategy.

Compensating Controls:

Exploitation Detection Method:

The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:
  • On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer application Compare Tool User Manual publication LDCT-UM001C, pages 19-20.
  • Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).
Notes:
  • The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
  • Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see the Rockwell Automation publication number SECURE-RM001 “System Security Design Guidelines Reference Manual”.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).

Additional Links

PN1594 | APT Cyber Tools Targeting ICS/SCADA Devices (PIPEDREAM/INCONTROLLER)

Revision History
Revision History
Version 1.0 – May 6, 2022

Executive Summary

On April 13, 2022, researchers announced a new set of tools that was developed by an Advanced Persistent Threat (APT). This set of tools allows threat actors to attack specific ICS and OT hardware and software. Rockwell Automation is providing this advisory to notify customers of our response to this threat.

We are diligently working through our process to evaluate the threat and provide security mitigations as needed. Rockwell Automation recommends that customers apply hardening techniques, in addition to security best practices for a comprehensive defense in depth approach.

Affected Products

We are aware that the tool set contains modules that target OPC UA servers, CODESYS runtimes, and ASRock drivers. After evaluation, Rockwell Automation is aware that the products, listed below, use one of the targeted components. This list may be updated if more products are identified.

Products that use OPC UA servers:
  • FactoryTalk® Linx Gateway
    • Editions include embedded, basic, standard, extended distributed, professional
    • Versions include 6.10, 6.11, 6.20, 6.21 and 6.30

Risk Mitigation & User Action

We recommend the following compensating controls for customers using Rockwell Automation products that use the targeted hardware and software:
  • Disable anonymous authentication and configure the use of FactoryTalk Security using the following guidance. FactoryTalk Linx Gateway Getting Result Guide FTLG-GR001E
    • Chapter 4 - UA Server Endpoints - Endpoint Properties
    • Appendix D - Secure FactoryTalk Linx Gateway using FactoryTalk Security
  • Enforce a lockout threshold for failed authentication attempts and configure audit logs using the following guidance to detect signs of an attack. FactoryTalk Security System Configuration Guide Publication FTSEC-QS001R - Chapter 9
    • Set system policies - Account Policy Settings
    • Set audit policies - Monitor security-related events

General Security Guidelines

Refer to the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Industrial Security Services website for information on security services from Rockwell Automation to assess, help protect, detect, respond, and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation in PN1354 – Industrial Security Advisory Index

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com

Additional Links

PN1592 | Vulnerable Third-Party Components in FactoryTalk® ProductionCentre

Revision History
Revision History
Version 1.0 – May 4, 2022

Executive Summary

Rockwell Automation discovered multiple vulnerabilities affecting third-party software utilized by our FactoryTalk® ProductionCentre (FTPC) products. If exploited, these vulnerabilities could have various effects, including but not limited to, remote code execution, information disclosure, and denial of service on FTPC products.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including products in scope and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk® ProductionCentre v10.04 and earlier

Vulnerability Details

As part of our commitment to security, Rockwell performs routine testing and vulnerability scanning to maintain the security posture of products. Due to open-source testing, we were made aware that third-party components utilized within our FTPC products contain vulnerabilities that range from low to high. The third-party components are listed below.
Apache ActiveMQ Version 5.15.0 Dom4J Version 1.61
Apache Common BeanUtils Version 1.9.0 Hibernate ORM Version 3.3.2
Apache CXF Version 3.1.10 Jackson Databind Version 2.1.4
Apache Http Client Version 4.5.2 JasperReports Library Version 6.2.0
Apache Santuario (Java) 2.0.8 Java Platform Standard Edition Version 8u181
Apache Xalan Version (Java) 2.7.1 JBoss Remoting Version 4.0.22.Final
Apache Xerces2J Version 2.11.0.SP5 JGroups Version 2.12.2 Final
Bouncy Castle Version 1.36, 1.44, 1.55 Spring Framework Versions 2.5.5, 4.3.8-4.3.9
Cryptacular Version 1.51 Undertow Core Versions 1.0.10.Final
Codehaus XFire Version 0.9.5.2 Velocity.apache.org Version 1.7

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerabilities. We encourage customers to combine the risk mitigations with security best practices to deploy a defense-in-depth strategy.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that a VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable the assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Additional Links

If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com

PN1589 | Multiple Products Vulnerable to Deserialization of Data (CVE-2022-1118)

Revision History
Revision History
Version 1.0 – April 4, 2022

Executive Summary

Rockwell Automation received a report from the researcher Kimiya through Trend Micro’s Zero Day Initiative about vulnerabilities in Connected Components Workbench™, ISaGRAF® Workbench and Safety Instrumented Systems Workbench for Trusted® controllers. If successfully exploited, these vulnerabilities may result in remote code execution. These vulnerabilities all require user interaction through a phishing attack, for example, to be successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • Connected Components Workbench v13.00.00 and below.
  • ISaGRAF Workbench v6.0-v6.6.9
  • Safety Instrumented System Workstation v1.2 and below (for Trusted Controllers)

Vulnerability Details

CVE-2022-1118- Deserialization of untrusted data may result in arbitrary code execution
Connected Components Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected Suggested Actions
Connected Components Workbench Versions 13.00 and below Customers should update to version 20.00, which mitigates this vulnerability.
ISaGRAF Workbench Versions 6.0-6.6.9 It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue.
SIS Workstation Versions 1.2 and below (for Trusted Controllers) It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue.

If an upgrade is not possible or available, customers should consider deploying the following mitigations:
  • Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted .ccwsln files with Connected Component Workbench, ISaGRAF, or SISW. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com)

Additional Links

PN1579 | Log4Shell Vulnerability Notice (CVE-2021-4104, CVE-2021-45046, CVE-2019-17571, CVE-2021-44228)

Revision History
Revision Number
2.2
Revision History
Version 1.0 – 12-Dec-2021. Initial Version

Version 1.1 – 15-Dec-2021. Updated Affected Products and Risk Mitigation & User Actions


Version 1.2 – 17-Dec-2021. Updated FTA DataView Versions affected

Version 2.0 – 19-Dec-2021. Updated Affected Products and Risk Mitigation & User Actions, etc.


Version 2.1 – January 7, 2022. Updated FactoryTalk® Analytics™ DataView, Data Flow ML, Warehouse Management Patch Guidance and User Actions, etc.
Version 2.2 – January 21, 2022 Updated DataView Mitigation Actions, etc

Executive Summary

On December 9, 2021, a vulnerability was announced named “Log4Shell” by researchers. This vulnerability allows for remote code execution by exploiting the Java Logging Library log4j2.

Rockwell Automation is aware of this vulnerability and of how it could, if exploited, potentially impact our customers’ environments. Rockwell Automation has completed process of evaluation on how the mitigation techniques will impact the functionality and performance of the Rockwell Automation hardware, software, and pre-engineered products and solutions that incorporate this software.

Affected Products

Rockwell Automation has investigated its product portfolio to identify which of its products may be directly affected by the "Log4Shell" vulnerability. Rockwell Automation will continue to monitor this situation and will update this advisory if necessary. Our investigation has indicated that the following Rockwell Automation products are affected.
Product Affected Versions Affected
Plex (A Rockwell Automation Company) Industrial Internet of Things All Versions < 2.17
Fiix (A Rockwell Automation Company) CMMS™ core V5 This product is cloud-based and has been updated for all customers.
Warehouse Management 4.01.00, 4.02.00, 4.02.01, 4.02.02
EIG (Discontinued) 3.03.00
Industrial Data Center 9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS – Gen 1, Gen 2, Gen 3, Gen 3.5
VersaVirtual™ Application 9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN – Series A
FactoryTalk® Analytics™ DataFlowML All Versions until 4.00.00 (including)
FactoryTalk Analytics DataView All
Firewall Managed Support – Cisco FirePOWER® Thread Defense 9300-FMAN, 9300-FSYS Version 6.2.3 – 7.1.0

Vulnerability Details

CVE-2021-44228: Apache Log4j2 JNDI features do not help protect against attacker-controlled LDAP and other JNDI related endpoints

Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.


It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.

CVSS v3.1 Base Score: 3.7/10 [Moderate]
CVSS V3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data


JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVSS v3.1 Base Score: 8.1/10 [High]
CVSS V3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-17571: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

CVSS v3.1 Base Score: 9.8/10 Critical]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Vulnerability Products Affected Suggested Actions
CVE-2021-44228 Plex Industrial IoT This product has been updated to version 2.17.1 and all vulnerabilities are mitigated at this time.  No user action is required.
Fiix CMMS core V5 The product has been updated to remove Log4j completely and is no longer vulnerable. No user interaction is required.
Warehouse Management Version 4.01.00, 4.02.00, 4.02.01, 4.02.02 Customers should upgrade to version 4.02.03, which has been released to mitigate this vulnerability.
MES EIG 3.03.00 This product is currently discontinued and therefore no patch will be provided. Customers should upgrade to EIG Hub if possible or work with their local representatives about alternative solutions.
Industrial Data Center (9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS) – Gen 1, Gen 2, Gen 3, Gen 3.5 - For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028.
- For managed support customers, Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager.
- For non-managed support customers with a with VNxE, follow the mitigation outlined by Dell in DSA-2021-298.
- For non-managed support customers with a Data Domain, follow the mitigation outlined by Dell in DSA-2021-274
VersaVirtual (9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN) – Series A - For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028.2.
- For managed support customers, Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager.
FactoryTalk Analytics DataFlowML Customers should upgrade to version 4.00.01, which has been released to mitigate this vulnerability. It is recommended that customers not use DataFlow ML prior to version 4.00.01.
FactoryTalk Analytics DataView 3.02 Customers are required to upgrade from 3.02 to 3.03.01.  Customers who have prior versions are required to upgrade to 3.02 first. It is recommended that customers not use DataFlow ML prior to version 4.00.00.
Firewall Managed Support – Cisco Firepower Thread Defense (9300-FMAN, 9300-FSYS) Version 6.2.3 – 7.1.0 - For managed support customers, Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager.
- For non-managed support customers, follow the mitigation instructions outlined by Cisco in CSCwa46963.
CVE-2021-45046, CVE-2021-4104, CVE-2019-17571
 No products affected at this time.

Products Using Log4j 1.2
A number of Rockwell Automation products contain log4j libraries that may be detected by various scanning tools. These products do not use the JMSAppender nor the Socket Server and are not vulnerable to CVE-2021-4104 and CVE-2019-17571:

Products Evaluated and Not Affected

Suggested Actions
Factory Talk Analytics Data View 3.02.00, 3.03.00, 4.00.00, 4.01.00 No actions are needed as these products do not use the JMSAppender nor the Socket Server and therefore are not vulnerable.
Data Scheduler
FactoryTalk Augmented Modeler
Factory Talk Analytics Data Flow ML 2.01
Factory Talk Analytics Information Platform
Live Transfer 10.4, 11.0
Pavilion8
Factory Talk Analytics Security Provider 3.02.00, 3.03.00
PanelView 5000
FactoryTalk Production Centre (All Versions)
Factory Talk Pharma Suite (All Versions)
Studio 5000 View Designer Studio 5000 does not use the JMSAppender nor the Socket Server and is not vulnerable.
Note: Studio 5000 consists of Factory Talk Logix Designer and Factory Talk View Designer.  If Logix Designer is the only component required, then View Designer may be removed by uninstalling it using the Windows Add/Remove Programs feature.  Uninstall “Studio 5000 View Designer”.  This will remove the log4j 1.2x library completely.

General Security Guidelines

See the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located in PN1354 – Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website .

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

General Mitigations

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • Visit links below for more mitigation techniques
ADDITIONAL LINKS

PN1567 | ISaGRAF Runtime Affected by Multiple Vulnerabilities (CVE-2020-25184, CVE-2020-25180, CVE-2020-25176, CVE-2020-25182, CVE-2020-25178)

Revision History
Revision Number
1.2
Revision History
Version 1.2 - December 30, 2021. Updated Suggested Actions for AADvance® Controller version 1.40 and earlier
Version 1.1 - June 9, 2021. Vulnerability description correction for CVE-2020-25176.
Version 1.0 - June 8, 2021. Initial Release.

Executive Summary

Rockwell Automation received a report from Kaspersky regarding five vulnerabilities in ISaGRAF® Runtime 4 and 5. If successfully exploited, these vulnerabilities may result in remote code execution, information disclosure, or denial of service.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

ISaGRAF Runtime 4.x and 5.x
The following Rockwell Automation products are based on ISaGRAF to design integrated automation solutions:
  • AADvance® Controller version 1.40 and earlier
  • ISaGRAF Free Runtime in ISaGRAF6 Workbench version 6.6.8 and earlier
  • Micro800™  family, all versions

Vulnerability Details

CVE-2020-25176: Code Execution due to Relative Path Traversal
Some commands used by the ISaGRAF eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote attacker authenticated on the IXL protocol to traverse an application’s directory, which could lead to remote code execution.

CVSS v3.1 Base Score: 9.1/10 [CRITICAL]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2020-25184: Information Disclosure due to cleartext storage of passwords in a file and memory
ISaGRAF Runtime stores the password in plaintext in a file which is located in the same directory with the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords resulting in information disclosure.

CVSS v3.1 Base Score: 7.8/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-25178: Information Disclosure due to Cleartext Transmission of Information
ISaGRAF Workbench communicates with ISaGRAF Runtime using TCP/IP. The communication protocol provides various file system operations as well as uploading applications. Data is transferred over this protocol unencrypted, which could allow a remote, unauthenticated attacker to upload, read and delete files.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2020-25182: Code Execution due to Uncontrolled Search Path Element
ISaGRAF Runtime searches and loads DLLs as dynamic libraries. Uncontrolled loading of dynamic libraries could allow a local, unauthenticated attacker to execute arbitrary code. This vulnerability only affects Microsoft Windows systems running ISaGRAF Runtime.

CVSS v3.1 Base Score: 6.7/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-25180: Information Disclosure due to Hard-coded Cryptographic Key
ISaGRAF Runtime includes the functionality of setting a password which is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encryption performed with a fixed key value using the Tiny Encryption Algorithm (TEA) on a password that has been entered or saved.  A remote, unauthenticated attacker could pass his own encrypted password to the ISaGRAF 5 Runtime, which may result in information disclosure on the device.

CVSS v3.1 Base Score: 5.3/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software and are directed towards risk mitigation. Customers are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.
Vulnerability Affected Products Suggested Mitigations
CVE-2020-25176 AADvance Controller
ISaGRAF5 Runtime
Micro800 family		 Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and
AADvance Controller firmware to version 1.041.3

Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed.

For ISaGRAF, customers are encouraged to restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF refer to product documentation.

Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.

For AADvance controllers, Customers should update to version 1.041.3 to mitigate vulnerability.

For Micro800 family, to reduce risk, customers are encouraged to help protect the controller with a password. Additionally, customers deploying Micro870®, Micro850®, or Micro830® controllers are encouraged to put the controller's mode switch to "RUN". Customers are encouraged to restrict or block traffic on TCP 44818 from outside the industrial control system network zone.

Customers should also confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible.

For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products .
CVE-2020-25178 AADvance Controller
ISaGRAF5 Runtime
Micro800 family		 Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and
AADvance Controller firmware to version 1.041.3.

Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed.

Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.
CVE-2020-25182 ISaGRAF5 Runtime Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00.

Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed.

Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.
CVE-2020-25184 AADvance Controller
ISaGRAF5 Runtime











Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3.

Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed.

For ISaGRAF, restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF refer to product documentation.

Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.

For AADvance controllers, Customers should update to version 1.041.3 to mitigate this vulnerability.
CVE-2020-25180 AADvance Controller
ISaGRAF5 Runtime		 To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense in depth strategies.

Customers should consider using proper network infrastructure controls, such as firewalls, UTM devices, VPN, or other security appliances.

For ISaGRAF, restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF refer to product documentation.

Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.

For AADvance controllers, Customers should update to version 1.041.3 to mitigate this vulnerability.

General Security Guidelines

  • Use proper network infrastructure controls, such as firewalls, to help ensure that any communication protocols from unauthorized sources are blocked.
  • Block traffic to all protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to ports using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports, refer to the product documentation.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources is only granted with a minimum number of rights as needed.
  • Do not open untrusted .isasln and .acfproj files with ISaGRAF6 Workbench.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS

PN1580 | GOAhead Web Server vulnerability in 1783-NATR (CVE-2019-5097, CVE-2019-5096)

Revision History
Revision Number
1.2
Revision History
Version 1.0 – December 15, 2021
Version 1.1 - December 16, 2021: Updated Suggested Actions
Version 1.2 – January 21, 2021: Updated Suggested Actions To Mitigate

Executive Summary

Rockwell Automation received a report from Cisco® Talos™ Researchers regarding two vulnerabilities in the 1783-NATR. If successfully exploited, these vulnerabilities may result in remote code execution on the device through the GoAhead web server and a denial-of-service condition.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Detailed Information

CVE-2019-5096: GoAhead web server allows unauthenticated HTTP requests that may result in remote code execution

A remote unauthenticated attacker may be able to send a specially crafted HTTP request that can lead to a use-after-free condition during the processing of this request that can be used to corrupt heap structures, which would result in the ability for the attacker to execute remote code execution.

CVSS v3.1 Base Score: 9.8/10[Critical}

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-5097: GoAhead web server allows specially crafted HTTP requests that may result in a denial-of-service for the device.

A remote unauthenticated attacker may be able to send a specially crafted HTTP request that can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POSTS requests and does not require the requested resource on the server, which would lead to a denial-of-service attack on the device.

CVSS v3.1 Base Score: 7.5/10 [High]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

1783-NATR version 1.005

Risk Mitigation & User Action

Customers using the affected 1783-NATR are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Suggested Actions
CVE-2019-5096 Upgrade firmware to version 1.006 to mitigate this vulnerability.
CVE-2019-5097 Upgrade firmware to version 1.006 to mitigate this vulnerability.

General Security Guidelines

Network-based vulnerability mitigations for embedded products

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that HTTP port 80 from unauthorized sources are blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to Port#80 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products .

General mitigations

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/security notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

Additional Links

PN1494 | VxWorks Vulnerabilities affect Programmable Automation Controllers, EtherNet/IP Communication Modules, I/O Modules, Kinetix 6500 Servo Drive, High-Frequency RFID Interface Block (CVE-2019-12260, CVE-2019-12265, CVE-2019-12257, CVE-2019-12258, CVE-2019-12256, CVE-2019-12255, CVE-2019-12263, CVE-2019-12262, CVE-2019-12264, CVE-2019-12261, CVE-2019-12259)

Revision History
Revision Number
1.0
Revision History
02-March-2020 - Version 1.4. Updated suggested risk mitigation & user actions.
11-November-2020 - Version 1.3. Corrected suggested actions.
16-November-2019 - Version 1.2. Updated Advisory.
30-July-2019 - Version 1.0. Initial Release.
Revision History
Revision Number
1.1
Revision History

09-October-2019 - Updated Advisory

On October 1st, 2019, it was reported (ICS-CERT Advisory: ICSA-19-274-01) that the series of TCP/IP stack vulnerabilities originally reported as impacting VxWorks systems were now found to impact additional real-time operating system vendors including ENEA, Green Hills Software, ITRON, and IP Infusion. Rockwell Automation is not aware of any products affected by the new advisory. An investigation is ongoing and this advisory will be updated when the investigation is complete.

Revision History
Revision Number
1.2
Revision History

16-November-2019 - Updated Advisory

Rockwell Automation completed an investigation into the additional, impacted real-time operating systems reported in ICS-CERT Advisory: ICSA-19-274-0, and concluded that no products are affected by this new advisory.

Revision History
Revision Number
1.3
Revision History
2-November-2020. Corrected suggested actions.

The Rockwell Automation PSIRT has updated the suggested actions for the for the ControlLogix 5580 and CompactLogix. Please refer to the Risk Mitigation & User Action section below for more information.

Revision History
Revision Number
1.4
Revision History
02-March-2020 - Version 1.4. Updated suggested risk mitigation & user actions.

The Rockwell Automation PSIRT has updated the suggested actions for the for the ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, and CompactLogix 5380. Please refer to the Risk Mitigation & User Action section below for more information.

Revision History
Revision Number
1.5
Revision History
04-August-2021 – Version 1.5 Updated firmware available for 1747-AENTR and 1769-AENTR

Executive Summary

Armis, an Internet of Things (IoT) security firm, reported a total of eleven vulnerabilities to WindRiver that affect VxWorks, a real-time operating system (RTOS) utilized by many different technology vendors, including Rockwell Automation™. These vulnerabilities, if successfully exploited, may result in several impacts ranging from packet information disclosure to allowing a threat actor to execute arbitrary code on the targeted device.

Not every VxWorks vulnerability applies to every impacted product family. Please see the table under Affected Products for a full list of the potentially affected Rockwell Automation products and the corresponding VxWorks vulnerabilities, which are identified by their Common Vulnerabilities and Exposures (CVE) ID.

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.

Customers using potentially affected products are encouraged to evaluate their own systems and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

Product Family

Catalogs

CVE-2019-12255

CVE-2019-12256

CVE-2019-12257

CVE-2019-12258

CVE-2019-12259

CVE-2019-12260

CVE-2019-12261

CVE-2019-12262

CVE-2019-12263

CVE-2019-12264

CVE-2019-12265

CompactLogix™ 5480 (EPIC controller)

5069-L4

x

x

x

x

x

x

x

x

Compact 5000™ I/O EtherNet/IP Adapter

5069-AEN2TR

x

x

x

x

x

x

x

x

ControlLogix® 5580 (+ GuardLogix®)

1756-L8

x

x

x

x

x

x

x

x

CompactLogix Compact GuardLogix 5380

5069-L3
5069-L3S2

x

x

x

x

x

x

x

x

CompactLogix 5370

1769-L3

x

x

x

x

x

x

x

x

CompactLogix GuardLogix 5370

1769-L3S

x

x

x

x

x

x

x

x

CompactLogix 5370

1769-L2

x

x

x

x

x

x

x

x

CompactLogix 5370

1769-L1

x

x

x

x

x

x

x

x

ControlLogix EtherNet/IP Module

1756-EN2TSC/A

x

x

x

x

x

x

x

x

ControlLogix EtherNet/IP Module

1756-EN2TSC/B

x

x

x

x

x

x

x

x

x

ControlLogix EtherNet/IP Module

1756-EN2T/C

x

x

x

x

x

x

x

x

ControlLogix EtherNet/IP Module

1756-EN2T/D

x

x

x

x

x

x

x

x

x

ControlLogix EtherNet/IP Module

1756-EN4TR

x

x

x

x

x

x

x

x

ControlLogix EtherNet/IP Module

1756-EN2TP/A

x

x

x

x

x

x

x

x

x
ControlLogix EtherNet/IP Module 1756-EN2TR/B x x x x x x x x

ControlLogix EtherNet/IP Module

1756-EN2TR/C

x

x

x

x

x

x

x

x

x

ControlLogix EtherNet/IP Module

1756-EN3TR/B

x

x

x

x

x

x

x

x

X

ControlLogix EtherNet/IP Module

1756-EN2F/C

x

x

x

x

x

x

x

x

x

ControlLogix EtherNet/IP Module

1756-EN2TRXT

x

x

x

x

x

x

x

x

1783-NATR, Network Address Translation Router

1783-NATR

x

x

x

x

x

x

x

x

ArmorBlock® I/O Modules

1732E-8CFGM8R

x

x

x

x

x

x

x

x

ArmorBlock I/O Modules

1732E-IB8M8SOER

x

x

x

x

x

x

x

x

ArmorBlock I/O Modules

1732E-IF4M12R

x

x

x

x

x

x

x

x

ArmorBlock I/O Modules

1732E-IR4M12R

x

x

x

x

x

x

x

x

ArmorBlock I/O Modules

1732E-IT4M12R

x

x

x

x

x

x

x

x

ArmorBlock I/O Modules

1732E-OB8M8SR

x

x

x

x

x

x

x

x

ArmorBlock I/O Modules

1732E-OF4M12R

x

x

x

x

x

x

x

x

ArmorBlock I/O Modules

1732E-8IOLM12R

x

x

x

x

x

x

x

x

Bulletin 56RF High-Frequency RFID

56RF-IN-IPD22

x

x

x

x

x

x

x

x

Bulletin 56RF High-Frequency RFID

56RF-IN-IPD22A

x

x

x

x

x

x

x

x

Bulletin 56RF High-Frequency RFID

56RF-IN-IPS12

x

x

x

x

x

x

x

x

SLC™ 500 EtherNet/IP Adapter

1747-AENTR

x

x

x

x

x

x

x

x

CompactLogix E/IP Adapter

1769-AENTR

x

x

x

x

x

x

x

x

Kinetix® 6200 Servo Multi-axis Drives

2094-SE02F-M00-Sx

x

x

x

x

x

x

x

x

Kinetix® 6500 Servo Multi-axis Drives

2094-EN02D-M01-Sx

x

x

x

x

x

x

x

x

Vulnerability Details

Vulnerability #1: TCP Urgent Pointer = 0 leads to integer underflow
A remote, unauthenticated threat actor could either hijack an existing TCP session or establish a new TCP session to inject malformed TCP packets to the device, resulting in a denial of service condition to the application, or could allow the execution of arbitrary code on the affected device. Products implementing non-executable memory mitigations reduce the risk of exploitation.

CVE-2019-12255 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #2: Stack overflow in the parsing of IPv4 packets’ IP options
A remote, unauthenticated threat actor could send invalid IPv4 packets, resulting in a crash to the task that receives or transmits any Ethernet packets, or could allow the execution of arbitrary code on the affected device.

CVE-2019-12256 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #3: Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc
A remote, unauthenticated threat actor could utilize this vulnerability overwrite the heap, which may result in a crash later on when a task requests memory from the heap.

CVE-2019-12257 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned.

Vulnerability #4: Denial of Service (DoS) of TCP connection via malformed TCP options
A remote, unauthenticated threat actor who is able to figure out the source and destination TCP port and IP addresses of a session could potentially inject invalid TCP segments which cause the TCP session to be reset, resulting in a crash of the application that is reading from the affected socket.

CVE-2019-12258 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned.

Vulnerability #5: DoS via NULL dereference in IGMP parsing
An unauthenticated threat actor on the same Local Area Network (LAN) as the victim system may use this vulnerability to cause a Denial of Service condition to the task that receives and transmits Ethernet packets.

CVE-2019-12259 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned.

Vulnerability #6: TCP Urgent Pointer state confusion caused by malformed TCP AO option
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12260 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #7: TCP Urgent Pointer state confusion during connect() to a remote host
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12261 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System (“CVSS”) v3.0. A CVSS v3 base score of 8.8 has been assigned.

Vulnerability #8: Handling of unsolicited Reverse Address Resolution Protocol (ARP) replies
A threat actor on the same LAN as the victim system can send reverse-ARP responses to the victim system and assign IPv4 addresses to the target, which could potentially result in network connectivity issues if any of the ARP values collide.

CVE-2019-12262 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.

Vulnerability #9: TCP Urgent Pointer state confusion due to race condition
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12263 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned.

Vulnerability #10: Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
A threat actor on the same LAN as the victim system could hijack a DHCP client session which may result in the victim incorrectly assigning a multicast IP address that originated from the threat actor.

CVE-2019-12264 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.

Vulnerability #11: IGMP information leak via IGMPv3 specific membership report
This vulnerability may allow a threat actor on the same LAN as the victim system to transmit packets to the network that may contain information from packets that were previously sent/received by the network stack.

CVE-2019-12265 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned.

Risk Mitigation & User Action

Customers using affected products are encouraged evaluate their risk and when possible, combine the following risk mitigation strategies provided below with the general security guidelines.

  1. Ensure all devices are placed behind an external firewall and add a rule to drop or block any TCP segment where the “URG-flag” is set.
  2. Take the suggested actions for the products in the table below:
Product Catalog Numbers Suggested Actions
CompactLogix™ 5480 (EPIC Controller) 5069-L4 Upgrade to firmware version 32.013 (Download) or later.
Compact 5000™ I/O EtherNet/IP Adapter 5069-AEN2TR Will not be patched. Suggested action is to migrate to the 5069-AENTR.
ControlLogix EtherNet/IP Module 1756-EN2TSC/A
1756-EN2TSC/B		 Will not be patched as it has been discontinued.
ControlLogix EtherNet/IP Module 1756-EN2T/D
1756-EN2TP/A
1756-EN2TR/B
1756-EN2TR/C
1756-EN2F/C
1756-EN4TR		 Upgrade to firmware version 11.002 (Download) or later.
(1756-EN4TR only) Upgrade to firmware version 3.001 (Download) or later.
ControlLogix 5580 1756-L8 Upgrade to firmware version 30.015 (Download) or version 31.013 (Download) or version 32.013 (Download) or later.
GuardLogix 5580 1756-L8S Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later.
CompactLogix 5380
 5069-L3 Upgrade to firmware version 30.015 (Download) version 31.013 (Download) or version 32.013 (Download) or later.
Compact GuardLogix 5380 5069-L3S2 Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later.
CompactLogix 5370 1769-L3
1769-L2
1769-L1		 Upgrade to firmware version 32.013 (Download) or later.
CompactLogix GuardLogix 5370 1769-L3S Upgrade to firmware version 28.015 (Download) or version 32.013 (Download) or later.
1783-NATR, Network Address Translation Route 1783-NATR Upgrade to firmware version 1.005 (Download) or later.
Kinetix® 6200 Servo Multi-axis Drives 2094-SE02F-M00-Sx Upgrade to firmware version 1.050 (Download) or later.
Kinetix® 6500 Servo Multi-axis Drives 2094-EN02D-M01-Sx Upgrade to firmware version 3.005 (Download) or later.
SLC 500 EtherNet/IP Adapter 1747-AENTR Upgrade to firmware version 2.003 (Download) or later.
CompactLogix E/IP Adapter 1769-AENTR Upgrade to firmware version 1.002 (Download) or later.

General Security Guidelines

  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222, Port# 44818, Port #80, and Port #161 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation products, see Knowledgebase Article ID 898270.
  • Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Please recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

PN1575 | Interniche Vulnerabilities present in Rockwell Automation Products – “INFRA:HALT” (CVE-2020-25767, CVE-2020-35684, CVE-2020-35685, CVE-2021-31400, CVE-2021-36762, CVE-2020-25926, CVE-2021-31226, CVE-2021-31401, CVE-2021-31228, CVE-2020-25928, CVE-2020-25927, CVE-2021-31227, CVE-2020-27565, CVE-2020-35683)

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 9, 2021

Executive Summary

Rockwell Automation received a report from CERT/CC with research done by Forescout Technologies and Vdoo regarding fourteen vulnerabilities in the products listed below. If successfully exploited, these vulnerabilities may result in the products faulting and/or ceasing communications, requiring the power to be cycled to the product to recover.

Customers using affected versions of these products are encouraged to evaluate the following mitigations provided below and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided below.

Affected Products

20-COMM-ER All Versions
ArmorStart 28xE All Versions
1715-AENTR All Versions
AADvance Safety Controller All Versions
AADvance Eurocard Controllers All Versions

Vulnerability Details

CVE-2020-25767: Malformed DNS Response could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to form a malformed response to a DNS request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-25928: Malformed DNS Response could cause a device to fault due to a heap overflow.

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed DNS response, which would result in a heap-buffer overflow resulting in a possible information leak, remote code execution, or the device to fault and/or cease communications requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 9.8/10 [CRITICAL]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CVE-2020-25927: Malformed DNS Response could cause a device to fault.

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed DNS response, which would result in an Out-of-Bounds read resulting in a device fault and/or cessation of communications requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 8.2/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H


CVE-2020-25926: Insufficiently randomized transaction IDs could facilitate DNS cache poisoning attacks

A REMOTE, UNAUTHENTICATED attacker may be able to poison the DNS cache of the device due to transaction IDs not being properly randomized.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 4.0/10 [MEDIUM]
Researcher CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N


CVE-2020-27565: Malformed HTTP request could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-35683: Malformed ICMP packet could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed ICMP packet, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-35684: Malformed ICMP packet could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed ICMP packet, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-35685: TCP connections may be hikjacked due to an insufficiently random source

A REMOTE, UNAUTHENTICATED attacker may be able to hijack a TCP connection and spoof the device’s network connections.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31400: Malformed TCP segment could cause device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed TCP segment, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31401: Malformed TCP header could cause device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed TCP header, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31226: Malformed HTTP POST request could cause device to fault or bypass authentication

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP Post request, which would result in the device faulting and/or ceasing communications and requiring a power cycle, or possibly bypassing an authentication attempt.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 9.1/10 [CRITICAL]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H


CVE-2021-31227: Malformed HTTP POST request could cause device to fault by overwriting memory

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP Post request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31228: Non-random source port could lead to a spoofed DNS response

A REMOTE, UNAUTHENTICATED attacker may be able to spoof a DNS response, which would result in the device communicating with a potentially malicious server.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 4.0/10 [MEDIUM]
Researcher CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N


CVE-2021-36762: TFTP packet processing function does not ensure that the filename is null-terminated

Rockwell Automation is not impacted by this vulnerability

Risk Mitigation & User Action

Customers using the affected firmware are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.
Product Vulnerability Mitigation
20-COMM-ER CVE-2021-31226
CVE-2021-31227		 Disable the webserver.
See the product’s user manual for the procedure to do this.

General Security Guidelines

  • Use proper network infrastructure controls, such as firewalls, to help confirm that DNS traffic from unauthorized sources is blocked.
  • Block traffic to port 80 (HTTP) and ICMP traffic using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

PN1571 | MicroLogix 1100 Persistent CPU Fault Vulnerability (CVE-2021-33012)

Revision History
Revision Number
1.0
Revision History

Version 1.0 – July 9, 2021. Initial Release

Executive Summary

Rockwell Automation received a report from Beau Taub at Bayshore Networks regarding a vulnerability in the MicroLogix 1100. If successfully exploited, this vulnerability may limit the availability of the programmable logic controller. Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • MicroLogix 1100, all versions.

Vulnerability Details

CVE-2021-33012: Persistent fault may lead to denial of service conditions.

A vulnerability exists in the MicroLogix 1100 that may allow a remote, unauthenticated attacker to cause a persistent fault condition. This condition will prevent the PLC from entering a RUN state which cannot be fixed by resetting the device. If successfully exploited, this vulnerability will cause the controller to fault when the controller is switched to RUN mode.

CVSS v3.1 Base Score: 8.6 /10 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected firmware are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Vulnerability

Suggested Actions

CVE-2021-33012

Put the controller mode switch to “Run” mode. Customer’s should consider migrating to a more contemporary controller.
Customers are encouraged to have a backup copy of the project in the case it is necessary to recover from an event.

A controller in this state can be recovered by downloading a new project to the controller or an offline copy of the project.

Additionally, Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines on how to use Rockwell Automation products to improve the security of their industrial automation systems.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

  • Use proper network infrastructure controls, such as firewalls, to help confirm that EtherNet/IP™ network traffic from unauthorized sources are blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

PN1569 | FactoryTalk Security Remote Desktop Connection ‘Computer Name’ Policy Bypass Vulnerability (CVE-2021-32960)