Loading

Rockwell Automation Security Advisories

We investigate all internally and externally reported security issues and publish security advisories for all validated security vulnerabilities. These advisories allow our customers and partners to assess the impact of the vulnerabilities and take appropriate action.
Have a Security Concern? SIGN UP FOR ALERTS VULNERABILITY POLICY

Welcome to the new Rockwell Automation Security Advisory portal. Click here to read more about our security advisory initiative.

We recently relocated all security advisories to this public-facing Security Advisory Portal, which is part of Rockwell Automation’s Trust Center. In the past, our security advisories were stored in the Rockwell Automation Knowledgebase and required authentication to obtain access. This new portal gives customers and partners easier access to advisories, which enables them to better manage the security posture of Rockwell Automation solutions.

Our new Security Advisory Portal includes search and filter functionality, enabling customers to more easily find advisories on their products. Security advisories now include Common Security Advisory Framework 2.0 (CSAF) content, a standard that supports automated security advisory ingestion and helps customers intake vulnerability management data faster. Our security advisories also include Known Exploited Vulnerability (KEV) data. The US Cybersecurity & Infrastructure Security Agency (CISA) maintains the authoritative source of vulnerabilities exploited in the wild and lists exploited vulnerabilities in the (KEV) catalog. We strongly encourage customers to use this information to prioritize remediation efforts within their vulnerability management processes.

These changes support our commitment to security and transparency. The legacy Industrial Security Advisory Index page in the Knowledgebase will remain accessible through mid-2024 to allow customers time to transition to the new portal. Customers will continue to receive email alerts based on their subscription preferences and can subscribe for alerts using the link on the Security Advisory portal.
Sort & Filter
CloseClose
CloseClose

Filter & Refine

Showing
-
of
Results
SearchSearch
Sort By
Published Date
Last Updated Date
CVSS Score
SearchSearch
Product
SearchSearch
Known Exploited Vulnerability (KEV)
Corrected
Workaround
Products Affected
SearchSearch
Filter Results
Showing
-
of
Results
High
SD1729 | Arena® Simulation Out-Of-Bounds Write Remote Code Execution Vulnerability
Published Date:
July 09, 2025
Last Updated:
July 09, 2025
CVE IDs:
CVE-2025-6377 , CVE-2025-6376
Products:
Arena®
CVSS Scores (v3.1):
7.0, 7.8
CVSS Scores (v4.0):
8.4, 7.1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 7/9/2025
Last Updated: 7/9/2025
Revision Number: 1.0
CVSS Score: 7.1/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected  Product

CVE

First Known in Software Version

Corrected in Software Version

Software - Arena®

CVE-2025-6377

16.20.08 and earlier

16.20.09 and later

Software - Arena®

CVE-2025-6376

16.20.08 and earlier

16.20.09 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerability. The vulnerability was reported by Zero Day Initiative (ZDI).

CVE-2025-6377 IMPACT

A remote code execution security issue exists in the affected product. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P.

ZDI CVSS Score

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4

CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

Rockwell CVSS Score:

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

CVE-2025-6376 IMPACT 

A remote code execution security issue exists in the affected product. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P.

 

ZDI CVSS Score

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4

CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

Rockwell CVSS Score

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE: CWE-20 Improper Input Validation 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied. 

·         Security Best Practices

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Glossary

DOE File: A DOE file, or Design of Experiments file, is a document used to plan and organize an experiment efficiently. It helps in systematically arranging tests and analyzing the effects of multiple factors and their interactions on a response variable.

Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Critical
SD1728 | Apache Vulnerability in FactoryTalk® Historian-ThingWorx Connection Server
Published Date:
May 14, 2025
Last Updated:
May 14, 2025
CVE IDs:
CVE-2018-1285
CVSS Scores (v3.1):
9.8
CVSS Scores (v4.0):
9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 5/15/2025

Last updated: 5/15/2025

Revision Number: 1.0

 

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

95057C-FTHTWXCT11

<= v4.02.00

v5.00.00 and later

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2018-1285

A vulnerability has been identified in the third-party Apache log4net software, impacting the FactoryTalk® Historian-ThingWorx Connector. This issue arises because versions of Apache log4net prior to 2.0.10 fail to disable XML external entities during the parsing of log4net configuration files. Consequently, a threat actor could exploit this to launch XX-based attacks on applications that accept malicious log4net configuration files.

 

CVSS 3.1 Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: no

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Update to the corrected version if possible. Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

·         Security Best Practices

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

 

High
SD1727 | Local Privilege Escalation and denial-of-service Vulnerability in ThinManager®
Published Date:
April 15, 2025
Last Updated:
April 23, 2025
CVE IDs:
CVE-2025-3617 , CVE-2025-3618
CVSS Scores (v3.1):
7.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

First Known in Software Version

Corrected in Software Version

Software - ThinManager

CVE-2025-3617

14.0.0 & 14.0.1

v14.0.2 and later

Software - ThinManager

CVE-2025-3618

v14.0.1 and earlier

v11.2.11, 12.0.9, 12.1.10, 13.0.7, 13.1.5, 13.2.4, 14.0.2 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Zero Day Initiative (ZDI).

CVE-2025-3617 IMPACT

A privilege escalation vulnerability exists in the affected product. When the software starts up, files are deleted in the temporary folder causing the Access Control Entry of the directory to inherit permissions from the parent directory. If exploited, a threat actor could inherit elevated privileges.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 276 - Incorrect Default Permissions
Known Exploited Vulnerability (KEV) database: No

CVE-2025-3618 IMPACT

A denial-of-service vulnerability exists in the affected product. The software fails to adequately verify the outcome of memory allocation while processing Type 18 messages. If exploited, a threat actor could cause a denial-of-service on the target software.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE:  119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1726 | Local Code Execution Vulnerabilities in Arena®
Published Date:
April 07, 2025
Last Updated:
April 07, 2025
CVE IDs:
CVE-2025-2285, CVE-2025-2286, CVE-2025-2287, CVE-2025-2288, CVE-2025-2293, CVE-2025-2829, CVE-2025-3285, CVE-2025-3286, CVE-2025-3287, CVE-2025-3288, CVE-2025-3289
CVSS Scores (v3.1):
7.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 4/8/2025

Last updated: 4/8/2025

Revision Number: 1.0

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

Arena®

16.20.08 and earlier

16.20.09

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Michael Heinzl.

CVE-2025-2285

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE- 457 Uninitialized Variable

 

CVE-2025-2286

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE- 457 Uninitialized Variable

 

 

CVE-2025-2287

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE- 457 Uninitialized Variable

 

CVE-2025-2288

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data.   If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector:CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE 787 - Out of Bounds Write

 

CVE-2025-2293

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is result of improper validation of user-supplied data.   If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE 787 - Out of Bounds Write

 

CVE-2025-2829

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data.   If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE 787 - Out of Bounds Write

 

CVE-2025-3285

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE-125 Out of Bounds Read

 

CVE-2025-3286

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE-125 Out of Bounds Read

 

CVE-2025-3287

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE-125 Out of Bounds Read

 

CVE-2025-3288

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is result of improper validation of user-supplied data.  If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE-125 Out of Bounds Read

 

 

CVE-2025-3289

A local code execution vulnerability exists in the affected products due to a stack-based memory buffer overflow. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  No

CWE: CWE 121 – Stack-based Buffer Overflow

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

·         Security Best Practices

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

 

High
SD1725 | Third-party Local Code Execution Vulnerability in 440G TLS-Z
Published Date:
March 24, 2025
Last Updated:
March 24, 2025
CVE IDs:
CVE-2020-27212
Products:
440G TLS-Z
CVSS Scores (v3.1):
7.0
CVSS Scores (v4.0):
7.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

Published Date: 3/25/2025

Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Versions

Corrected in Software Version

440G TLS-Z

v6.001

n/a – see mitigations

 

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Limit physical access to authorized personnel: Control room, cells/areas, control panels, and devices. See Chapter 4, Harden the Control System of System Security Design Guidelines

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE 2020-27212 IMPACT

A local code execution vulnerability exists in the STMicroelectronics STM32L4 devices due to having incorrect access controls. The affected product utilizes the STMicroelectronics STM32L4 device and because of the vulnerability, a threat actor could reverse protections that control access to the JTAG interface. If exploited, a threat actor can take over the device.

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE:1395-Dependency of a third-party Component & CWE 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

 

CPE: cpe:2.3:h:st:stm32l431rc:-:*:*:*:*:*:*:*


Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical
SD1724 | Lifecycle Services with Veeam Backup and Replication are Vulnerable to third-party Vulnerabilities
Published Date:
March 21, 2025
Last Updated:
March 21, 2025
CVE IDs:
CVE-2025-23120
CVSS Scores (v3.1):
9.9
CVSS Scores (v4.0):
9.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

Lifecycle Services with Veeam Backup and Replication are Vulnerable to third-party Vulnerabilities

Published Date: 03/21/25

Last updated: 03/27/25

Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Versions

Corrected in Software Revision

Industrial Data Center (IDC) with Veeam

Generations 1 – 5

Refer to Remediation and Workarounds

VersaVirtual™ Appliance (VVA) with Veeam

Series A - C

Refer to Remediation and Workarounds

REMEDIATIONS AND WORKAROUNDS

Users with an active Rockwell Automation Infrastructure Managed Service contract:

Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts. 

Users without Rockwell Automation managed services contract, refer to Veeam’s advisories below:

·         Support Content Notification - Support Portal – Veeam support portal

·         https://www.veeam.com/kb4724

Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

·         Security Best Practices

 

VULNERABILITY DETAILS

Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-23120

A remote code execution vulnerability exists in Veeam Backup & Replication, which the affected products use. Exploitation of the vulnerability can allow a threat actor to execute code on the target system.

CVSS 3.1 Base Score: 9.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database:   No

 

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

Critical
SD1723 | Admin Shell Access Vulnerability in Verve Asset Manager
Published Date:
March 20, 2025
Last Updated:
March 20, 2025
CVE IDs:
CVE-2025-1449
CVSS Scores (v3.1):
9.1
CVSS Scores (v4.0):
8.9
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 3/25/25

Revision Number: 1.0

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

Affected Version(s)

 

 

 

 

Corrected in Software Revision 

 

 

 

 

Verve Asset Manager 

 

 

 

 

<=1.39

 

 

 

 

V1.40

 

 

 

VULNERABILITY DETAILS 

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-1449 IMPACT

A vulnerability exists in the affected product due to insufficient variable sanitizing. A portion of the administrative web interface for Verve's Legacy Agentless Device Inventory (ADI) capability (deprecated since the 1.36 release) allows users to change a variable with inadequate sanitizing. If exploited, it could allow a threat actor with administrative access to run arbitrary commands in the context of the container running the service. 

CVSS Base Score v3.1: 9.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

 

CVSS Base Score v4.0: 8.9

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE: CWE-1287: Improper Validation of Specified Type of Input

 

Known Exploited Vulnerability (KEV) database:  No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

 

Mitigations and Workarounds 

Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

Critical
SD1722 | Lifecycle Services with VMware are Vulnerable to third-party Vulnerabilities
Published Date:
March 07, 2025
Last Updated:
March 07, 2025
CVE IDs:
CVE-2025-22224, CVE-2025-22225, CVE-2025-22226
CVSS Scores (v3.1):
9.3, 8.2, 7.1
CVSS Scores (v4.0):
9.4, 9.3, 8..2
Known Exploited Vulnerability (KEV):
Yes
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency and to improve their business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Versions

Corrected in software version

Industrial Data Center (IDC) with VMware

Generations 1 – 4

Refer to Mitigations and Workarounds

VersaVirtual™ Appliance (VVA) with VMware

Series A & B

Refer to Mitigations and Workarounds

Threat Detection Managed Services (TDMS) with VMware

All

Refer to Mitigations and Workarounds

 

Endpoint Protection Service with RA Proxy & VMware only

All

Refer to Mitigations and Workarounds

 

Engineered and Integrated Solutions with VMware 

All

Refer to Broadcom’s advisory

 

 

Remediations and Workarounds

Users with an active Rockwell Automation Infrastructure Managed Service contract or Threat Detection Managed Service contract:

Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts.

Users without Rockwell Automation managed services contract, refer to Broadcom’s advisories below:

·         Support Content Notification - Support Portal - Broadcom support portal

·         https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u3d-release-notes.html

·         https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u2d-release-notes.html

·         https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-70u3s-release-notes.html

Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

·         Security Best Practices

 

VULNERABILITY DETAILS

Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-22224

A Time of Check Time of use (TOCTOU) vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with local administrative privileges to execute code as the virtual machine's VMX process running on the host.

CVSS 3.1 Base Score: 9.3

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database:  Yes

 

CVE-2025-22225

A code execution vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with privileges within the VMX process trigger an arbitrary kernel write, leading to an escape of the sandbox.

CVSS 3.1 Base Score: 8.2

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

 

CVSS 4.0 Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database:  Yes

 

CVE-2025-22226

An out of bounds vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with administrative privileges to leak memory from the vmx process. 

CVSS 3.1 Base Score: 7.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

 

CVSS 4.0 Base Score: 8.2

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Known Exploited Vulnerability (KEV) database:  Yes

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

 

Critical
SD1721 | FactoryTalk® AssetCentre Multiple Vulnerabilities
Published Date:
January 29, 2025
Last Updated:
January 29, 2025
CVE IDs:
CVE-2025-0477 , CVE-2025-0497, CVE-2025-0498
CVSS Scores (v3.1):
9.8, 7.0, 7.8
CVSS Scores (v4.0):
9.3, 7.3, 7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

Affected Versions

Corrected Version

FactoryTalk® AssetCentre

CVE-2025-0477

All prior to V15.00.001


V15.00.01 and later

CVE-2025-0497

V11, V12, and V13 (patch available)

V15.00.01 and later

CVE-2025-0498


V11, V12, and V13 (patch available)

V15.00.01 and later

 

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

For CVE-2025-0477:

o   Update FactoryTalk® AssetCentre to v15.00.01 or later.

o   The encrypted data is stored in a table in the database. Control access to the database by non-essential users.

For CVE-2025-0497

o   Update FactoryTalk® AssetCentre to v15.00.01 or later.

o   Apply patches to correct legacy versions:

§  To apply the patch for LogCleanUp or ArchiveLogCleanUp download and install the Rockwell Automation January 2025 Monthly Patch rollup, or later

§  To apply patches for EventLogAttachmentExtractor or ArchiveExtractor, locate the article BF31148, download the patch files and follow the instructions.

o   Restrict physical access to the machine to authorized users.

For CVE-2025-0498

o   Update FactoryTalk® AssetCentre to v15.00.01 or later.

o   Apply patches to correct legacy versions:

§  To apply the patch for download and install the Rockwell Automation January 2025 Monthly Patch rollup, or later

o   Restrict physical access to the machine to authorized users.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

VULNERABILITY DETAILS

CVE-2025-0477 and CVE-2025-0497 reported to Rockwell Automation by Nestlé - Alban Avdiji. CVE-2025-0498 was found internally by Rockwell Automation during routine testing. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-0477 IMPACT

An encryption vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to a weak encryption methodology and could allow a threat actor to extract passwords belonging to other users of the application.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-326: Inadequate Encryption Strength
Known Exploited Vulnerability (KEV) database: No

CVE-2025-0497 IMPACT

A data exposure vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to storing credentials in the configuration file of EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, or ArchiveLogCleanUp packages.

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-522: Insufficiently Protected Credentials
Known Exploited Vulnerability (KEV) database: No

CVE-2025-0498 IMPACT

A data exposure vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to insecure storage of FactoryTalk® Security user tokens, which could allow a threat actor to steal a token and, impersonate another user.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-522: Insufficiently Protected Credentials
Known Exploited Vulnerability (KEV) database: No

Critical
SD1715 | Path Traversal and Third-party Vulnerability in DataMosaix™ Private Cloud
Published Date:
January 28, 2025
Last Updated:
January 28, 2025
CVE IDs:
CVE-2025-0659, CVE-2020-11656
CVSS Scores (v3.1):
5.5, 9.8
CVSS Scores (v4.0):
7.0, 9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

Affected Software Version

Corrected in Software Version

DataEdgePlatform DataMosaix™ Private Cloud

CVE-2025-0659

<=7.11

7.11.01

DataEdgePlatform DataMosaix™ Private Cloud

CVE-2020-11656 

<=7.09

7.11.01

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

 CVE-2025-0659 IMPACT

A path traversal vulnerability exists in the affected product. By specifying the character sequence in the body of the vulnerable endpoint, it is possible to overwrite files outside of the intended directory. A threat actor with admin privileges could leverage this vulnerability to overwrite reports including user projects.

CVSS 3.1 Base Score: 5.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

CWE: 200 - Exposure of Sensitive Information to an unauthorized Actor
Known Exploited Vulnerability (KEV) database: No

CVE-2020-11656 IMPACT

The affected product utilizes SQLite, which contains a use after free vulnerability in the ALTER TABLE implementation, which was demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 1395 - Dependency on Vulnerable third-party Component
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1718 | 5380/5580 Denial-of-Service Vulnerability
Published Date:
January 28, 2025
Last Updated:
January 30, 2025
CVE IDs:
CVE-2025-24478
CVSS Scores (v3.1):
6.5
CVSS Scores (v4.0):
7.1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

AFFECTED PRODUCTS AND SOLUTION

Affected Product(s)

First Known in Software Version

Corrected in Software Version

GuardLogix 5580

Compact GuardLogix 5380 SIL3

V33.011

V33.017, V34.014, V35.013, V36.011 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-24478 IMPACT

A denial-of-service vulnerability exists in the affected products. The vulnerability could allow a remote, non-privileged user to send malicious requests resulting in a major nonrecoverable fault causing a denial-of-service.

CVSS 3.1 Base Score: 6.5
CVSS 3.1 Vector:  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector:  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-755: Improper Handling of Exceptional Conditions
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Restrict Access to the task object via CIP Security and Hard Run.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical
SD1719 | FactoryTalk® View Machine Edition Multiple Vulnerabilities
Published Date:
January 28, 2025
Last Updated:
February 05, 2025
CVE IDs:
CVE-2025-24479, CVE-2025-24480
CVSS Scores (v3.1):
8.4, 9.8
CVSS Scores (v4.0):
8.6, 9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

Affected Version(s)

Corrected in Software Version

FactoryTalk® View Machine Edition

CVE-2025-24479

< V15

V15 and Patch for V12, V13, V14 (AID 1152309)

CVE-2025-24480

 

< V15

 

V15 and patch for V12, V13, V14 (AID 1152571)

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-24479 IMPACT

A Local Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to a default setting in Windows and allows access to the Command Prompt as a higher privileged user.

CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.6
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-863: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No

CVE-2025-24480 IMPACT

A Remote Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to lack of input sanitation and could allow a remote attacker to run commands or code as a high privileged user.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') & CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         CVE-2025-24479:

·         Upgrade to V15.00 or apply patch in AID 1152309

·         Control physical access to the system

·         CVE-2025-24480:

·         Upgrade to V15.00 or apply patch in AID 1152571

·         Protect network access to the device

·         Strictly constrain the parameters of invoked functions

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1720 | FactoryTalk® View Site Edition Multiple Vulnerabilities
Published Date:
January 28, 2025
Last Updated:
January 28, 2025
CVE IDs:
CVE-2025-24481, CVE-2025-24482
CVSS Scores (v3.1):
7.3
CVSS Scores (v4.0):
7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

Affected Version(s)

Corrected in Software Version

FactoryTalk® View SE

CVE-2025-24481

< V15.0

V15.0, and patch for v14 (AID 1152306)

CVE-2025-24482

< V15.0

V15.0, and patches for V12, V13, V14 (1152304)

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-24481 IMPACT

An Incorrect Permission Assignment Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect permissions being assigned to the remote debugger port and can allow for unauthenticated access to the system configuration.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

CWE-732:  Incorrect Permission Assignment for Critical Resource
Known Exploited Vulnerability (KEV) database: No

CVE-2025-24482 IMPACT

A Local Code Injection Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect default permissions and allows for DLLs to be executed with higher level permissions.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

CWE-94: Improper Control of Generation of Code ('Code Injection')
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For CVE-2025-24481:

·         Upgrade to V15 or apply patch. Answer ID 1152306

·         Protect physical access to the workstation

·         Restrict access to port 8091 at the network or workstation

·         For CVE-2025-24482:

·         Upgrade to V15 or apply patch. Answer ID 1152304.

·         Check the environment variables (PATH), and make sure FactoryTalk® View SE installation path (C:\Program Files (x86)\Common Files\Rockwell) is before all others

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1716 | KEPServer Denial-of-Service Vulnerability Found During Pwn2Own Competition
Published Date:
January 28, 2025
Last Updated:
January 28, 2025
CVE IDs:
CVE-2023-3825
Products:
KEPServer
CVSS Scores (v3.1):
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

Affected Versions

Fixed Version

KEPServer

CVE-2023-3825

6.0 - 6.14.263

6.15

VULNERABILITY DETAILS

Rockwell Automation received a report from PTC, a strategic partner of Rockwell Automation, regarding this vulnerability discovered by Security Researchers of Claroty Team82 during the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-3825 IMPACT

KEPServerEX Versions 6.0 to 6.14.263 are vulnerable to being made to read a recursively defined object that leads to uncontrolled resource consumption. KEPServerEX uses OPC UA, a protocol which defines various object types that can be nested to create complex arrays. It does not implement a check to see if such an object is recursively defined, so an attack could send a maliciously created message that the decoder would try to decode until the stack overflowed and the device crashed.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400: Uncontrolled Resource Consumption
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         NVD - CVE-2023-3825

·         PTC KEPServerEX | CISA

·         CS405439 - Security vulnerabilities identified in PTC Kepware products - November 2023

High
SD1717 | PowerFlex® 755 Credential Exposure Vulnerability
Published Date:
January 28, 2025
Last Updated:
January 28, 2025
CVE IDs:
CVE-2025-0631
Products:
PowerFlex 755
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Version(s)

Fixed Version

PowerFlex® 755

<=16.002.279

v20.3.407

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-0631 IMPACT

A Credential Exposure Vulnerability exists in the above-mentioned product and version. The vulnerability is due to using HTTP resulting in credentials being sent in clear text.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE-319: Cleartext Transmission of Sensitive Information
Known Exploited Vulnerability (KEV) database: None

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical
SD1714 | PowerMonitor™ 1000 Remote Code Execution and denial-of-service Vulnerabilities via HTTP protocol
Published Date:
December 17, 2024
Last Updated:
December 17, 2024
CVE IDs:
CVE-2024-12371 , CVE-2024-12372 , CVE-2024-12373
CVSS Scores (v3.1):
9.8, 9.8, 9.8
CVSS Scores (v4.0):
9.3, 9.3, 9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: December 17, 2024

Last updated: December 17, 2024

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, v4.0: 9.3/10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Products

Affected firmware revision

Corrected in firmware revision

PM1k 1408-BC3A-485

<4.020

4.020

PM1k 1408-BC3A-ENT

<4.020

4.020

PM1k 1408-TS3A-485

<4.020

4.020

PM1k 1408-TS3A-ENT

<4.020

4.020

PM1k 1408-EM3A-485

<4.020

4.020

PM1k 1408-EM3A-ENT

<4.020

4.020

PM1k 1408-TR1A-485

<4.020

4.020

PM1k 1408-TR2A-485

<4.020

4.020

PM1k 1408-EM1A-485

<4.020

4.020

PM1k 1408-EM2A-485

<4.020

4.020

PM1k 1408-TR1A-ENT

<4.020

4.020

PM1k 1408-TR2A-ENT

<4.020

4.020

PM1k 1408-EM1A-ENT

<4.020

4.020

PM1k 1408-EM2A-ENT

<4.020

4.020

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities. The following vulnerabilites were reported by Vera Mens of Claroty Research - Team82. 

 

CVE-2024-12371 IMPACT

A device takeover vulnerability exists in the affected product. This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that can perform edit operations, creating admin users and performing factory reset.

CVSS 3.1 Base Score: 9.8/10 

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

CSVV 4.0 Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE-420: Unprotected Alternate Channel

 

CVE-2024-12372 IMPACT

A denial-of-service and possible remote code execution vulnerability exists in the affected product. The vulnerability results in corruption of the heap memory which may compromise the integrity of the system, potentially allowing for remote code execution or a denial-of-service attack.

CVSS 3.1 Base Score: 9.8/10  

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

CSVV 4.0 Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE-122: Heap-based Buffer Overflows

 

CVE-2024-12373 IMPACT

A denial-of-service vulnerability exists in the affected product. The vulnerability results in a buffer-overflow, potentially causing denial-of-service.

CVSS 3.1 Base Score: 9.8/10  

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

CSVV 4.0 Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Known Exploited Vulnerability (KEV) database: No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

Mitigations and Workarounds

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

·       Security Best Practices

High
SD1713 | Multiple Code Execution Vulnerabilities in Arena®
Published Date:
December 04, 2024
Last Updated:
December 19, 2024
CVE IDs:
CVE-2024-11155 , CVE-2024-11156 , CVE-2024-11158 , CVE-2024 -12130 , CVE-2024-11157, CVE-2024-12672, CVE-2024-11364, CVE-2024-12175
CVSS Scores (v3.1):
7.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

Revision Number: 2

CVSS Score: v3.1: 7.8, v4.0 8.5

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

Affected Software Version

Corrected in Software Version

Software - Arena

 

CVE-2024-11155

All versions 16.20.00 and prior

V16.20.06 and later

CVE-2044-11156

 

All versions 16.20.03 and prior

V16.20.06 and later

CVE-2024-11158

 

All versions 16.20.00 and prior

V16.20.06 and later

CVE-2024 -12130

All versions 16.20.05 and prior

V16.20.06 and later

 

CVE-2024-11157

 

All versions 16.20.06 and prior

V16.20.07 and later

 

CVE-2024-12175

 

All versions 16.20.06 and prior

V16.20.07 and later

Software – Arena® 32 bit

CVE-2024-12672

 

All versions 16.20.07 and prior

n/a – see mitigations

CVE-2024-11364

 

All versions 16.20.06 and prior

V16.20.07 and later 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by ZDI (Zero Day Initiative).

CVE-2024-11155 IMPACT

A “use after free”  code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-416 Use After Free

Known Exploited Vulnerability (KEV) database: No

CVE-2024-11156 IMPACT

An “out of bounds write”  code execution vulnerability exists in the affected products that could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-787 Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-11158 IMPACT

An “uninitialized variable”  code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to access a variable before it being initialized. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-665 Improper Initialization

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-12130 IMPACT

An “out of bounds read” code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to read beyond the boundaries of an allocated memory. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-11157

A third-party vulnerability exists in the affected products that could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.  

CVSS 3.1 Base Score: 7.8 

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5 
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-787 Out-of-bounds Write  
Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-12672

A third-party vulnerability exists in the affected products that could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor. 

CVSS 3.1 Base Score: 7.8 

CVSS 3.1 Vector:  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5 
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-1395 Dependency on third-party Component

Known Exploited Vulnerability (KEV) database: No 

 

CVE-2024-11364

Another “uninitialized variable” code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to access a variable prior to it being initialized. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-1395 Dependency on third-party Component

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-12175

Another “use after free” code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-416 Use After Free

Known Exploited Vulnerability (KEV) database: No

 

Mitigations and Workarounds
Customers using the affected software are encouraged to apply these risk mitigations, if possible.

  •       Do not load untrusted Arena® model files.
  •       Hold the control key down when loading files to help prevent the VBA file stream from loading.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1712 | Third Party Remote Code Execution Vulnerability in Verve Reporting
Published Date:
November 14, 2024
Last Updated:
November 14, 2024
CVE IDs:
CVE-2024-37287
CVSS Scores (v3.1):
7.2
CVSS Scores (v4.0):
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

Published Date: 11/14/24

Last updated: 11/14/24

Revision Number: 1.0

CVSS Score: v3.1: 6.8/10, v4.0: 8.4/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product Affected Version(s) Corrected in Software Revision
Verve Reporting <v1.39 V1.39

VULNERABILITY DETAILS 

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2024-37287 IMPACT

Verve Reporting utilizes Kibana which contains a remote code execution vulnerability that allows an attacker with access to ML and Alerting connecting features as well as write access to internal ML to trigger a prototype pollution vulnerability, which can ultimately lead to arbitrary code execution. The code execution is limited to the container.

CVSS Base Score v3.1: 7.2/10

CVSS Vector CVSS: 3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 8.6/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Mitigations and Workarounds 

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability. 

  1. Restrict Access to Built-in Verve Account
    • Access to the built-in "verve" account should be limited to only administrators who need to perform administrative functions and should only be used for administrative purposes. Separate accounts should be used for day-to-day functions.
    • Change the password for the built-in "verve" account if it has been shared.
  2. Restrict Privileges for Other Accounts
    • Verve Reporting comes with built-in roles to simplify the delegation of user permissions. Assigning a user the following two roles will allow them access to most Verve Reporting features (excluding user administration), but will not give them permission to execute this vulnerability.
      • all-all
      • feature-all-all
  3. Disable Machine Learning
    • Machine learning can be disabled in the Elasticsearch configuration override. Contact Verve support for assistance if needed.
      1. Connect to the Reporting server via SSH or terminal.
      2. Copy the Elasticsearch configuration override to the working directory.
        1. docker exec $(docker ps --filter "name=Reporting_elasticsearch" --format "{{ .ID }}") cat /usr/share/elasticsearch/config-templates/elasticsearch.override.yml > elasticsearch.override.yml
      3. Add the following line and save.
        1. xpack.ml.enabled: false
      4. Disable Verve Reporting from the Verve Software Manager.
      5. Update the Elasticsearch configuration override.
        1. docker config rm elasticsearchymloverride 
          docker config create elasticsearchymloverride ./elasticsearch.override.yml
      6. Enable Verve Reporting from the Verve Software Manager and confirm that the application starts and "Machine Learning" is no longer listed in the main navigation bar under Analytics.
      7. Delete the copy of the Elasticsearch configuration override. 
        1. rm elasticsearch.override.yml

 

High
SD1711 | Input Validation Vulnerability exists in Arena® Input Analyzer
Published Date:
November 14, 2024
Last Updated:
November 13, 2024
CVE IDs:
CVE-2024-6068
Products:
Arena® Input Analyzer
CVSS Scores (v3.1):
7.3
CVSS Scores (v4.0):
7.0
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 11/14/2024

Revision Number: 1.0

CVSS Score: 3.1: 7.3/10, 4.0: 7.0/10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Software Version

Corrected in Software Version

Arena® Input Analyzer


16.20.03 and prior

16.20.04

VULNERABILITY DETAILS

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6068 IMPACT

A memory corruption vulnerability exists in the affected products when parsing DFT files.  Local threat actors can exploit this issue to disclose information and to execute arbitrary code. To exploit this vulnerability a legitimate user must open a malicious DFT file.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector:  CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE 1284 Improper Validation of Specified Quantity in Input
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·       For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

High
SD1709 | FactoryTalk View ME Remote Code Execution Vulnerability via Project Save Path
Published Date:
November 12, 2024
Last Updated:
November 12, 2024
CVE IDs:
CVE-2024-37365
Products:
FactoryTalk View Machine Edition
CVSS Scores (v3.1):
7.3
CVSS Scores (v4.0):
7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

Published Date: November 12th, 2024

Last updated: November 12th, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.3/10, v4.0: 7.0/10

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve our customer’s business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Software Revision

Corrected in Software Revision

FactoryTalk View ME

>= V14; when using default folders privileges

V15

 

Mitigations and Workarounds

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

·         To enhance security and prevent unauthorized modifications to HMI project files, harden the Windows OS by removing the INTERACTIVE group from the folder’s security properties.

·         Add specific users or user groups and assign their permissions to this folder using the least privileges principle. Users with read-only permission can still test run and run the FactoryTalk View ME Station.

·         Guidance can be found in FactoryTalk View ME v14 Help topic: “HMI projects folder settings”. It can be opened through FactoryTalk View ME Studio menu “help\Contents\FactoryTalk View ME Help\Create a Machine Edition application->Open applications->HMI project folder settings”.   Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-37365 IMPACT

A remote code execution vulnerability exists in the affected product. The vulnerability allows users to save projects within the public directory allowing anyone with local access to modify and/or delete files. Additionally, a malicious user could potentially leverage this vulnerability to escalate their privileges by changing the macro to execute arbitrary code.

CVSS 3.1 Base Score: 7.3/10 

CVSS Vector: CVSS: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

Critical
SD1710 | FactoryTalk® Updater Multiple Vulnerabilities
Published Date:
November 12, 2024
Last Updated:
November 12, 2024
CVE IDs:
CVE-2024-10943, CVE-2024-10944, CVE-2024-10945
Products:
FactoryTalk Updater
CVSS Scores (v3.1):
9.1, 8.4, 7.3
CVSS Scores (v4.0):
9.1, 7.1, 7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

Published Date: 11/12/2024
Last Updated: 11/12/2024
Revision Number: 1.0
CVSS Score: Multiple, see below

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

First Known in Software Version

Corrected in Software Version

 

FactoryTalk® Updater – Web Client

 

CVE-2024-10943

v4.00.00

v4.20.00

 

FactoryTalk® Updater – Client

 

CVE-2024-10944

All version

V4.20.00

 

FactoryTalk® Updater – Agent

 

CVE-2024-10945

All version

 

V4.20.00

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-10943 IMPACT

An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.

CVSS 3.1 Base Score: 9.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 9.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE:  CWE-922: Insecure Storage of Sensitive Information
Known Exploited Vulnerability (KEV) database: No

CVE-2024-10944 IMPACT

A Remote Code Execution vulnerability exists in the affected product. The vulnerability requires a high level of permissions and exists due to improper input validation resulting in the possibility of a malicious Updated Agent being deployed.

CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

CWE:  CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Control access to the server where FactoryTalk® Updater is running.

·         Click the ‘Scan’ button, which will update the database

CVE-2024-10945 IMPACT

A Local Privilege Escalation vulnerability exists in the affected product. The vulnerability requires a local, low privileged threat actor to replace certain files during update and exists due to a failure to perform proper security checks before installation.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-358: Improperly Implemented Security Check for Standard
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical
SD1708 | ThinManager® Multiple Vulnerabilities
Published Date:
October 25, 2024
Last Updated:
October 25, 2024
CVE IDs:
CVE-2024-10386, CVE-2024-10387
Products:
FactoryTalk ThinManager
CVSS Scores (v3.1):
9.8, 7.5
CVSS Scores (v4.0):
9.3, 8.7
Revision Number:
1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

ThinManager® Multiple Vulnerabilities

Published Date: 10/25/2024 
Last Updated: 10/25/2024 
Revision Number: 1.0 
CVSS Score: Multiple, see below

AFFECTED PRODUCTS AND SOLUTION

Affected Product Affected Version(s) Corrected Version(s)
ThinManager® 

11.2.0-11.2.9

12.0.0-12.0.7

12.1.0-12.1.8

13.0.0-13.0.5

13.1.0-13.1.3

13.2.0-13.2.2

14.0.0

 

11.2.10 

12.0.8 

12.1.9 

13.0.6

13.1.4

13.2.3

14.0.1

Available here: ThinManager Downloads | ThinManager ®

 

VULNERABILITY DETAILS

The security of our products is important to us as your chosen industrial automation supplier. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. These vulnerabilities were discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2024-10386 IMPACT

An authentication vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in database manipulation.

CVSS 3.1 Base Score: 9.8 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-306: Missing Authentication for Critical Function 
Known Exploited Vulnerability (KEV) database: No

CVE-2024-10387 IMPACT

A Denial-of-Service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in Denial-of-Service.

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-125: Out-of-bounds Read 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply these risk mitigations, if possible.

  • If able, navigate to the ThinManager® download site and upgrade to a corrected version of ThinManager® .

  • Implement network hardening for ThinManager® Device(s) by limiting communications to TCP 2031 to only the devices that require connection to the ThinManager® .

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High
SD1707 | ControlLogix Vulnerable to Denial of Service via CIP Messages
Published Date:
October 10, 2024
Last Updated:
October 10, 2024
CVE IDs:
CVE-2024-6207
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: October 10, 2024 
Last updated: October 10, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5, v4.0: 8.7 
 

AFFECTED PRODUCTS AND SOLUTION

Affected Product
 First Known in firmware revision Corrected in firmware revision
ControlLogix® 5580 V28.011 V33.017, V34.014, V35.013, V36.011 and later
ControlLogix® 5580 Process V33.011 V33.017, V34.014, V35.013, V36.011 and later
GuardLogix 5580 V31.011  V33.017, V34.014, V35.013, V36.011 and later
CompactLogix 5380 V28.011  V33.017, V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380 SIL 2 V31.011 V33.017, V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380 SIL 3 V32.013 V33.017, V34.014, V35.013, V36.011 and later
CompactLogix 5480 V32.011 V33.017, V34.014, V35.013, V36.011 and later
FactoryTalk® Logix Echo  V33.011 V34.014, V35.013, V36.011 and later

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerability was reported to Rockwell Automation by Trevor Flynn.

CVE-2024-6207 IMPACT

A denial-of-service vulnerability exists in the affected products that will cause the device to result in a major nonrecoverable fault (MNRF) when it receives an invalid CIP request. To exploit this vulnerability a malicious user must chain this exploits with CVE 2021-22681 and send a specially crafted CIP message to the device.  If exploited, a threat actor could help prevent access to the legitimate user and end connections to connected devices including the workstation.  To recover the controllers, a download is required which ends any process that the controller is running. 

CVSS Base Score v3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 

 

CVSS Base Score v4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation

 

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

Mitigations and Workarounds 

Users using the affected software are also encouraged to apply security best practices to minimize the risk of vulnerability. 

 

 ADDITIONAL RESOURCES

High
SD1705 | PowerFlex 6000T CIP Security denial-of-service Vulnerability
Published Date:
October 07, 2024
Last Updated:
October 07, 2024
CVE IDs:
CVE-2024-9124
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 10/8/2024

Last Updated: 10/8/2024 

Revision Number: 1.0 
CVSS Score: 8.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product
 Affected Software Version Corrected in Software Version
Drives - PowerFlex 6000T 8.001, 8.002, 9.001 10.001

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-9124 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 6000T. If the device is overloaded with requests, it will become unavailable. The device may require a power cycle to recover it if it does not re-establish a connection after it stops receiving requests. 

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.2 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE:  Improper Check for Unusual or Exceptional Conditions 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

High
SD1706 | Logix Controllers Vulnerable to Denial-of-Service Vulnerability
Published Date:
October 07, 2024
Last Updated:
October 10, 2024
CVE IDs:
CVE-2024-8626
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Revision Number:
2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Logix Controllers Vulnerable to Denial-of-Service Vulnerability

Published Date: October 8, 2024

Last updated:  October 10, 2024

Revision Number: 2.0

CVSS Score: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
CompactLogix 5380 controllers v33.011<

  • v33.015 and later for versions 33

  • v34.011 and later
Compact GuardLogix® 5380 controllers v33.011<
CompactLogix 5480 controllers v33.011<
ControlLogix 5580 controllers v33.011<
GuardLogix 5580 controllers v33.011<
1756-EN4TR v3.002

  • 4.001 and later

Mitigations and Workarounds 

Customers using the affected versions are encouraged to upgrade to corrected firmware versions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. 

VULNERABILITY DETAILS

CVE-2024-8626 IMPACT

Due to a memory leak, a denial-of-service vulnerability exists in the affected products. A malicious actor could exploit this vulnerability by performing multiple actions on certain web pages of the product causing the affected products to become fully unavailable and require a power cycle to recover. 

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  

CVSS Base Score: 7.5/10 (high) 

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score: 8.7/10 (high)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: 400 – Uncontrolled Resource Consumption 

ADDITIONAL RESOURCES

Medium
SD1704 | Improper Authorization Vulnerability in Verve® Asset Manager
Published Date:
October 04, 2024
Last Updated:
October 04, 2024
CVE IDs:
CVE-2024-9412
CVSS Scores (v3.1):
6.8
CVSS Scores (v4.0):
8.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 10/8/24

Last updated: 10/8/24

Revision Number: 1.0

CVSS Score: v3.1: 6.8, v4.0: 8.4

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

Affected Versions

 

 

 

 

Corrected in software version

 

 

 

 

Verve® Asset Manager 

 

 

 

 

All versions < 1.38

 

 

 

 

V1.38

 

 

 

VULNERABILITY DETAILS 

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

 

 CVE-2024-9412 IMPACT

An improper authorization vulnerability exists in the affected products that could allow an unauthorized user to sign in. While removal of all role mappings is unlikely, it could occur in the case of unexpected or accidental removal by the administrator. If exploited, an unauthorized user could access data they previously but should no longer have access to.  

 

CVSS Base Score v3.1: 6.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

 

CVSS Base Score v4.0: 8.4/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-842: Placement of User into Incorrect Group 

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

Mitigations and Workarounds 

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.  

  • The presence of any mappings will help prevent this vulnerability from being exploited. If all mappings must be removed, manually removing previously mapped users is an effective workaround.

 

 ADDITIONAL RESOURCES

·       JSON CVE-2024-9412

 

Critical
SD1703 | DataMosaix™ Private Cloud third-party Vulnerabilities
Published Date:
October 04, 2024
Last Updated:
October 04, 2024
CVE IDs:
CVE-2019-14855, CVE-2019-17543, CVE-2019-18276, CVE-2019-19244, CVE-2019-989, CVE-2019-9923
CVSS Scores (v3.1):
7.5, 8.1, 7.8, 7.5, 9.8, 7.5
CVSS Scores (v4.0):
9.3, 8.7, 9.3, 8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 10/8/24

Revision Number: 1.0

CVSS Score: 3.1: 7.5, 8.1, 7.8, 9.8 4.0: 8.7, 9.3

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product Affected Product Affected Versions

DataEdgePlatform

DataMosaix™ Private Cloud <=7.07 v7.09

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities.

CVE-2019-14855 IMPACT

The affected product utilizes GnuPG which contains a certificate signature vulnerability found in the SHA-1 algorithm. A threat actor could use this weakness to create forged certificate signatures. If exploited, a malicious user could view customer data.

CVSS 3.1 Base Score: 7.5 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-17543 IMPACT

The affected product utilizes LZ4 which contains a heap-based buffer overflow vulnerability in versions before 1.9.2 (related to LZ4_compress_destSize), that affects applications that call LZ4_compress_fast with a large input. This issue can also lead to data corruption. NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 8.1 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-18276 IMPACT

The affected product utilizes shell.c which contains a vulnerability in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. A threat actor with command execution in the shell can use "enable -f" for runtime loading to gain privileges. If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 7.8 CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-19244 IMPACT

The affected product utilizes SQLite 3.30.1 which contains a vulnerability in sqlite3Select in select.c that allows a crash if a subselect uses both DISTINCT and window functions and has certain ORDER BY usage. If exploited, a malicious actor could perform a denial-of-service, which would require the use to restart the software to recover it.

CVSS 3.1 Base Score: 7.5 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-9893 IMPACT

The affected product utilizes libseccomp, which contains a vulnerability in versions 2.4.0 and earlier that does not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE). This vulnerability could lead to bypassing seccomp filters and potential privilege escalations. If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 9.8 CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-9923 IMPACT

The affected product utilizes GNU Tar, which contains a vulnerability in pax_decode_header in sparse.c in versions before 1.32. pax_decode_header has a NULL pointer dereference when parsing certain archives that have malformed extended headers. If exploited, a malicious actor could perform a denial-of-service, which would require the use to restart the software to recover it.

CVSS 3.1 Base Score: 7.5 CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

 

 

High
SD1702 | Sensitive Data Exposure and Escalating Privileges Vulnerabilities in DataMosaix™ Private Cloud
Published Date:
October 04, 2024
Last Updated:
October 04, 2024
CVE IDs:
CVE-2024-7952, CVE-2024-7953, CVE-2024-7956
CVSS Scores (v3.1):
7.5, 8.8, 8.1
CVSS Scores (v4.0):
7.5, 8.7, 7.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 10/8/24 

Revision Number: 1.0 
CVSS Score: v3.1: 7.5, 8.8 v4.0: 8.7

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product
 Affected Versions 
 Corrected in Software Version
DataEdgePlatform DataMosaix™ Private Cloud <=7.07 v7.09

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7952 IMPACT

A data exposure vulnerability exists in the affected product. There are hardcoded links in the source code that lead to JSON files that can be reached without authentication. If exploited, a threat actor could view customer data. 

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE:  Exposure of Sensitive Information to an unauthorized Actor 
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7953 IMPACT

 
A vulnerability exists in the affected products that allows a threat actor to create a project and become the administrator for it. If exploited, a threat actor could create, modify, and delete their own project. 

CVSS 3.1 Base Score: 8.8 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.7 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  Missing Authorization 
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7956 IMPACT 

A vulnerability exists in the affected products that allows a threat actor to gain access to user’s projects. To exploit this vulnerability the threat actor must have basic user privileges. If exploited, the threat actor can modify and delete the project. 

CVSS 3.1 Base Score: 8.1 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 7.6 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE:  Incorrect Authorization 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

High
SD1701 | RSLogix™ 5 and RSLogix 500® Remote Code Execution Via VBA Embedded Script
Published Date:
September 16, 2024
Last Updated:
October 14, 2024
CVE IDs:
CVE-2024-7847
CVSS Scores (v3.1):
7.7
CVSS Scores (v4.0):
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

Published Date: September 19, 2024

Last updated:  September 19, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.7/10, v4.0: 8.8/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected software version

Corrected in software version

RSLogix 500®

All

n/a

RSLogix™ Micro Developer and Starter

All

n/a

RSLogix™ 5

 All
 n/a

 

Mitigations and Workarounds 

Users using the affected software are encouraged to apply the following mitigations and security best practices, where possible. 

·       Deny the execution feature in FactoryTalk® Administration Console, when not needed, by navigating to “Policies”, selecting ‘”Enable/Disable VBA”, and then checking the “Deny” box to block VBA code execution.

·       Save project files in a Trusted® location where only administrators can modify it and verify file integrity.

·       Utilize the VBA editor protection feature, which locks the VBA code from viewing and editing by setting a password.

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82. 

A feature in the affected products enables users to prepare a project file with an embedded VBA script and can be configured to run once the project file has been opened without user intervention.  This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution. Connected devices may also be impacted by exploitation of this vulnerability.

CVE-2024-7847 IMPACT

CVSS Base Score 3.1: 7.7/10

CVSS Vector String 3.1: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS Base Score 4.0: 8.8/10

CVSS Vector String 4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE: CWE-345 (Insufficient verification of data authenticity)

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.     

High
SD1699 | 5015-U8IHFT Denial-of-Service Vulnerability via CIP Message
Published Date:
September 12, 2024
Last Updated:
November 11, 2024
CVE IDs:
CVE-2024-45825
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

 Affected Software Versions

Corrected in Software Version

5015-U8IHFT

V1.011 and V1.012

V2.011

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45825 IMPACT

A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Block communication to CIP class 883 if it is not required

·         Block communication to CIP class 67 if it is not required

·         Enforce proper network segmentation and routing controls

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2024-45825

Critical
SD1698 | FactoryTalk® Batch View™ Authentication Bypass Vulnerability via shared secrets
Published Date:
September 12, 2024
Last Updated:
November 11, 2024
CVE IDs:
CVE-2024-45823
CVSS Scores (v3.1):
8.1
CVSS Scores (v4.0):
9.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 8.1/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

 Affected Software Versions

Corrected in Software Version

FactoryTalk® Batch View™

2.01.00

3.00.00

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45823 IMPACT

An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.

CVSS 3.1 Base Score: 8.1
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2024-45823

High
SD1700 | ThinManager® Code Execution Vulnerability
Published Date:
September 12, 2024
Last Updated:
November 11, 2024
CVE IDs:
CVE-2024-45826
CVSS Scores (v3.1):
6.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 6.8/10, v4.0: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Software Versions

Corrected in Software Version

ThinManager®

V13.1.0 - 13.1.2

V13.2.0 - 13.2.1

V13.1.3

V13.2.2

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45826 IMPACT

Due to improper input validation, a path traversal and remote code execution vulnerability exists when the ThinManager® processes a crafted POST request. If exploited, a user can install an executable file.

CVSS 3.1 Base Score: 6.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-610: Externally Controlled Reference to a Resource in Another Sphere
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2024-45826

High
SD1697 | AADvance® Trusted® SIS Workstation contains multiple 7-ZIP Vulnerabilities
Published Date:
September 12, 2024
Last Updated:
November 11, 2024
CVE IDs:
CVE-2023-31102, CVE-2023-40481
CVSS Scores (v3.1):
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.8/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Software Versions

Corrected in Software Version

AADvance® Trusted® SIS Workstation

2.00.01 and earlier

2.00.02

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-31102 IMPACT

A vulnerability exists which could allow remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability because the target must visit a malicious page or open a malicious file.

The specific vulnerability exists in the analysis of 7Z files. The problem results from the lack of proper validation of user-supplied data, which can lead to an integer underflow before writing to memory. A threat actor can exploit this vulnerability to execute code in the context of the current process.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE:  CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

CVE-2023-40481 IMPACT

 A SquashFS File Parsing Out-Of-Bounds Write Remote Code Execution exists in 7-Zip that allows remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is also required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file.

The specific vulnerability arises during the analysis of SQFS files due to the lack of proper validation of user-supplied data. This can cause a write operation to exceed the end of an allocated buffer. A threat actor can exploit this vulnerability to execute code in the context of the current process.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE:  CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Do not archive or restore projects from unknown sources.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2023-31102

·         JSON CVE-2023-40481

Critical
SD1696 | FactoryTalk® View Site Edition Remote Code Execution Vulnerability via Lack of Input Validation
Published Date:
September 12, 2024
Last Updated:
November 13, 2024
CVE IDs:
CVE-2024-45824
CVSS Scores (v3.1):
9.8
CVSS Scores (v4.0):
9.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Software Versions

Corrected in Software Version

FactoryTalk® View Site Edition

V12.0, V13.0, V14.0

Patches available here

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45824 IMPACT

A remote code vulnerability exists in the affected products. The vulnerability occurs when chained with Path Traversal, Command Injection, and XSS Vulnerabilities and allows for full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-77: Improper Neutralization of Special Elements used in a Command
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Navigate to the following link and apply patches, directions are on the link page

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2024-45824

High
SD1695 | Incorrect Privileges and Path Traversal Vulnerability in Pavilion8®
Published Date:
September 11, 2024
Last Updated:
October 16, 2024
CVE IDs:
CVE-2024-7960 , CVE-2024-7961
CVSS Scores (v3.1):
7.6, 7.2
CVSS Scores (v4.0):
8.8, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 9/12/24 
Revision Number: 1.0 
CVSS Score: 3.1: 7.6, 7.2 4.0: 8.8, 7.6 

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments. 

AFFECTED PRODUCTS AND SOLUTION 

Affected Product  Affected Software Version  Corrected in Software Version 
Pavilion8®            <V5.20  V6.0 and later  

 

VULNERABILITY DETAILS 

Rockwell Automation used the latest versions of the CVSS scoring system to assess the vulnerabilities. 

CVE-2024-7960 IMPACT 

The affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not.  

CVSS 3.1 Base Score: 7.6 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 

CVSS 4.0 Base Score: 8.8 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N 

CWE:  Improper Privilege Management 
Known Exploited Vulnerability (KEV) database: No 

CVE-2024-7961 IMPACT 

A path traversal vulnerability exists in the affected product.  If exploited, the threat actor could upload arbitrary files to the server that could result in a remote code execution.   

CVSS 3.1 Base Score: 7.2 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 

CVSS 4.0 Base Score: 8.6 
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N 

CWE:  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 
Known Exploited Vulnerability (KEV) database: No 

Mitigations and Workarounds 
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization. 

ADDITIONAL RESOURCES 

High
SD1694 | OptixPanel™ Privilege Escalation Vulnerability via File Permissions
Published Date:
September 10, 2024
Last Updated:
November 13, 2024
CVE IDs:
CVE-2024-8533
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
7.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 9/12/2024

Last Updated: 9/12/2024 

Revision Number: 1.0 
CVSS Score: v3.1: 7.5/10, v4.0: 7.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

First Known in Software Version

 

 

 

 

Corrected in Software Version

 

 

 

 

2800C OptixPanel™ Compact

 

 

 

 

4.0.0.325

 

 

 

 

4.0.2.116

 

 

 

 

2800S OptixPanel™ Standard

 

 

 

 

4.0.0.350

 

 

 

 

4.0.2.123

 

 

 

 

Embedded Edge Compute Module

 

 

 

 

4.0.0.347

 

 

 

 

4.0.2.106

 

 

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-8533 IMPACT

A privilege escalation vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing users to exfiltrate credentials and escalate privileges.

CVSS 3.1 Base Score: 7.5 
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.7 
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-269: Improper Privilege Management 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply security best practices

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

 

High
SD1693 | ControlLogix/GuardLogix 5580 and CompactLogix/Compact GuardLogix® 5380 Vulnerable to DoS vulnerability via CIP
Published Date:
September 10, 2024
Last Updated:
November 13, 2024
CVE IDs:
CVE-2024-6077
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 9/12/2024

Updated Date: 9/12/2024 

Revision Number: 1.0

CVSS: v3.1: 7.4, 4.0: 8.3

 

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Family 

 

 

 

 

First Known in Software/Firmware Version

 

 

 

 

Corrected in Software/Firmware Version

 

 

 

 

CompactLogix 5380

 

 

 

 

 

 

 

v.32 .011

 

 

 

 

v33.017, v34.014, v35.013, v36.011 and later

 

 

 

 

CompactLogix 5380 Process 

 

 

 

 

v.33.011

 

 

 

 

v33.017, v34.014, v35.013, v36.011 and later

 

 

 

 

Compact GuardLogix 5380 SIL 2 

 

 

 

 

v.32.013

 

 

 

 

v33.017, v34.014, v35.013, v36.011 and later

 

 

 

 

Compact GuardLogix 5380 SIL 3 

 

 

 

 

v.32.011

 

 

 

 

v33.017, v34.014, v35.013, v36.011 and later

 

 

 

 

CompactLogix 5480 

 

 

 

 

v.32.011

 

 

 

 

v33.017, v34.014, v35.013, v36.011 and later

 

 

 

 

ControlLogix® 5580 

 

 

 

 

v.32.011

 

 

 

 

v33.017, v34.014, v35.013, v36.011 and later

 

 

 

 

ControlLogix® 5580 Process 

 

 

 

 

v.33.011

 

 

 

 

v33.017, v34.014, v35.013, v36.011 and later

 

 

 

 

GuardLogix 5580 

 

 

 

 

v.32.011

 

 

 

 

v33.017, v34.014, v35.013, v36.011 and later

 

 

 

 

1756-EN4

 

 

 

 

v2.001

 

 

 

 

v6.001 and later

 

 

 

VULNERABILITY DETAILS

 Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6077 IMPACT

A denial-of-service vulnerability exists in the affected products when specially crafted packets are sent to the CIP Security Object. If exploited the device will become unavailable and require a factory reset to recover. 

CVSS Base Score: 7.5 
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score: 8.7 
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N 
CWE-20:  Improper Input Validation 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers who are unable to upgrade to the corrected software versions are encouraged to apply the following risk mitigations. 

  • Users who do not wish to use CIP security can disable the feature per device. See "Disable CIP Security" in Chapter 2 of "CIP Security with Rockwell Automation Products" (publication SECURE-AT001)

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

    JSON CVE-2024-6077

Critical
SD1692 | ThinManager® ThinServer™ Information Disclosure and Remote Code Execution Vulnerabilities
Published Date:
August 21, 2024
Last Updated:
November 19, 2024
CVE IDs:
CVE-2024-7986, CVE 2024-7987, CVE 2024 -7988
CVSS Scores (v3.1):
5.5, 7.8, 9.8
CVSS Scores (v4.0):
6.8, 8.5, 9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 8/22/24

Last updated: 8/22/24

Revision Number: 1.0

CVSS Score: v3.1: 5.5, 7.8, 9.8, v4.0: 6.8, 8.5, 9.3

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

ThinManager® ThinServer™

11.1.0-11.1.7
11.2.0-11.2.8
12.0.0-12.0.6
12.1.0-12.1.7
13.0.0-13.0.4
13.1.0-13.1.2
13.2.0-13.2.1

11.1.8

11.2.9

12.0.7

12.1.8

13.0.5

13.1.3

13.2.2

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Nicholas Zubrisky of Trend Micro Security Research.

CVE-2024-7986 IMPACT

A vulnerability exists in the affected products that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer™ service to read arbitrary files by creating a junction that points to the target directory.

CVSS Base Score v3.1: 5.5/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS Base Score v4.0: 6.8/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE: CWE-269 Improper Privilege Management

Known Exploited Vulnerability (KEV) database:  No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

CVE-2024-7987 IMPACT

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. To exploit this vulnerability and a threat actor must abuse the ThinServer™ service by creating a junction and use it to upload arbitrary files.

CVSS Base Score v3.1: 7.8/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 8.5/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-732: Incorrect Permission Assignment for Critical Resource

 

CVE-2024-7988 IMPACT

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. This vulnerability exists due to the lack of proper data input validation, which allows files to be overwritten.

CVSS Base Score v3.1: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation

Mitigations and Workarounds

Customers using the affected software are encouraged to implement our suggested security best practices to minimize the risk of vulnerability.

·       Security Best Practices

 ADDITIONAL RESOURCES

·       JSON CVE-2024-7986

·       JSON CVE 2024-7987

·       JSON CVE 2024 -7988

High
SD1689 | AADvance® Standalone OPC-DA Server Code Execution Vulnerability via Vulnerable Component
Published Date:
August 13, 2024
Last Updated:
November 19, 2024
CVE IDs:
CVE-2018-1285, CVE-2006-0743
CVSS Scores (v3.1):
7.5, 5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: August 13, 2024 
Last updated: August 13, 2024

Revision Number: 1.0

CVSS Score: Please see below

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.  

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Software Version

Corrected in Software Version

AADvance® Standalone OPC-DA Server

v2.01.510

v2.02 and later

VULNERABILITY DETAILS

CVE IMPACT

An arbitrary code execution vulnerability exists in the affected product. The vulnerability occurs due to a vulnerable component, Log4Net v1.2, which has multiple vulnerabilities listed below:

  • CVE-2018-1285, CVSS score 7.5 - log4net config file does not disable XML external entities
    • CVSS Base Score: 7.5
    • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 
    • CWE-20:  Improper Input Validation 
    • Known Exploited Vulnerability (KEV) database: None
  • CVE-2006-0743, CVSS score 5.3 - format string vulnerability in log4net
    • CVSS Base Score: 5.3 
    • CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 
    • CWE-134:  Use of Externally Controlled Format String
    • Known Exploited Vulnerability (KEV) database: None

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.  

High
SD1687 | Authentication Bypass Vulnerability in DataMosaix™
Published Date:
August 13, 2024
Last Updated:
November 20, 2024
CVE IDs:
CVE-2024-6078
CVSS Scores (v3.1):
9.1
CVSS Scores (v4.0):
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 8/13/2024

Updated Date: 8/13/2024 
Revision Number: 1.0

CVSS: v3.1: 9.1, v4.0: 8.6 

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product First Known in Software Version Corrected in Software Version
DataMosaix™ Private Cloud

V7.07 <

v7.09 or later 

 

Mitigations and Workarounds

  • Customers using the affected software are encouraged to upgrade the DataMosaix™ Private Cloud software from V7.07 to V7.09. The application support team will work with respective customers to upgrade. 

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

VULNERABILITY DETAIL

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6078 IMPACT

An improper authentication vulnerability exists in the affected product, which could allow a malicious user to generate cookies for any user ID without the use of a username or password. If exploited, a malicious user could take over the account of a legitimate user. The malicious user would be able to view and modify data stored in the cloud. 

CVSS Base Score: 9.1  
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS Base Score: 8.6 
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N 
CWE-287:  Improper Authentication 
Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

High
SD1686 | ControlLogix/GuardLogix 5580 and CompactLogix/Compact GuardLogix® 5380 Controller Denial-of-Service Vulnerability via Input Validation
Published Date:
August 13, 2024
Last Updated:
November 19, 2024
CVE IDs:
CVE-2024-7515
CVSS Scores (v3.1):
8.6
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

Published Date: August 13, 2024 
Last updated: September 13, 2024

Revision Number: 2.0

September 13, 2024 - Updated Affected Product and Solutions Table

CVSS Score: v3.1 8.6/10, v4.0 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product First Known in firmware revision Corrected in firmware revision

CompactLogix 5380

v28.011

v34.014, v35.013, v36.011 and later

ControlLogix 5580

v28.011

 v34.014, v35.013, v36.011 and later

GuardLogix 5580

v31.011

v34.014, v35.013, v36.011 and later

Compact GuardLogix 5380 SIL2

v31.011

v34.014, v35.013, v36.011 and later

Compact GuardLogix 5380 SIL3

V32.013

v34.014, v35.013, v36.011 and later

CompactLogix 5480 

V32.011

v34.014, v35.013, v36.011 and later

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply the following risk mitigations, if possible:

  • If PTP messages are not used, block at the network level, port UDP 319/320

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7515 IMPACT

A denial-of-service vulnerability exists in the affected products. A malformed PTP management packet can cause a major nonrecoverable fault in the controller.

CVSS 3.1 Base Score: 8.6 
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-20:  Improper Input Validation

Known Exploited Vulnerability (KEV) database: None

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization. 

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.  

High
SD1688 | FactoryTalk® View Site Edition Code Execution Vulnerability via File Permissions
Published Date:
August 13, 2024
Last Updated:
November 19, 2024
CVE IDs:
CVE-2024-7513
CVSS Scores (v3.1):
8.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

Published Date: 8/13/2024 
Last Updated: 8/27/2024 
Revision Number: 2
CVSS Score: v3.1: 8.8/10, v4.0: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product
 First Known in Software Version
 Corrected in Software Version
FactoryTalk® View SE

13.0

N/A

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply security best practices, if possible.

  • By default, all HMI server projects are saved in the HMI projects folder on the HMI server computer located at C:\Users\Public\Documents\RSView Enterprise\SE\HMI projects. To enhance security and prevent unauthorized modifications to these projects, you can tighten the Windows folder's security settings on the HMI server computer by following these steps:
    • Remove the INTERACTIVE group from the folder’s security properties.
    • Add specific users or user groups and assign their permissions to this folder as needed.
    • If you assign read-only permission to those users or user groups, they can only view and will not be able to write to project files. Users with read-only permission can still test run and run the FactoryTalk® View SE client.

  • In Version 14: Open FactoryTalk® View Studio -> Help -> FactoryTalk® View SE Help -> In the Help file -> Security -> “HMI projects folder”

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization. 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7513 IMPACT

A code execution vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing any user to edit or replace files, which are executed by account with elevated permissions.

CVSS 3.1 Base Score: 8.8 
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5 
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-732: Incorrect Permission Assignment for Critical Resource 
Known Exploited Vulnerability (KEV) database: No

ADDITIONAL RESOURCES

High
SD1690 | GuardLogix/ControlLogix 5580 Controller denial-of-service Vulnerability via Malformed Packet Handling
Published Date:
August 13, 2024
Last Updated:
September 13, 2024
CVE IDs:
CVE-2024-40619
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: August 13, 2024 
Last updated: September 13, 2024

Revision Number: 2..0

September 13th, 2024 – Updated “Corrected in Firmware Versions”

CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.  

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Firmware Version

Corrected in Firmware Version

ControlLogix® 5580

v34.011

v34.014, v35.011 and later

GuardLogix 5580

v34.011

v34.014, v35.011 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.  

CVE-2024-40619 IMPACT

A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.

CVSS 3.1 Base Score: 7.5 
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N 

CWE-754:  Improper Check for Unusual or Exceptional Conditions 

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities. 

High
SD1691 | Pavilion8® Unencrypted Data Vulnerability via HTTP protocol
Published Date:
August 13, 2024
Last Updated:
November 13, 2024
CVE IDs:
CVE-2024-40620
CVSS Scores (v3.1):
7.4
CVSS Scores (v4.0):
5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: August 13, 2024 
Last updated: August 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.4/10, v4.0: 5.3/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product First Known in software version Corrected in software revision
Pavilion8® v5.20 v6.0

Mitigations and Workarounds 

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

  • Interactions between the Console and Dashboard take place on the same machine, the machine should exist behind a firewall and physical access should be limited to authorized personnel.

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities. 

CVE-2024-40620 IMPACT

A vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data's confidentiality.

CVSS 3.1 Base Score: 7.4/10  

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CSVV 4.0 Base Score: 5.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CWE-311: Missing Encryption of Sensitive Data

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

Medium
SD1684 | Micro850/870 Vulnerable to denial-of-service Vulnerability via CIP/Modbus Port
Published Date:
August 12, 2024
Last Updated:
October 16, 2024
CVE IDs:
CVE 2024 7567
CVSS Scores (v3.1):
5.3
CVSS Scores (v4.0):
6.9
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Micro850/870 Vulnerable to denial-of-service Vulnerability via CIP/Modbus Port

Published Date: 8/13/24

Last Updated: 8/13/2024

Revision Number: 1.0

CVSS Score: v3.1: 5.3/10, v4.0: 6.9/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments. 

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Software Version

Corrected in Software Version

PLC - Micro850/870 (2080 -L50E/2080 -L70E)

v20.011

v22.011

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7567 IMPACT

A denial-of-service vulnerability exists via the CIP/Modbus port in the affected products. If exploited, the CIP/Modbus communication may be disrupted for short duration.

CVSS Base Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS Base Score: 6.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CWE: CWE-400: Uncontrolled Resource Consumption


Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply security best practices, if possible.

·       For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·       CVE-2024-7567

Medium
SD1683 | DLL Hijacking Vulnerability Exists in Emulate3D™
Published Date:
August 12, 2024
Last Updated:
November 19, 2024
CVE IDs:
CVE-2024-6079
CVSS Scores (v3.1):
6.7
CVSS Scores (v4.0):
5.4
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date 8/13/2024

Updated Date: 8/13/2024

Revision Number: 1.0

CVSS: v3.1: 6.7 , 4.0: 5.4

 

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Software Version

Corrected in Software Version

 Emulate3D™

 17.00.00.13276

17.00.00.13348

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6079 IMPACT

A vulnerability exists in the affected product, which could be leveraged to execute a DLL Hijacking attack. The application loads shared libraries, which are readable and writable by any user. If exploited, a malicious user could leverage a malicious dll and perform a remote code execution attack.

CVSS Base Score: 6.7
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS Base Score: 5.4
CVSS Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N


CWE-610:  Externally Controlled Reference to a Resource in Another Sphere
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the following risk mitigations , if possible:

·       Update to the corrected software version, 17.00.00.13348.

·       For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

·       JSON CVE-2024-6079

High
SD1682 | Chassis Restrictions Bypass Vulnerability in Select Logix Devices
Published Date:
July 31, 2024
Last Updated:
October 16, 2024
CVE IDs:
CVE-2024-6242
CVSS Scores (v3.1):
8.4
CVSS Scores (v4.0):
7.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

Published Date: August 1, 2024

Last updated: August 29th, 2024 

Revision Number: 2.0

    August 29, 2024 - Updated Affected Products and Solution Chart  for 1756-EN2T, 1756-EN2F, 1756-EN2TR, 1756-EN3TR

CVSS Score: 3.1: 8.4/10, 4.0:/8.5

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Firmware Revision

Corrected in Firmware Revision

ControlLogix® 5580 (1756-L8z)

V28

 V32.016, V33.015, V34.014,
V35.011 and later

GuardLogix® 5580  (1756-L8zS)

V31

V32.016, V33.015, V34.014,
V35.011 and later

1756-EN4TR

V2

V5.001 and later

1756-EN2T , Series A/B/C

1756-EN2F, Series A/B

1756-EN2TR, Series A/B

1756-EN3TR, Series A

v5.007(unsigned)/v5.027(signed)

No fix for Series A/B/C. Upgrade to Series D.

No fix for Series A/B. Upgrade to Series C.

No fix for Series A/B. Upgrade to Series C.

No fix for Series A. Upgrade to Series B.

1756-EN2T, Series D

1756-EN2F, Series C

1756-EN2TR, Series C

1756-EN3TR, Series B

1756-EN2TP, Series A

1756-EN2T/D: V10.006

1756-EN2F/C: V10.009

1756-EN2TR/C: V10.007

1756-EN3TR/B: V10.007

1756-EN2TP/A: V10.020

V12.001  and later

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. Claroty reported the following vulnerability. 

CVE-2024-6242 IMPACT                                                                                                                                       

A vulnerability exists in the affected products that allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller. If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.  

CVSS Base Score v3.1: 8.4/10 

CVSS Vector: CVSS:3.1 /AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H

CVSS Base Score v4.0: 7.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H

CWE-420: Unprotected Alternate Channel

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization  to generate more environment-specific prioritization.

Mitigations and Workarounds 

Users using the affected firmware and who are not able to upgrade to one of the corrected versions are encouraged to apply the following mitigation and security best practices, where possible. 

·       Limit the allowed CIP commands on controllers by setting the mode switch to the RUN position.

·       Security Best Practices

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

·       JSON CVE 2024-6242

·       System Security Design Guidelines

High
SD1681 | Privilege Escalation Vulnerability in Pavilion8®
Published Date:
July 16, 2024
Last Updated:
November 20, 2024
CVE IDs:
CVE-2024-6435
CVSS Scores (v3.1):
8.8
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: July 16, 2024 
Last updated: July 16, 2024

Revision Number: 1.0

CVSS Score: v3.1: 8.8/10, v4.0: 8.7/10

 

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

First Known in Software Version(s)

 

 

 

 

Corrected in Software Revision

 

 

 

 

Pavilion8® 

 

 

 

 

v5.15.00 
v5.15.01 
v5.16.00 
v5.17.00 
v5.17.01

 

 

v5.20.00

 

 

 

 

v6.0

 

 

 

Mitigations and Workarounds 

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.  

  • Limit access to only users who need it. 

  • Periodically review user access and privileges to confirm accuracy. 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.  

CVE-2024-6435 IMPACT

A privilege escalation vulnerability exists in the affected products which could allow a malicious user with basic privileges to access functions which should only be available to users with administrative level privileges. If exploited, an attacker could read sensitive data, and create users. For example, a malicious user with basic privileges could perform critical functions such as creating a user with elevated privileges and reading sensitive information in the “views” section.  

CVSS 3.1 Base Score: 8.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-732: Incorrect Permission Assignment for Critical Resource

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

 ADDITIONAL RESOURCES

High
SD1680 | Major nonrecoverable fault in 5015 – AENFTXT
Published Date:
July 10, 2024
Last Updated:
November 20, 2024
Products:
CVE-2024-6089
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Major nonrecoverable fault in 5015 – AENFTXT  

Published Date: 7/16/2024

Updated Date: 7/16/2024 

Revision Number: 1.0

CVSS: v3.1: 7.5, 4.0: 8.7

 

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

First Known in firmware revision

 

 

 

 

Corrected in firmware revision

 

 

 

 

5015 - AENFTXT

 

 

 

 

v2.011

 

 

 

 

v2.012

 

 

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6089 IMPACT

An input validation vulnerability exists in the affected products when a manipulated PTP packet is sent, causing the secondary adapter to result in a major nonrecoverable fault. If exploited, a power cycle is required to recover the product.  

CVSS Base Score: 8.7/10 
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Base Score: 7.5/10 
CVSS Vector: CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 
CWE-20:  Improper Input Validation 
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Update to the corrected firmware revision, v2.012.

  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

High
SD1679 | Input Validation Vulnerability exists in the SequenceManager™ Server
Published Date:
July 10, 2024
Last Updated:
September 27, 2024
CVE IDs:
CVE-2024-6436
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: July 16, 2024

Last updated: October 1, 2024

Revision Number: 2.0

October 1, 2024 - Updated CVE Number.

CVSS Score: v3.1 7.5/10, v4.0 8.7/10

 

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Software Versions

Corrected in software version

SequenceManager™

<v2.0

v2.0 or later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6436 IMPACT

An input validation vulnerability exists in the affected products which could allow a malicious user to send malformed packets to the server and cause a denial-of-service condition. If exploited, the device would become unresponsive, and a manual restart will be required for recovery. Additionally, if exploited, there could be a loss of view for the downstream equipment sequences in the controller. Users would not be able to view the status or command the equipment sequences, however the equipment sequence would continue to execute uninterrupted.

CVSS 3.1 Base Score: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N 

CWE: CWE-428: Unquoted Search Path or Element

 

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

·       Security Best Practices

 

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.     

·       JSON CVE-2024-6436

 

Medium
SD1678 | Unsecured Private Keys in FactoryTalk® System Services
Published Date:
July 02, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2024-6325 , CVE-2024-6236
CVSS Scores (v3.1):
6.5, 5.9
CVSS Scores (v4.0):
6.0, 1.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: July 11, 2024

Last updated: July 11, 2024

Revision Number: 1.0

CVSS Score: v3.1: 6.5/10, 5.9/10 ; v4.0: 6.0/10, 1.8/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Version

Corrected Version

FactoryTalk® System Services (installed via FTPM)

v6.40

V6.40.01

FactoryTalk® Policy Manager (FTPM)

v6.40

V6.40.01

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6325 IMPACT

The v6.40 release of FactoryTalk® Policy Manager allowed the private keys to be insecurely stored with read and execute privileges for the Windows group, ‘Everyone’. These keys are used to generate digital certificates and pre-shared keys. This vulnerability could allow a malicious user with access to the machine to obtain private keys. If obtained, a malicious user could impersonate resources on the secured network. For customers using FactoryTalk® Policy Manager v6.40 who mitigated CVE-2021-22681 and CVE-2022-1161 by implementing CIP security and did not update to the versions of the software that contain the remediation, this vulnerability could allow a threat actor to exploit CVE-2022-1161 and CVE-2022-1161.

CVSS Base Score v3.1: 6.5/10

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

 

CVSS Base Score v4.0: 6.0/10

CVSS Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

CWE: CWE-269 Improper Privilege Management

 

CVE-2024-6236 IMPACT

 

An exposure of sensitive information vulnerability exists in the FactoryTalk® System Service. A malicious user could exploit this vulnerability by starting a back-up or restore process, which temporarily exposes private keys, passwords, pre-shared keys, and database folders when they are temporarily copied to an interim folder. This vulnerability is due to the lack of explicit permissions set on the backup folder. If private keys are obtained by a malicious user, they could impersonate resources on the secured network.

 

CVSS Base Score v3.1: 5.9/10

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CVSS Base Score v4.0: 1.8/10

CVSS Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

CWE-269 Improper Privilege Management

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software are encouraged to implement the following steps to invalidate the existing vulnerable private keys/digital certificates and regenerate new secure ones.

·       Clear CIP Security configurations from devices and from FactoryTalk® Policy Manager

·       Update FactoryTalk® System Services and FactoryTalk® Policy Manager to v6.40.01

·       Redeploy CIP Security Policy 

Detailed steps are below (FactoryTalk System Services (FTSS) is updated through the installation of FactoryTalk Policy Manager (FTPM)

1)      Remove deployed security policy from all devices using FactoryTalk® Policy Manager (FTPM):

a.       Open FTPM.

b.       Document all Zone’s security settings and all Conduit’s settings as you must re-create them after updating FTPM.

c.       Change all devices port’s Policies > Zone values to the “Unassigned” Zone.

d.       Delete all zones and conduits.

e.       Deploy (CIP).  Ensure that all endpoints were reset successfully.

f.        [migrating from v6.40 only] Deploy (OPC UA).  Ensure all endpoints were reset successfully.

                                                               i.      For any OPC UA clients, perform whatever steps are required by those clients to remove the previously applied certificates.

g.       Close FTPM

2)      Delete the \FTSS_backup folder:

a.       c:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup

3)      Delete the \keystore folder:

a.       c:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore

4)      Delete any backup copies of the \keystore folder.  They will be named the same as the \keystore folder but with a suffix appended to it, like:

a.       c:\ProgramData\Rockwell Automation\FactoryTalk System Services\ keystore_source_2024_04_25_12_25_38_541566

5)      Delete the PSKs.json file:

a.       c:\ProgramData\Rockwell Automation\FactoryTalk System Services\PSKs.json

6)      Delete any backup copies of the PSKs.json file.  They will be named the same as the PSKs.json file but with a suffix appended to it, like:

a.       c:\ProgramData\Rockwell Automation\FactoryTalk System Services\ PSKs.json_source_2024_05_17_07_38_25_200356

7)      Install FactoryTalk® Policy Manager version 6.40.01.

a.       Restart the computer when prompted at the end of the install.

8)      Open FTPM.  FTPM will attempt to connect to the FactoryTalk® System Services web server before proceeding.

9)      If FTPM could not successfully connect to FactoryTalk® System Services (FTSS), it is because the FTSS service hasn’t started yet.  It will eventually start or else you can start the FTSS service manually in Windows Services.

10)   Re-create the original Zones.

11)   Move the devices from the unassigned Zone back to their original zones.

12)   Re-create the original Conduits.

13)   Deploy (CIP endpoints).

14)   [migrating from v6.40 only] Deploy (OPC UA endpoints).

a.       For any OPC UA client endpoints, manually apply the newly generated certificates from this deploy.

Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

·       Security Best Practices

 ADDITIONAL RESOURCES

·       JSON CVE 2024 6325

·       JSON CVE 2024 6326

 

Critical
SD1677 | ThinManager® ThinServer™ Improper Input Validation Vulnerabilities
Published Date:
June 20, 2024
Last Updated:
October 16, 2024
CVE IDs:
CVE-2024-5988 , CVE-2024-5989, CVE-2024-5990
CVSS Scores (v3.1):
9.8, 7.5
CVSS Scores (v4.0):
9.3, 8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

ThinManager® ThinServer™ Improper Input Validation Vulnerabilities

Published Date: June 25, 2024

Last updated: June 25, 2024

Revision Number: 1.0

CVSS Score: 3.1: 9.8/10, 7.5/10, 4.0: 9.3/10, 8.7 /10

 

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

First Known in software version

Corrected in software version (Available Here)

ThinManager® ThinServer™

2024-5988

2024-5989

 

 

 

 

 

11.1.0

11.2.0

12.0.0

12.1.0

13.0.0

13.1.0

13.2.0

11.1.8

11.2.9

12.0.7

12.1.8

13.0.5

13.1.3

13.2.2

2024-5990

11.1.0

11.2.0

12.0.0

12.1.0

13.0.0

13.1.0

11.1.8

11.2.9

12.0.7

12.1.8

13.0.4

13.1.2

 

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations from the list below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of vulnerability.

·       Update to the corrected software versions via the ThinManager® Downloads Site

·       Limit remote access for TCP Port 2031 to known thin clients and ThinManager® servers.

·       Security Best Practices

 

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. This vulnerability was discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2024-5988 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the affected device.  

CVSS Base Score: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

CVSS Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 20 Improper Input Validation

 

CVE-2024-5989 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a remote code execution condition on the affected device.   

CVSS Base Score: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 

CVSS Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 20 Improper Input Validation

CVE-2024-5990 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within ThinServer™ and cause a denial-of-service condition on the affected device. 

CVSS Base Score: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

CVSS Base Score: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: 20 Improper Input Validation

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

 ADDITIONAL RESOURCES

·       CVE-2024-5988 JSON

·       CVE-2024-5989 JSON

·       CVE-2024-5990 JSON

 

Critical
SD1676 | FactoryTalk® View SE v11 Information Leakage Vulnerability via Authentication Restriction
Published Date:
June 12, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2024-37368
CVSS Scores (v3.1):
9.8
CVSS Scores (v4.0):
9.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: June 13, 2024

Last updated: June 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10

 

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION 

 

 

Affected Product

 

 

 

 

First Known in software version

 

 

 

 

Corrected in software version

 

 

 

 

FactoryTalk® View SE

 

 

 

 

v11.0

 

 

 

 

v14.0

 

 

 

Mitigations and Workarounds 

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

  • It is recommended that users enforce proper access controls within the network and segment networks containing sensitive information using IPSec: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1090456

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities. 

 

CVE-2024-37368 IMPACT

A user authentication vulnerability exists in the affected product. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. Due to the lack of proper authentication, this action is allowed without proper authentication verification.

 

CVSS 3.1 Base Score: 9.8/10  

 

CSVV 4.0 Base Score: 9.2/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE-287: Improper Authentication

 

Known Exploited Vulnerability (KEV) database: No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

 

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

 

High
SD1675 | FactoryTalk® View SE v12 Information Leakage Vulnerability via Authentication Restriction
Published Date:
June 12, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2024-37367
CVSS Scores (v3.1):
9.8
CVSS Scores (v4.0):
9.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: June 13, 2024

Last updated: June 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10

 

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

First Known in software version

 

 

 

 

Corrected in software version

 

 

 

 

FactoryTalk® View SE

 

 

 

 

v12.0

 

 

 

 

V14.0 and later

 

 

 

Mitigations and Workarounds 

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

  • It is recommended that users enforce proper access controls within the network and segment networks containing sensitive information using IPSec: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1090456

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities. 

 

CVE-2024-37367 IMPACT

A user authentication vulnerability exists in the affected product. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project.  This action is allowed without proper authentication verification.

 

 

CSVV 4.0 Base Score: 8.2/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N 

CWE-287: Improper Authentication

 

Known Exploited Vulnerability (KEV) database: No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

 

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

 

High
SD1674 | FactoryTalk® View SE Local Privilege Escalation Vulnerability via Local File Permissions
Published Date:
June 12, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2024-37369
CVSS Scores (v3.1):
7.8
CVSS Scores (v4.0):
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: June 13, 2024

Last updated: June 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.8/10, v4.0: 8.5/10 

 

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

First Known in software version

 

 

 

 

Corrected in software version 

 

 

 

 

FactoryTalk® View SE

 

 

 

 

V12.0

 

 

 

 

v14

 

 

 

Mitigations and Workarounds 

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

  • Use the Secure Install option when installing FactoryTalk® Services Platform.

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities. 

 

CVE-2024-37369 IMPACT

A privilege escalation vulnerability exists in the affected product. The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system.

 

CVSS 3.1 Base Score: 7.8/10  

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

CSVV 4.0 Base Score: 8.5/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

CWE-732: Incorrect Permission Assignment for Critical Resource

 

Known Exploited Vulnerability (KEV) database: No

 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

 

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.    

High
SD1673 | Multicast Request Causes major nonrecoverable fault on Select Controllers
Published Date:
June 12, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE 2024-5659
CVSS Scores (v3.1):
7.4
CVSS Scores (v4.0):
8.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

Published Date: June 11, 2024

Last updated: June 11, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.4/10, 4.0: 8.3/10

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

First Known in firmware revision

 

 

 

 

Corrected in firmware revision

 

 

 

 

ControlLogix® 5580

 

 

 

 

V34.011

 

 

 

 

V34.014, V35.013, V36.011 and later

 

 

 

 

GuardLogix 5580 

 

 

 

 

V34.011

 

 

 

 

V34.014, V35.013, V36.011 and later  

 

 

 

 

1756-EN4

 

 

 

 

V4.001

 

 

 

 

V6.001 and later

 

 

 

 

CompactLogix 5380 

 

 

 

 

V34.011

 

 

 

 

V34.014, V35.013, V36.011 and later  

 

 

 

 

Compact GuardLogix 5380

 

 

 

 

V34.011

 

 

 

 

V34.014, V35.013, V36.011 and later  

 

 

 

 

CompactLogix 5480

 

 

 

 

V34.011

 

 

 

 

V34.014, V35.013, V36.011 and later 

 

 

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

Rockwell Automation was made aware of a vulnerability that causes all affected controllers on the same network to result in a major nonrecoverable fault(MNRF/Assert). This vulnerability could be exploited by sending abnormal packets to the mDNS port If exploited, the availability of the device would be compromised.

 

CVE-2024-5659 IMPACT

CVSS Base Score v3.1: 7.4/10

CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS Base Score v4.0: 8.3/10

CVSS Vector String: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

CWE: CWE 670 – Always Incorrect Flow Implementation

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply the risk mitigations, where possible.

·       Users who do not use Automatic Policy Deployment (APD) should block mDNS port, 5353 to help prevent communication.

·       Enable CIP Security. CIP Security with Rockwell Automation Products Application Technique

·       Security Best Practices

 

 ADDITIONAL RESOURCES

·       JSON CVE 2024 - 5659

SD1672 | IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet to Protect from Cyber Threats
Published Date:
May 21, 2024
Last Updated:
December 03, 2024
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet to Protect from Cyber Threats

Due to heightened geopolitical tensions and adversarial cyber activity globally, Rockwell Automation is issuing this notice urging all customers to take IMMEDIATE action to assess whether they have devices facing the public internet and, if so, urgently remove that connectivity for devices not specifically designed for public internet connectivity.

Consistent with Rockwell Automation’s guidance for all devices not specifically designed for public internet connectivity (for example, cloud and edge offerings), users should never configure their assets to be directly connected to the public-facing internet. Removing that connectivity as a proactive step reduces attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors.

More information on attacks on public-internet-exposed assets, including information on how to identify exposed assets and disconnect them from the public internet, is available in these documents from Rockwell Automation and CISA (Cybersecurity and Infrastructure Security Agency):

In addition to disconnecting assets from the public internet or if disconnection is not feasible, Rockwell Automation also urges its customers to follow the security best practices outlined in this document: Rockwell Automation | Security Best Practices [login required].

Customers should be aware of the following related CVE’s and ensure mitigations are in place, where possible.

CVE No.

Alert Code

(ICSA)

Advisory Name and Link, URL

2021-22681

21-056-03

CISA | Rockwell Automation Logix Controllers (Update A)

https://www.cisa.gov/news-events/ics-advisories/icsa-21-056-03

2022-1159

22-090-07

CISA | Rockwell Automation Studio 5000 Logix Designer

https://www.cisa.gov/news-events/ics-advisories/icsa-22-090-07

2023-3595

23-193-01

CISA | Rockwell Automation Select Communication Modules

https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01

2023-46290

23-299-06

CISA | Rockwell Automation FactoryTalk Services Platform

https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-06

2024-21914

24-086-04

CISA | Rockwell Automation FactoryTalk View ME

https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04

2024-21915

24-046-16

CISA | Rockwell Automation FactoryTalk Service Platform

https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-16

2024-21917

24-030-06

CISA | Rockwell Automation FactoryTalk Service Platform

https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-06
High
SD1671 | FactoryTalk® Remote Access™ has Unquoted Executables
Published Date:
May 07, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-3640
CVSS Scores (v3.1):
7.7
CVSS Scores (v4.0):
7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: May 14, 2024

Last updated: May 14, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.7/10, v4.0: 7.0

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

First Known in software version

 

 

 

 

Corrected in software version

 

 

 

 

FactoryTalk® Remote Access™ (FTRA)

 

 

 

 

v13.5.0.174

 

 

 

 

V13.6  

 

 

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2024-3640 IMPACT

An unquoted executable path exists in the affected products, possibly resulting in remote code execution if exploited. While running the FTRA installer package, the executable path is not properly quoted, which could allow a threat actor to enter a malicious executable and run it as a System user. A threat actor needs admin privileges to exploit this vulnerability. 

 

CVSS Base Score v3.1: 6.5/10

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-428: Unquoted Search Path or Element

 

CVSS Base Score v4.0: 7.0/10

CVSS Vector String 4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

 

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

 

Mitigations and Workarounds 

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices below, where possible. 

 

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.     

 

 

High
SD1670 | Datalog Function within in FactoryTalk® View SE contains SQL Injection Vulnerability
Published Date:
May 07, 2024
Last Updated:
December 03, 2024
CVE IDs:
CVE-2024-4609
CVSS Scores (v3.1):
7.6
CVSS Scores (v4.0):
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

 

Published Date:  May 15, 2024

Last updated: May 22, 2024  

May 22, 2024 - Updated corrected software versions

Revision Number: 2.0

CVSS Score: v3.1: 7.6/10, v4.0 8.8/10

 

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

First Known in software version

 

 

 

 

Corrected in software version

 

 

 

 

FactoryTalk® View SE 

 

 

 

 

< 14

 

 

 

 

V11,12,13, 14  or later

 

 

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.   

A vulnerability exists in the FactoryTalk® View SE Datalog function that could allow a threat actor to inject a malicious SQL statement if the SQL database has no authentication in place or if legitimate credentials were stolen. If exploited, the attack could result in information exposure, revealing sensitive information. Additionally, a threat actor could potentially modify and delete the data in a remote database. An attack would only affect the HMI design time, not runtime.    

 

CVE-2024-4609 IMPACT

CVSS v3.1 Base Score: 7.6

CVSS Vector String: CVSS 3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 

 

CVSS v4.0 Base Score: 8.8

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

CWE: CWE-20 Improper input invalidation

 

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environmentally specific prioritization.

 

Mitigations and Workarounds 

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.  

 

 

ADDITIONAL RESOURCE

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.     

High
SD1669 | FactoryTalk® Historian SE vulnerable to AVEVA-2024-001 and AVEVA-2024-002
Published Date:
May 06, 2024
Last Updated:
November 19, 2024
CVE IDs:
CVE-2023-31274, CVE-2023-34348
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
7.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: May 9, 2024

Last updated: May 9, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.5/10, v4.0: 7.7/10

 

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

Affected Versions

 

 

 

 

Corrected in software version

 

 

 

 

FactoryTalk® Historian SE

 

 

 

 

< v9.0

 

 

 

 

v9.01 and later

 

 

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2023-31274 IMPACT

FactoryTalk® Historian SE utilizes the AVEVA PI Server, which contains a vulnerability, which could allow an unauthenticated user to cause a partial denial-of-service condition in the PI Message Subsystem of a PI Server by consuming available memory. This vulnerability exists in FactoryTalk® Historian SE versions 9.0 and earlier. Exploitation of this vulnerability could cause FactoryTalk® Historian SE to become unavailable, requiring a power cycle to recover it. 

CVSS Base Score v3.1: 7.5/10

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

CVSS Base Score v4.0: 7.7/10

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

CWE: Dependency on Vulnerable third-party Component

 

CVE-2023-34348 IMPACT

FactoryTalk® Historian SE use the AVEVA PI Server, which contains a vulnerability that could allow an unauthenticated user to remotely crash the PI Message Subsystem of a PI Server, resulting in a denial-of-service condition. This vulnerability exists in FactoryTalk® Historian SE versions 9.0 and earlier.  Exploitation of this vulnerability could cause FactoryTalk® Historian SE to become unavailable, requiring a power cycle to recover it.

CVSS Base Score v3.1: 7.5/10

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

CVSS Base Score v4.0: 7.7/10

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

CWE: Dependency on Vulnerable third-party Component

 

Known Exploited Vulnerability (KEV) database:  No

 

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

Mitigations and Workarounds 

Users using the affected software are encouraged to install FactoryTalk® Historian SE version 9.01 or higher as soon as feasible. For customers unable to upgrade to v9.0, defensive measures are available in the Rockwell article.  

Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.  

 

 ADDITIONAL RESOURCES

 

Critical
SD1668 | FactoryTalk® Production Centre Vulnerable to Apache ActiveMQ Vulnerability
Published Date:
April 18, 2024
Last Updated:
December 03, 2024
CVE IDs:
CVE-2023-4664
CVSS Scores (v3.1):
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: April, 16, 2024

Last updated: April 16, 2024

Revision Number: 1.0

CVSS Score: 9.8 /10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Software Version

Corrected in Software Version

FactoryTalk® Production Centre

10.0

11.03.00

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

 

CVE-2023-4664 IMPACT

Apache ActiveMQ, a component utilized in FactoryTalk Production Centre, is vulnerable to Remote Code Execution.  The vulnerability may allow a remote threat actor with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol. This could cause the broker to instantiate any class on the classpath. 

CVSS Base Score: 9.8

CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: 502 Deserialization of Untrusted Data

Known Exploited Vulnerability (KEV) database: Yes

Users can use Stakeholder-Specific Vulnerability Categorization to generate environment specific prioritization.

Mitigations and Workarounds

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible. 

  • ·      Update to the version that fixes the issue as detailed in this article.
  • ·       Follow the security recommendations in PN1592 for FTPC.
  • ·       Implement Security Best Practices

 ADDITIONAL RESOURCES

·       JSON CVE-2023-46604

Critical
SD1666 | ControlLogix® and GuardLogix® Vulnerable to major nonrecoverable fault due to Invalid Header Value
Published Date:
April 11, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-3493
CVSS Scores (v3.1):
8.6
CVSS Scores (v4.0):
9.2
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: April 11, 2024

Last updated: May 2, 2024

Revision Number: 2.0

May 2, 2024 - Added to products to Affected Products and Solutions section

CVSS Score:v.3.1 8.6/10, v.4.0 9.2/10

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

First Known in Firmware Revision

 

 

 

 

Corrected in Firmware Revision

 

 

 

 

ControlLogix® 5580

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011 and later

 

 

 

 

GuardLogix 5580

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011 and later

 

 

 

 

CompactLogix 5380

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011 and later

 

 

 

 

Compact GuardLogix 5380

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011 and later

 

 

 

 

1756-EN4TR

 

 

 

 

V5.001

 

 

 

 

V6.001 and later

 

 

 

 

ControlLogix 5580 Process

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011 and later

 

 

 

 

CompactLogix 5380 Process

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011and later

 

 

 

 

CompactLogix 5480

 

 

 

 

V35.011

 

 

 

 

V35.013, V36.011 and later

 

 

VULNERABILITY DETAILS  

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2024-3493 IMPACT

 A specific malformed fragmented packet type (fragmented packets may be generated automatically by devices that send large amounts of data) can cause a major nonrecoverable fault (MNRF). If exploited, the affected product will become unavailable and require a manual restart to recover it. Additionally, an MNRF could result in a loss of view and/or control of connected devices. 

CVSS Base Score: 8.6/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

 

CVSS Base Score: 9.2/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

CWE: Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

 

Mitigations and Workarounds  

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.  

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.     

SD1667 | Input/output Device Vulnerable to Major Nonrecoverable Fault
Published Date:
April 11, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-2424
Products:
5015-AENFTXT
CVSS Scores (v3.1):
7.5
CVSS Scores (v4.0):
8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: April 11, 2024

Last updated: April 17, 2024

Revision Number: 2.0

    4/17/24 - Updated Affected Products and Solutions 

CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

 

AFFECTED PRODUCTS AND SOLUTION

 

 

Affected Product

 

 

 

 

First Known in firmware version

 

 

 

 

Corrected in firmware version

 

 

 

 

5015-AENFTXT

 

 

 

 

  v2.011

 

 

 

 

v2.012 and later

 

 

 

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. 

CVE-2024-2424 IMPACT

An input validation vulnerability exists among the affected products that causes the secondary adapter to result in a major nonrecoverable fault (MNRF) when malicious input is entered. If exploited, the availability of the device will be impacted, and a manual restart is required. Additionally, a malformed PTP packet is needed to exploit this vulnerability.  

 

CVSS 3.1 Base Score: 7.5/10 

CVSS Vector: CVSS: 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

CVSS 4.0 Base Score: 8.7/10

CVSS Vector: CVSS: 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N 

CWE: Improper Input Validation

 

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds 

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.  

 ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.  

 

High
SD1665 | Arena® Simulation Vulnerabilities
Published Date:
March 26, 2024
Last Updated:
October 16, 2024
CVE IDs:
CVE-2024-21912, CVE-2024-21913, CVE-2024-2929, CVE-2024-21918, CVE-2024-21919, CVE-2024-21920
Products:
Arena® Simulation Software
CVSS Scores (v3.1):
7.8, 4.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Arena® Simulation Vulnerabilities
Published Date: March 26, 2024
Last updated: March 26, 2024
Revision Number: 1.0
CVSS Score: 7.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

First Known in Software Version

Corrected in Software Version

Arena® Simulation Software

CVE-2024-21912

16.00

16.20.03

CVE-2024-21913

CVE-2024-2929

CVE-2024-21918

CVE-2024-21919

CVE-2024-21920

16.00
  • This issue is within the Microsoft dynamic library link file and will not be remediated.  
  • Do not open untrusted files from unknown sources to mitigate the issue

VULNERABILITY DETAILS

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl.  Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

 

CVE-2024-21912 IMPACT

An arbitrary code execution vulnerability could let a malicious user insert unauthorized code into the software. This is done by writing beyond the designated memory area, which causes an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-21913 IMPACT

A heap-based memory buffer overflow vulnerability could potentially allow a malicious user to insert unauthorized code into the software by overstepping the memory boundaries, which triggers an access violation.  Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-122: Heap-based Buffer Overflow

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-2929 IMPACT

A memory corruption vulnerability could potentially allow a malicious user to insert unauthorized code to the software by corrupting the memory triggering an access violation.  Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-21918 IMPACT

A memory buffer vulnerability could potentially allow a malicious user to insert unauthorized code to the software by corrupting the memory and triggering an access violation.  Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-21919 IMPACT

An uninitialized pointer could potentially allow a malicious user to insert unauthorized code to the software by leveraging the pointer after it is properly.  Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer

 

CVE-2024-21920 IMPACT

A memory buffer vulnerability might let a threat actor read beyond the intended memory boundaries. This could reveal sensitive information and even cause the application to crash, resulting in a denial-of-service condition. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 4.4
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

 

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Do not open untrusted files from unknown sources.
  • For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

High
SD1664 | Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527
Published Date:
March 21, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-2425, CVE-2024-2426, CVE-2024-2427
Products:
PowerFlex® 527
CVSS Scores:
7.5, 8.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

Published Date: March 21, 2024
Last updated: March 21, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

PowerFlex® 527

 v2.001.x <

n/a

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-2425 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 527 due to improper input validation in the device. If exploited, the web server will crash and need a manual restart to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0:  8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE – 120 Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

CVE-2024-2426 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 527 due to improper input validation in the device. If exploited, a disruption in the CIP communication will occur and a manual restart will be required by the user to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0:  8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE – 120 Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

CVE-2024-2427 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 527 due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-400: Uncontrolled Resource Consumption

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

There is no fix currently for this vulnerability. Users using the affected software are encouraged to apply risk mitigations and security best practices, where possible.

  • Implement network segmentation confirming the device is on an isolated network.
  • Disable the web server, if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.
  • Security Best Practices

 ADDITIONAL RESOURCES

Medium
SD1663 | FactoryTalk® View ME on PanelView™ Plus 7 Boot Terminal lack Security Protections
Published Date:
March 21, 2024
Last Updated:
December 03, 2024
CVE IDs:
CVE-2024-21914
Products:
FactoryTalk® View ME
CVSS Scores (v3.1):
5.3
CVSS Scores (v4.0):
6.9
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: March 21, 2024
Last updated: March 21, 2024
Revision Number: 1.0
CVSS Score: v3.1 5.3/10, v.4.0 6.9/10

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

FactoryTalk® View ME

<v14

V11

V12

V13

V14

VULNERABILITY DETAILS

Rockwell Automation used CVSS v3.1 and v4.0 scoring system to assess the following vulnerabilities.

CVE-2024-21914 IMPACT

A vulnerability exists in the affected product that allows a malicious user to restart the PanelView™ Plus 7 terminal remotely without security protections. If the vulnerability is exploited, it could lead to the loss of view or control of the PanelView™ product.

CVSS 3.1 Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 4.0 Base Score: 6.9

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CWE: Improper security protection for remote restart action

Known Exploited Vulnerability (KEV) database:  No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.  

 ADDITIONAL RESOURCES

Critical
SD1662 | FactoryTalk® Service Platform Elevated Privileges Vulnerability Through Web Service Functionality
Published Date:
February 14, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024-21915
Products:
FactoryTalk® Service Platform
CVSS Scores (v3.1):
9.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: February 15, 2024
Last updated:  February 15, 2024
Revision Number: 1.0
CVSS Score: 9.0/10

The security of our products is important to us as your chosen industrial automation supplier.  This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

FactoryTalk® Service Platform

             <v2.74

Update to V2.74 or later


VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-21915 IMPACT

A privilege escalation vulnerability exists in FactoryTalk® Service Platform (FTSP). If exploited, a malicious user with basic user group privileges could potentially sign into the software and receive FTSP Administrator Group privileges. A threat actor could potentially read and modify sensitive data, delete data and render the FTSP system unavailable.

CVSS Base Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:CC:H/I:H/A:H
CWE: CWE-279: Incorrect Execution-Assigned Permissions

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

ADDITIONAL RESOURCES

High
SD1661 | Denial-of-service Vulnerability in ControlLogix® and GuardLogix® Controllers
Published Date:
January 30, 2024
Last Updated:
November 20, 2024
CVE IDs:
CVE-2024 21916
Products:
ControlLogix® 5570, GuardLogix® 5570, ControlLogix® 5570 Redundancy
CVSS Scores (v3.1):
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Denial-of-service Vulnerability in ControlLogix® and GuardLogix® Controllers

Published Date: January 30, 2024

Last updated: 1.0

Revision Number: 1.0

CVSS Score: 8.6

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Firmware

Corrected in Firmware

ControlLogix® 5570

20.011

v33.016, 34.013, 35.012, 36.011 and later

GuardLogix® 5570

20.011

v33.016, 34.013, 35.012, 36.011 and later

ControlLogix® 5570 Redundancy

20.054_kit1

v33.053_kit1, 34.052_kit1, 35.052_kit1, 36.051_kit1 and later

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024 21916 IMPACT

A denial-of-service vulnerability exists in the affected products, listed above. If exploited, the product could potentially experience a major nonrecoverable fault (MNRF). The device will restart itself to recover from the MNRF .

CVSS Base Score: 8.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE: Improper Restriction of Operations within the Bounds of a Memory Buffer

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

Critical
SD1660 | FactoryTalk® Service Platform Service Token Vulnerability
Published Date:
January 30, 2024
Last Updated:
December 04, 2024
CVE IDs:
CVE-2024 21917
Products:
FactoryTalk® Service Platform
CVSS Scores (v3.1):
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

FactoryTalk® Service Platform Service Token Vulnerability

Published Date: January 30, 2024

Last updated: March 5th, 2024 *Updated Mitigations and Workarounds*

Revision Number: 1.0

CVSS Score: 9.8/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

FactoryTalk® Service Platform

<= v6.31

v6.40 or later

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Customers updating to v6.40 or later should do one of the following steps:

  1. Set the FactoryTalk Directory’s System Communications Type security policy to SOCKET.IO. This prevents FactoryTalk Services Platform from using the DCOM communication channel. When set to SOCKET.IO only v6.40, and later, FactoryTalk Directory clients can communicate with the FactoryTalk Directory server.

  2. If the v6.40 (or later) FactoryTalk Directory server must support communication with legacy FactoryTalk Directory client versions, v6.31 and earlier, do not alter the System Communication Type setting from AUTO or DCOM.
    Instead, elevate DCOM Authentication Level to PACKET PRIVACY (‘6’). Please refer to Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com)

IMPORTANT! Two v 6.40 (or later) FactoryTalk Directory security policies can prevent legacy FactoryTalk Directory clients, v6.31 and earlier, from connecting with the FactoryTalk Directory server. Ensure both security policies are set to Legacy to allow the connection.
The two security policies are the Service Token signature method and Encryption method.

Customers who are unable to update to v6.40 or later should apply the following mitigations:

VULNERABILITY DETAILS

Rockwell Automation used CVSS v3.1 scoring system to assess the following vulnerabilities.

CVE - 2024 21917 IMPACT

A vulnerability exists in the affected product that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory. This is due to the lack of digital signing between the FTSP service token and directory.  If exploited, a malicious user could potentially retrieve user information and modify settings without any authentication.

CVSS Base Score: 9.8/10 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: 347 Improper Verification of Cryptographic Signature

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

ADDITIONAL RESOURCES

High
SD1659 | LP30/40/50 and BM40 Operator Interface Vulnerable to CODESYS Vulnerabilities
Published Date:
January 24, 2024
Last Updated:
December 01, 2024
CVE IDs:
CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381 , CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47385 , CVE-2022-47392 , CVE-2022-47393
Products:
LP30 Operator Panel, LP40 Operator Panel, BM40 Operator Panel, LP50 Operator Panel
CVSS Scores (v3.1):
6.5, 8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: January 25, 2024

Last updated: January 25, 2024

Revision Number: 1.0

CVSS Score: 8.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product (automated)

First Known in Software Revision

Corrected in Software Revision

LP30 Operator Panel

Codesys versions before V3.5.19.0

Codesys 3.5.19.2

LP40 Operator Panel

Codesys versions before V3.5.19.0

Codesys 3.5.19.2

BM40 Operator Panel

Codesys versions before V3.5.19.0

Codesys 3.5.19.2

LP50 Operator Panel

Codesys versions before V3.5.19.0

Codesys 3.5.19.2

 

VULNERABILITY DETAILS

The CODESYS Control runtime system is utilized in the affected ASEM™ (A Rockwell Automation Company) products and enables embedded or PC-based devices to be programmable industrial controllers. Such products contain communication servers for the CODESYS protocol to enable communication with clients like the CODESYS Development System.

These products have the following vulnerabilities:

 

CVE-2022-47378 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-1288: Improper Validation of Consistency within Input

 

After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpFiletransfer component to read internally from an invalid address, potentially leading to a denial-of-service condition.

 

CVE-2022-47379 IMPACT

CVSS Base Score: 8.8/10 (High)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-787: Out-of-bounds Write

After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to memory, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47380, CVE-2022-47381 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

 

CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr

component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47385 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

After successful authentication, specifically crafted communication requests can cause the CmpAppForce

component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47392 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CWE-1288: Improper Validation of Consistency within Input

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

 

After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpApp/CmpAppBP/CmpAppForce components to read internally from an invalid address, potentially leading to a denial-of-service condition.

CVE-2022-47393 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CWE-822: Untrusted Pointer Dereference

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

After successful authentication, specifically crafted communication requests can cause the cmpFiletransfer component to dereference addresses provided by the request for internal read access, which can lead to a denial-of-service situation.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to CODESYS version 3.5.19.2 which has been released to mitigate these issues.
  • Additionally, we encourage the customer to implement our suggested security best practices to minimize risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

CODESYS Advisory

High
SD1658 | SD1658 | SIS Workstation and ISaGRAF Workbench Code Execution and Privilege Escalation
Published Date:
November 15, 2023
Last Updated:
November 15, 2023
CVE IDs:
CVE-2015-9268
Products:
Safety Instrumented System Workstation, ISaGRAF® Workbench
CVSS Scores:
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: November 14, 2023

Last updated: November 14, 2023

Revision Number: 1.0

CVSS Score: 7.8/10

The security of our products is important to us as your chosen industrial automation supplier.  This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Software Version

Corrected in Software Version

Safety Instrumented System Workstation

<= v1.2

              v2.00 and later

ISaGRAF® Workbench

<= v6.6.9

              v6.06.10 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2015-9268 IMPACT

Due to the third-party vulnerabilities in Nullsoft Scriptable Install System (NSIS), the SIS Workstation and ISaGRAF® Workbench installer and uninstaller have unsafe implicit linking against Version.dll. Therefore, there is no protection mechanism in the wrapper function that resolves the dependency at an appropriate time during runtime. Also, the SIS workstation and ISaGRAF® Workbench uninstaller uses temporary folder locations that allow unprivileged local users to overwrite files. This allows a local attack in which the uninstaller can be replaced by a malicious program.

CVSS Base Score: 7.8/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: Improper Input Validation

Known Exploited Vulnerability (KEV) database: 

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

 ADDITIONAL RESOURCES

Critical
SD1657 | FactoryTalk® Activation Contains Wibu CodeMeter Vulnerabilities
Published Date:
November 15, 2023
Last Updated:
November 19, 2024
CVE IDs:
CVE-2023-38545, CVE-2023-3935
Products:
FactoryTalk Activation Manager
CVSS Scores (v3.1):
7.9, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: November 14, 2023

Last updated: November 14, 2023

Revision Number: 1.0

CVSS Score: 7.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product (automated)

First Known in Software Version

Corrected in Software Version

FactoryTalk Activation Manager

V4.00 (Utilizes Wibu-Systems CodeMeter <7.60c)

5.01

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-38545 IMPACT

Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer uses the affected Wibu-Systems’ products which internally use the libcurl in a version that is vulnerable to a buffer overflow attack if curl is configured to redirect traffic through a SOCKS5 proxy. A malicious proxy can exploit a bug in the implemented handshake to cause a buffer overflow. If no SOCKS5 proxy has been configured, there is no attack surface.

CVSS Base Score: 7.9

CVSS Vector: CVSS:3.1/ AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

CVE-2023-3935 IMPACT

Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer uses the affected Wibu-Systems’ products which contain a heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b that allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to FactoryTalk Activation Manager 5.01 which has been patched to mitigate these issues (Available versions here, search "activation")
  • For information on how to mitigate Security Risks on industrial automation control systems Additionally, we encourage the customer to implement our suggested security best practices to minimize risk of the vulnerability.

ADDITIONAL RESOURCES

High
PN1656 | FactoryTalk® View Site Edition Vulnerable to Improper Input Validation
Published Date:
October 31, 2023
Last Updated:
December 10, 2024
CVE IDs:
CVE-2023-46289
Products:
FactoryTalk® View Site Edition
CVSS Scores (v3.1):
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 26, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® View Site Edition V11.0 v11.0 & v12.0 & v13.0 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-46289 IMPACT
The affected product insufficiently validates user input, which could potentially allow threat actors to send malicious data bringing the product offline. If exploited, the product would become unavailable and require a restart to recover resulting in a denial-of-service condition.

CVSS Base Score: 7.5/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

High
PN1655 | FactoryTalk® Services Platform Elevated Privileges Vulnerability
Published Date:
October 31, 2023
Last Updated:
December 10, 2024
CVE IDs:
CVE-2023-46290
Products:
FactoryTalk® Services Platform
CVSS Scores (v3.1):
8.1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 26, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Services Platform v2.74 V2.80 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-46290 IMPACT
Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk® Services Platform web service and then use the token to log in into FactoryTalk® Services Platform . This vulnerability can only be exploited if the authorized user did not previously log in into the FactoryTalk® Services Platform web service.

CVSS Base Score: 8.1/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

High
PN1654 | Arena® Simulation Buffer Overflow Vulnerabilities
Published Date:
October 31, 2023
Last Updated:
December 10, 2024
CVE IDs:
CVE-2023-27854, CVE-2023-27858
Products:
Arena® Simulation Software
CVSS Scores (v3.1):
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 27, 2023

Affected Products

Affected Product (automated) First Known in Software Version Corrected in Software Version
Arena® Simulation Software V16.00 16.20.02

Vulnerability Details

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl.  Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-27854 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow.  The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product.  The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-125 Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

CVE-2023-27858 IMPACT
An arbitrary code execution vulnerability could potentially allow a malicious user to commit unauthorized code to the software by using a uninitialized pointer in the application.  The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product.  The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

Critical
PN1653 | Stratix® 5800 and 5200 vulnerable to Cisco IOS XE Web UI Privilege Escalation (Active Exploit)
Published Date:
October 18, 2023
Last Updated:
December 10, 2024
CVE IDs:
CVE-2023-20198
Products:
Stratix® 5200, Stratix® 5800
CVSS Scores (v3.1):
7.2, 10
Known Exploited Vulnerability (KEV):
Yes
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

Published Date: 10/17/2023
Last updated:  02/14/2024
Revision Number: 2.0
Revision History: Updated Corrected in firmware revision
CVSS Score: 10/10

Rockwell Automation is aware of an actively exploited zero-day vulnerability affecting the Stratix® 5800 and the newly released Stratix® 5200 product. This vulnerability was reported by Cisco on October 16, 2023 and additional information can be found in their original disclosure. As of the time of publication, no patch is available for this vulnerability and multiple cases of active exploitation have been observed.  While Rockwell Automation has no evidence of active exploitation against the Stratix® product line, this vulnerability was discovered by Cisco Talos during an incident response for a Cisco customer.  This advisory will be updated, as remediation steps become available.

REVISION 1.1 UPDATE

Since publication of the original disclosure, the exploit code has become publicly available. Availability of exploit code reduces the technical barriers for threat actors to target the affected devices.  Rockwell Automation has no evidence of active exploitation against the Stratix® product line currently.  This advisory has been updated to include specific steps to take to create access control measures utilizing the Web UI.  Rockwell Automation strongly encourages customers to follow the mitigation guidelines.

REVISION 2.0 UPDATE

Rockwell Automation has released a software update that remediates the vulnerabilities in the affected products. We strongly recommend customers update to the corrected firmware revision as soon as possible.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First known in firmware revision

Corrected in Firmware Revision

Stratix® 5200, 5800

All versions running Cisco IOS XE Software with the Web UI feature enabled

17.12.02

VULNERABILITY DETAILS

CVE-2023-20198 IMPACT

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated threat actor to create an account on a vulnerable system with privilege level 15 access. The threat actor could then potentially use that account to gain control of the affected system.

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 10/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Known Exploited Vulnerability (KEV) database: Yes

CVE-2023-20273 IMPACT

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability could allow an authenticated, remote threat actor to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. A threat actor could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the threat actor to inject commands to the underlying operating system with root privileges.  

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 7.2/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Known Exploited Vulnerability (KEV) database: Yes

Mitigations and Workarounds

Rockwell strongly encourages customers to follow guidance disabling Stratix® HTTP servers on all internet-facing systems.

  • To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
  • Cisco Talos has provided Indicators of Compromise and Snort rules that can be found here.

REVISION 1.1 UPDATE

  • Access Control Lists should be enabled to only allow specific IP addresses to access the Web UI of the device.  Detailed instructions on how to create the Access Control List is in QA67053.
  • When implementing access controls for these services, be sure to review the controls because there is the potential for an interruption in production services.

ADDITIONAL RESOURCES

High
PN1652 | PN1652 | FactoryTalk® Linx Vulnerable to Denial-of-Service and Information Disclosure
Published Date:
October 17, 2023
Last Updated:
October 17, 2023
CVE IDs:
CVE-2023-29464
Products:
FactoryTalk® Linx
CVSS Scores:
8.2
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 12, 2023

Affected Products

Affected Product First Known in Revision Corrected in Revision
FactoryTalk® Linx v6.20 v6.20 & v6.30 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  Rockwell Automation would like to thank Yuval Gordon, CPS Research, Microsoft Threat Intelligence Community for reporting this vulnerability to us.

CVE-2023-29464 IMPACT

FactoryTalk Linx, in the Rockwell Automation PanelView™ Plus, allows an unauthenticated threat actor to read data from memory via crafted malicious packets. Sending a size larger than the buffer size results in leakage of data from memory resulting in an information disclosure. If the size is large enough, it causes communications over the common industrial protocol to become unresponsive to any type of packet, resulting in a denial-of-service to FactoryTalk® Linx over the common industrial protocol.

CVSS Base Score: 8.2/10 (high)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CWE: 20 – Improper Input Validation

Risk Mitigation & User Action

Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Additional Resources

Critical
PN1649 | PN1649 | Select Logix Communication Modules Vulnerable to Email Object Buffer Overflow
Published Date:
October 09, 2023
Last Updated:
October 09, 2023
CVE IDs:
CVE-2023-2262
Products:
ControlLogix Communication - Ethernet/IP
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History

Revision Number

1.0

Revision History

Version 1.0 – September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.  This vulnerability is not related to PN1633 - Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules .

Affected Products

Affected Catalog Series Affected Firmware Version Corrected in Firmware Version
1756-EN2T
1756-EN2TK
1756-EN2TXT		 A, B, C <=5.008 and 5.028 Update to 5.009 and 5.029 or later
D <=11.002 Update to >=11.003 or later
1756-EN2TP
1756-EN2TPK
1756-EN2TPXT		 A <=11.002 Update to >=11.003 or later
1756-EN2TR
1756-EN2TRK
1756-EN2TRXT		 A, B <=5.008 and 5.028 Update to 5.009 and 5.029 or later
C <=11.002 Update to >=11.003 or later
1756-EN2F
1756-EN2FK		 A, B <=5.008 and 5.028 Update to 5.009 and 5.029 or later
C <=11.002 Update to >=11.003 or later
1756-EN3TR
1756-EN3TRK		 A <=5.008 and 5.028 Update to 5.009 and 5.029 or later
B <=11.002 Update to >=11.003 or later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2262 IMPACT
A buffer overflow vulnerability exists in select communication devices. If exploited, a threat actor could potentially leverage this vulnerability to perform a remote code execution. To exploit this vulnerability, a threat actor would have to send a maliciously crafted CIP request to device.

CVSS Base Score: 9.8/10
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121: Stack-based Buffer Overflow

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

Critical
PN1648 | PN1648 | Connected Components Workbench™ Vulnerable to CefSharp Vulnerabilities
Published Date:
October 05, 2023
Last Updated:
October 05, 2023
CVE IDs:
CVE-2020-16017, CVE-2022-0609, CVE-2020-16009, CVE-2020-16013, CVE-2020-15999
Products:
Connected Components Workbench (CCW)
CVSS Scores:
9.6, 8.8, 8.8, 8.8, 6.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History

Revision Number

1.0

Revision History

Version 1.0 – September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

Affected Products

Affected Product Affected Versions Corrected in Software Version
Connected Components Workbench™ (CCW) Versions Prior to R21 R21 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2020-16017 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Google Chrome versions before 86.0.4240.198. If exploited, a remote threat actor could potentially perform a sandbox escape via a crafted HTML page.

CVSS Base Score: 9.6/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: 416 – Use After Free

Known Exploited Vulnerability (KEV) database:  Yes

CVE-2022-0609 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Animation within Google Chrome before 98.0.4758.102. This vulnerability could potentially allow a remote threat actor to exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 416 – Use After Free

Known Exploited Vulnerability (KEV) database:  Yes

CVE-2020-16009 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.18. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write & 843 Access of Resource Using Incompatible Type (‘Type Confusion”)
 
Known Exploited Vulnerability (KEV) database:  Yes

CVE-2020-16013 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.198. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database:  Yes

CVE-2020-15999
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a heap buffer overflow vulnerability in Freetype within Google Chrome before 86.0.4240.111. This vulnerability could allow a remote threat actor to potentially exploit heap corruption via a crafted HTML.

CVSS Base Score: 6.5/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database:  Yes

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

Critical
PN1647 | PN1647 | PanelView™ 800 Vulnerable to CVE-2017-12652
Published Date:
October 05, 2023
Last Updated:
October 05, 2023
CVE IDs:
CVE-2017-12652
Products:
PanelView 800, PanelView Component Refresh (PanelView 800)
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History

Revision Number

1.0

Revision History

Version 1.0 - September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

Affected Products

Affected Product First Known in firmware revision Corrected in firmware revision
2711R-T10T v3.011 v6.011
2711R-T7T
2711R-T4T

Vulnerability Details

An input/output validation vulnerability exists in a third-party component that the PanelView™ 800 utilizes. Libpng, which is PNG’s reference library, version 1.6.32 and earlier does not properly check the length of chunks against the user limit. Libpng versions prior to 1.6.32 are susceptible to a vulnerability which, when successfully exploited, could potentially lead to a disclosure of sensitive information, addition or modification of data, or a denial-of-service condition.
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 9.8/10
CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 – Improper Input Validation

Known Exploited Vulnerability (KEV) database:  No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
 

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

Medium
PN1646 | PN1646 | KEPServer Enterprise Vulnerable to Multiple Vulnerabilities
Published Date:
October 05, 2023
Last Updated:
October 05, 2023
CVE IDs:
CVE 2023-29444, CVE 2023-29445, CVE 2023-29446, CVE 2023-29447
Products:
KEPServe Enterprise
CVSS Scores:
6.3, 6.3, 4.7, 5.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History

Revision History

Version 1.0 – September 12, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
KEPServer Enterprise v11.00 Expected November 2023

Vulnerability Details

Rockwell Automation was notified by CISA of vulnerabilities discovered in Kepware® KEPServerEX (also known as PTC ThingWorx Industrial Connectivity), which affects Rockwell Automation’s KEPServer Enterprise product. Successful exploitation of these vulnerabilities could allow a threat actor to gain elevated privileges, execute arbitrary code, and obtain server hashes and credentials.

CVE 2023-29444 KEPServer Enterprise Uncontrolled Search Path Element
The installer application of KEPServerEX is vulnerable to DLL search order hijacking. This could allow an adversary to repackage the installer with a malicious DLL and trick users into installing the trojanized software. Successful exploitation could lead to code execution with administrator privileges.

CVSS Base Score: 6.3 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-427: Uncontrolled Search Path Element

CVE 2023-29445 KEPServer Enterprise Uncontrolled Search Path Element
KEPServerEX binary is vulnerable to DLL search order hijacking. A locally authenticated adversary could escalate privileges to administrator by planting a malicious DLL in a specific directory.

CVSS Base Score: 6.3 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-427: Uncontrolled Search Path Element

CVE 2023-29446 KEPServer Enterprise Improper Input Validation
KEPServerEx is vulnerable to UNC path injection via a malicious project file. By tricking a user into loading a project file and clicking a specific button in the GUI, an adversary could obtain Windows user NTLMv2 hashes, and crack them offline.

CVSS Base Score: 4.7 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-20: Improper Input Validation

CVE 2023-29447 KEPServer Enterprise Insufficiently Protected Credentials
The KEPServerEX Configuration web server uses basic authentication to protect user credentials. An adversary could perform a man-in-the-middle (MitM) attack via ARP spoofing to obtain the web server's plaintext credentials.

CVSS Base Score: 5.7 /10 (Medium)
CVSS 3.1 Vector String: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-522: Insufficiently Protected Credentials

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected versions are encouraged to apply the risk mitigations below and implement our suggested security best practices to minimize risk of this vulnerability in their environments. 

Additional Resources

Critical
PN1645 | PN1645 | FactoryTalk View Machine Edition Vulnerable to Remote Code Execution
Published Date:
October 05, 2023
Last Updated:
October 05, 2023
CVE IDs:
CVE-2023-2071
Products:
FactoryTalk View Machine Edition
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History

Revision Number

1.0

Revision History

Version 1.0 – September 12, 2023

Affected Products

Affected Product First Known in Revision Corrected in Revision
FactoryTalk View Machine Edition v12.0 v12.0 & v13.0 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. Rockwell Automation would like to thank Yuval Gordon, CPS Research, and the Microsoft Threat Intelligence Community for reporting this vulnerability to us.

CVE-2023-2071 IMPACT

FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to achieve remote code executed via crafted malicious packets.  The device has the functionality, through a CIP class, to execute exported functions from libraries.  There is a routine that restricts it to execute specific functions from two dynamic link library files.  By using a CIP class, an attacker can upload a self-made library to the device which allows the attacker to bypass the security check and execute any code written in the function.

CVSS Base Score: 9.8/10 (high)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 – Improper Input Validation

Risk Mitigation & User Action

Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Additional Resources

High
PN1642 | PN1642 | Pavilion8® Security Misconfiguration Vulnerability
Published Date:
October 05, 2023
Last Updated:
October 05, 2023
CVE IDs:
CVE-2023-29463
Products:
ControlLogix Communications - Ethernet/IP
CVSS Scores:
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History

Revision Number

1.0

Revision History

Version 1.0 – September 12, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
Pavilion8® v5.17 v5.20

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-29463 IMPACT

The JMX Console within the Pavilion is exposed to application users and does not require authentication. If exploited, a malicious user could potentially retrieve other application users’ session data and or log users out of their session.

CVSS Base Score: 8.8/10
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: 287- Improper Authentication

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.


If customers are unable to update to v5.20, please follow the instructions below to disable the vulnerability in v5.17.

  1. Open the web.xml file in your Pavilion8® installation folder set during installation and go to Console\container\webapps\ROOT\WEB-INF, by default this would be under C:\Pavilion\Console\container\webapps\ROOT\WEB-INF.
  2. Search for the text jmx-console-action-handler and delete the below lines from web.xml file:

      <servlet>
        <servlet-name>jmx-console-action-handler</servlet-name>
        <servlet-class>com.pav.jboss.jmx.HtmlAdaptorServlet</servlet-class>
      </servlet>
      <servlet-mapping>
        <servlet-name>jmx-console-action-handler</servlet-name>
        <url-pattern>/jmx-console/HtmlAdaptor</url-pattern>
      </servlet-mapping>
     
  3. Save the changes and close the file.
  4. Restart Pavilion8® Console Service.
  5. Logout and log back into the console and navigate to the URL http:// <FQDN>/jmx-console to confirm you are getting the error message HTTP Status 404 – Not Found.

Note: <FQDN> is your fully qualified domain name used for the Console login.

Additional Resources

High
PN1639 | PN1639 | Select Distributed I/O Communication Modules vulnerable to a Denial-of-Service Vulnerability
Published Date:
August 23, 2023
Last Updated:
August 23, 2023
CVE IDs:
CVE-2022-1737
Products:
1732E-OB16M12DR Series B, 1732E-IB16M12R Series B, 1734-AENTR , 1732E-OB16M12R Series B, 1732E-IB16M12DR Series B, 1732E-8X8M12DR Series B, 1738-AENTR Series A , 1732E-12X4M12P5QCDR Series A, 1732E-12X4M12QCDR Series A, 1732E-16CFGM12QCR Series A, 1734-AENT, 1732E-12X4M12QCDR Series A, 1732E-16CFGM12P5QCR Series A, 1732E-16CFGM12R Series B, 1799ER-IQ10XOQ10 Series B, 1732E-16CFGM12P5QCWR Series B, 1732E-16CFGM12QCWR Series A
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 23, 2023

Affected Products

Affected Product First Known in Firmware Version Corrected in Firmware Version
1734-AENT/1734-AENTR Series C <=7.011 7.013
1734-AENT/1734-AENTR Series B <=5.019 5.021
1738-AENT/ 1738-AENTR Series B <=6.011 6.013
1794-AENTR Series A <=2.011 2.012
1732E-16CFGM12QCWR Series A <=3.011 3.012
1732E-12X4M12QCDR Series A <=3.011 3.012
1732E-16CFGM12QCR Series A <=3.011 3.012
1732E-16CFGM12P5QCR Series A <=3.011 3.012
1732E-12X4M12P5QCDR Series A <=3.011 3.012
1732E-16CFGM12P5QCWR Series B <=3.011 3.012
1732E-IB16M12R Series B <=3.011 3.012
1732E-OB16M12R Series B <=3.011 3.012
1732E-16CFGM12R Series B <=3.011 3.012
1732E-IB16M12DR Series B <=3.011 3.012
1732E-OB16M12DR Series B <=3.011 3.012
1732E-8X8M12DR Series B <=3.011 3.012
1799ER-IQ10XOQ10 Series B <=3.011 3.012

Vulnerability Details

This issue was reported to Rockwell Automation by the Cybersecurity and Infrastructure Security Agency.  The affected devices utilize the Pyramid Solutions EtherNet/IP Adapter kit and are could potentially be affected by the vulnerability.

CVE-2022-1737 IMPACT
Pyramid Solutions' affected products, the Developer and DLL kits for EtherNet/IP Adapter and EtherNet/IP Scanner may be vulnerable to an out-of-bounds write, which may allow an unauthorized threat actor to send a specially crafted packet that may result in a denial-of-service condition.

CVSS Base Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CWE: CWE-787 Out-of-Bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible. Additionally, we encourage our customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

Critical
PN1638 | PN1638 | ThinManager® ThinServer™ Input Validation Vulnerabilities
Published Date:
August 17, 2023
Last Updated:
August 17, 2023
CVE IDs:
CVE-2023-2917, CVE-2023-2914, CVE-2023-2915
Products:
ThinManager ThinServer Input Validation Vulnerabilities
CVSS Scores:
7.5, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 17, 2023

Affected Products

Affected Product Vulnerability First Known in Software Versions Corrected in Software Versions
ThinManager® ThinServer™
  • CVE-2023-2914
  • CVE-2023-2915
  • CVE-2023-2917
  • 11.0.0-11.2.6
  • 11.1.0-11.1.6
  • 11.2.0-11.2.6
  • 12.0.0-12.0.5
  • 12.1.0-12.1.6
  • 13.0.0-13.0.2
  • 13.1.0

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. This vulnerability was discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2023-2914 IMPACT
Due to improper input validation, an integer overflow condition exists in the affected products. When the ThinManager processes incoming messages, a read access violation occurs and terminates the process. A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: 20 Improper Input Validation

CVE-2023-2915 IMPACT
Due to improper input validation, a path traversal vulnerability exists when the ThinManager processes a certain function. If exploited, an unauthenticated remote threat actor can delete arbitrary files with system privileges.   A malicious user could exploit this vulnerability by sending a specifically crafted synchronization protocol message.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: 20 Improper Input Validation

CVE-2023-2917 IMPACT
Due to improper input validation, a path traversal vulnerability exists, via the file name field, when the ThinManager processes a certain function. If exploited, an unauthenticated remote attacker can upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed.  A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message.

CVSS Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 Improper Input Validation

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Additional Resources

High
PN1637 | PN1637 | Armor ™ PowerFlex ® Critical Fault Vulnerability
Published Date:
August 08, 2023
Last Updated:
August 08, 2023
CVE IDs:
CVE-2023-2423
Products:
Armor PowerFlex Critical Fault
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 8, 2023

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Armor™ PowerFlex® 1.003 2.001 or later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2423 IMPACT
A vulnerability was discovered in Armor™ PowerFlex® when the product sends communications to the local event log. Threat actors could exploit this vulnerability by sending an influx of network commands, causing the product to generate an influx of event log traffic at a high rate. If exploited, the product would stop normal operations and self-reset. The error code would need to be cleared prior to resuming normal operations.

CVSS Base Score: 8.6
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE- 682 Incorrect Calculation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected versions are encouraged to apply the below risk mitigations and implement our suggested security best practices to minimize risk of this vulnerability in their environments.

Additional Resources

High
PN1634 | PN1634 | Kinetix® 5700 DC Bus Power Supply Series A – CIP Message Attack Could Cause Denial-Of-Service
Published Date:
July 18, 2023
Last Updated:
July 18, 2023
CVE IDs:
CVE-2023-2263
Products:
2198 Kinetix 5700 Drive
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 18, 2023

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Kinetix® 5700 DC Bus Power Supply – Series A V13.001 V13.003

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2263 IMPACT
The Kinetix 5700  DC Bus Power Supply Series A is vulnerable to CIP fuzzing.  The new ENIP   connections cannot be established if impacted by this vulnerability,  which prohibits operational capabilities of the device resulting in a denial-of-service attack.

CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400: Uncontrolled Resource Consumption

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible.

Additional Resources

High
PN1635 | PN1635 | ThinManager® ThinServer™ Path Traversal Vulnerability
Published Date:
July 18, 2023
Last Updated:
July 18, 2023
CVE IDs:
CVE-2023-2913
Products:
ThinManager
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 18, 2023

Affected Products

Affected Product First Known in software version Corrected in software version
ThinManager® ThinServer™
  • 13.0.0 - 13.0.2
  • 13.1.0
  • 13.0.3 or later
  • 13.1.1 or later

Vulnerability Details

A vulnerability was discovered by Security Researchers at Flashpoint.io and reported to Rockwell Automation. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2913 IMPACT
An executable used in the affected products can be configured to enable an API feature in the HTTPS Server Settings. This feature is disabled by default. When the API is enabled and handling requests, a path traversal vulnerability exists that allows a remote actor to leverage the privileges of the server’s file system and read arbitrary files stored in it. A malicious user could exploit this vulnerability by executing a path that contains manipulating variables.

CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-23 Relative Path Traversal

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of vulnerability.

Additional Resources

High
PN1633 | PN1633 | Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules
Published Date:
July 12, 2023
Last Updated:
July 12, 2023
CVE IDs:
CVE-2023-3596, CVE-2023-3595
Products:
Comms Modules
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 12, 2023

Executive Summary

Rockwell Automation, in coordination with the U.S. government, has analyzed a novel exploit capability attributed to Advance Persistent Threat (APT) actors affecting select communication modules. We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear. Previous threat actors cyberactivity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers. Threat activity is subject to change and customers using affected products could face serious risk if exposed.

Rockwell Automation has provided patches for all affected products, including hardware series that were out of support. Detection rules have also been provided.

Exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity, such as manipulating the module’s firmware, inserting new functionality into the module, wiping the module’s memory, falsifying traffic to/from the module, establishing persistence on the module, and potentially affect the underlying industrial process. This could result in destructive actions where vulnerable modules are installed, including critical infrastructure.

Customers using the affected products are strongly encouraged to evaluate and implement the mitigations provided below. Additional details relating to the discovered vulnerabilities, including the products in scope, impact, and recommended countermeasures, are provided below.

Affected Products

Catalog Series Versions
1756-EN2T
1756-EN2TK
1756-EN2TXT		 A,B,C <=5.008 & 5.028
D <=11.003
1756-EN2TP
1756-EN2TPK
1756-EN2TPXT		 A <=11.003
1756-EN2TR
1756-EN2TRK
1756-EN2TRXT		 A, B <=5.008 & 5.028
C <=11.003
1756-EN2F
1756-EN2FK		 A, B <=5.008 & 5.028
C <=11.003
1756-EN3TR
1756-EN3TRK		 A <=5.008 & 5.028
B <=11.003
1756-EN4TR
1756-EN4TRK
1756-EN4TRXT		 A <=5.001

Vulnerability Details

CVE-2023-3595
Where this vulnerability exists in the 1756 EN2* and 1756 EN3* products, it could allow a malicious user to perform remote code execution with persistence on the target system through maliciously crafted CIP messages. This includes the ability to modify, deny, and exfiltrate data passing through the device.

CVSS score: 9.8/10 (Critical)
CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write

CVE-2023-3596
Where this vulnerability exists in the 1756-EN4* products, it could allow a malicious user to cause a denial of service by asserting the target system through maliciously crafted CIP messages.

CVSS Score: 7.5/10 (High)
CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-787: Out-of-bounds Write

Risk Mitigation & User Action

These vulnerabilities can be addressed by performing a standard firmware update. Customers are strongly encouraged to implement the risk mitigations provided below and to the extent possible, to combine these with the QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.
Catalog Series Affected Versions Remediations
1756-EN2T
1756-EN2TK
1756-EN2TXT		 A,B,C <=5.008 & 5.028
  • Update to 5.029 or later for signed versions (**recommended).
  • Update to 5.009 for unsigned versions.
D <=11.003 Update to 11.004 or later
1756-EN2TP
1756-EN2TPK
1756-EN2TPXT		 A <=11.003 Update to 11.004 or later
1756-EN2TR
1756-EN2TRK
1756-EN2TRXT		 A, B <=5.008 & 5.028
  • Update to 5.029 or later for signed versions (**recommended).
  • Update to 5.009 for unsigned versions.
C <=11.003 Update to 11.004 or later
1756-EN2F
1756-EN2FK		 A, B <=5.008 & 5.028
  • Update to 5.029 or later for signed versions (**recommended).
  • Update to 5.009 for unsigned versions.
C <=11.003 Update to 11.004 or later
1756-EN3TR
1756-EN3TRK		 A <=5.008 & 5.028
  • Update to 5.029 or later for signed versions (**recommended).
  • Update to 5.009 for unsigned versions.
B <=11.003 Update to 11.004 or later
1756-EN4TR
1756-EN4TRK
1756-EN4TRXT		 A <=5.001 Update to 5.002 or later
** Rockwell Automation strongly recommends updating to signed firmware if possible. Once the module is updated to signed firmware (example 5.008 to 5.029), it is not possible to revert to unsigned firmware versions.

Mitigations

Organizations should take the following actions to further secure ControlLogix communications modules from exploitation.
  • Update firmware. Update EN2* ControlLogix communications modules to firmware revision 11.004 and update EN4* ControlLogix communications modules to firmware revision 5.002.
  • Properly segment networks. Given a cyber actor would require network connectivity to the communication module to exploit the vulnerability, organizations should ensure ICS/SCADA networks are properly segmented within the process structure as well as from the Internet and other non-essential networks.
  • Implement detection signatures. Use appended Snort signatures to monitor and detect anomalous Common Industrial Protocol (CIP) packets to Rockwell Automation devices.
Additionally, organizations should increase protections of ICS/SCADA networks by implementing at least the following mitigations:
  • Regularly back up devices to allow for reversion to a clean copy of firmware or a working project;
  • disable unused CIP objects on communications modules, such as unused CIP Email and Socket Objects;
  • block all traffic to CIP-enabled devices from outside the ICS/SCADA network using available security products; and
  • monitor CIP traffic for unexpected content or unusual packets lengths.

Potential Indicators of Compromise

System owners should ensure ICS/SCADA networks are baselined and regularly monitored for deviations in network activity. Specifically, systems owners can look for the following potential IOCs (Indicators of Compromise) for ControlLogix communications modules:
  • Unknown scanning on a network for Common Industrial Protocol (CIP)-enabled devices.
  • Unexpected or out-of-specification CIP packets to CIP objects implemented in ControlLogix communications modules, including the Email Object and non-public vendor-specified objects.
  • Arbitrary writes to communication module memory or firmware.
  • Unexpected firmware updates.
  • Unexpected disabling of secure boot options.
  • Uncommon firmware file names.

Detection Rules

The following Snort rules are intended to be run on a computer with network visibility of a ControlLogix communications module and can be used to detect traffic to a ControlLogix communications module that does not conform to the CIP specification as provided by ODVA (Open DeviceNet Vendors Association). While both the CIP Email and Socket Objects are capable of communicating over a network, they are intended to communicate over the backplane of a ControlLogix PLC (Programmable Logic Controller) and therefore should not be seen over the network. However, it is possible that site engineers could configure a communications module such that there is legitimate network traffic to and from CIP Email and Socket Objects, potentially resulting in false positives.

Snort 2 Rules and Snort 3 Rules are both attached below.

References

Attachments
Attachments

Critical
PN1630 | PN1630 | Enhanced HIM Vulnerable to Cross Site Request Forgery Attack
Published Date:
July 11, 2023
Last Updated:
July 11, 2023
CVE IDs:
CVE-2023-2746
Products:
PowerFlex 7000, PowerFlex 6000
CVSS Scores:
9.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - July 11, 2023

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Enhanced HIM v1.001 v1.002

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2746 IMPACT
The API that the application uses is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings and, as a result, is vulnerable to a Cross Site Request Forgery (CSRF) attack. To exploit this vulnerability, a malicious user would have to convince a user to click on an untrusted link through a social engineering attack or successfully perform a Cross Site Scripting Attack (XSS). Exploitation of a CSRF could potentially lead to sensitive information disclosure and full remote access to the affected products.

CVSS Base Score: 9.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-352: Cross-Site Request Forgery (CSRF)

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply risk mitigation, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of the vulnerability.

Additional Resources

High
PN1631 | PN1631 | PowerMonitor™ 1000 – Cross-Site Scripting Vulnerability
Published Date:
July 11, 2023
Last Updated:
July 11, 2023
CVE IDs:
CVE-2023-2072
Products:
1408 PowerMonitor 1000
CVSS Scores:
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 11, 2023

Affected Products

Affected Product (automated) First Known in Software Revision Corrected in Software Revision
PowerMonitor™ 1000 V4.011 V4.019

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2072 IMPACT
The PowerMonitor 1000 contains stored cross site scripting vulnerabilities within the web page of the product.  The vulnerable pages do not require privileges to access and can be injected with code by an attacker which could be used to leverage an attack on an authenticated user resulting in remote code execution and potentially the complete loss of confidentiality, integrity, and availability of the product.

CVSS Base Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-787 Out-Of-Bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigation below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of the vulnerability.

Additional Resources

High
PN1627 | PN1627 | FactoryTalk® System Services affecting FactoryTalk® Policy Manager – Multiple Vulnerabilities
Published Date:
June 13, 2023
Last Updated:
June 13, 2023
CVE IDs:
CVE-2023-2639, CVE-2023-2637, CVE-2023-2638
Products:
FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Services Platform
CVSS Scores:
4.1, 5.9, 7.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 13, 2023

Affected Products

Affected Product (automated) First Known in Software Version Corrected in Software Version
FactoryTalk® Services Platform
* Only if the following were installed:
  • FactoryTalk® Policy Manager v6.11.0
  • FactoryTalk® System Services v6.11.0
 6.11.00 6.30.00

Vulnerability Details

Rockwell Automation received a report from Claroty regarding three vulnerabilities in FactoryTalk® System Services. If successfully exploited, these vulnerabilities may result in information disclosure, loading of malicious configuration files, or the elevation of privileges from a user to an administrator.

FactoryTalk® Policy Manager is dependent upon FactoryTalk® System Services and both components must be installed together. Rockwell Automation used the latest version  of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2637  IMPACT
Hard-coded cryptographic key may lead to privilege escalation. FactoryTalk® System Services uses a hard-coded cryptographic key to generate administrator cookies. This vulnerability may allow a local, authenticated non-admin user to generate an invalid administrator cookie giving them administrative privileges to the FactoryTalk® Policy Manger database. This may allow the threat actor to make malicious changes to the database that will be deployed when a legitimate FactoryTalk® Policy Manager user deploys a security policy model. User interaction is required for this vulnerability to be successfully exploited.

CVSS Base Score: 7.3
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H.
CWE: CWE-321: Use of Hard-coded Cryptographic Key

Known Exploited Vulnerability (KEV) database: No

CVE-2023-2638  IMPACT
Improper authorization in FTSSBackupRestore.exe may lead to the loading of malicious configuration archives. FactoryTalk® System Services does not verify that a backup configuration archive is password protected. This vulnerability may allow a local, authenticated non-admin user to craft a malicious backup archive, without password protection, that will be loaded by FactoryTalk® System Services as a valid backup when a restore procedure takes places. User interaction is required for this vulnerability to be successfully exploited.

CVSS Base Score: 5.9
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H
CWE: CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database: No

CVE-2023-2639  IMPACT
Origin validation error may lead to information disclosure. The underlying feedback mechanism of FactoryTalk® System Services that transfers the FactoryTalk® Policy Manager rules to relevant devices on the network does not verify that the origin of the communication is from a legitimate local client device. This may allow a threat actor to craft a malicious website that, when visited, will send a malicious script that can connect to the local WebSocket endpoint and wait for events as if it was a valid client device. If successfully exploited, this would allow a threat actor to receive information including whether FactoryTalk® Policy Manager is installed and potentially the entire security policy. User interaction is required for this vulnerability to be successfully exploited.

CVSS Base Score: 4.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
CWE: CWE-346: Origin Validation Error

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

CVE-2023-2637 JSON
CVE-2023-2638 JSON
CVE-2023-2639 JSON

High
PN1628 | PN1628 | Apache Portable Runtime Vulnerability in FactoryTalk® Edge Gateway
Published Date:
June 13, 2023
Last Updated:
June 13, 2023
CVE IDs:
CVE-2021-35940, CVE-2017-12613
Products:
FactoryTalk Edge Gateway
CVSS Scores:
7.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 13, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Edge Gateway v1.03.00 v1.04.00

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.  The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2021-35940 IMPACT
An out of bounds array read vulnerability was fixed in the apr_time_exp*() function in the Apache Portable Runtime v1.6.3 (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

CVSS Base Score: 7.1
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
CWE: CWE 125 Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigation below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Additional Resources

High
PN1629 | PN1629 | Denial-of-Service Vulnerability in FactoryTalk® Transaction Manager
Published Date:
June 13, 2023
Last Updated:
June 13, 2023
CVE IDs:
CVE-2023-2778
Products:
FactoryTalk Transaction Manager
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 13, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Transaction Manager <=v13.10 BF29042 - Patch: Multiple issues, FactoryTalk Transaction Manager 13.00/13.10

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2778 IMPACT
A denial-of-service (DoS) vulnerability exists in the affected products. This vulnerability can be exploited by sending a modified packet to port 400. If exploited, the application could potentially crash or experience a high CPU or memory usage condition, causing intermittent application functionality issues. The application would need to be restarted to recover from the DoS.

CVSS Base Score 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400 Uncontrolled Resource Consumption

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible. Additionally, we encourage our customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Additional Resources

High
PN1625 | PN1625 | Inadequate Encryption Vulnerability in ThinManager®
Published Date:
May 12, 2023
Last Updated:
May 12, 2023
CVE IDs:
CVE-2023-2443
Products:
ThinManager
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
2.0
Revision History
Version 1.0 - May 11, 2023
Version 2.0 - May 12, 2023 – Updated First Known in Software Version

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
ThinManager ® v13.0.0 and v13.0.1 v13.0.2

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2443 IMPACT
The affected product allows use of medium strength ciphers.  If the client requests an insecure cipher, a malicious actor could potentially decrypt traffic sent between the client and server API.

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: Inadequate Encryption Strength

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize risk of vulnerability.

Additional Resources

High
PN1622 | PN1622 | ArmorStart® ST 281E, 284EE Vulnerable to Multiple XSS Vulnerabilities
Published Date:
May 11, 2023
Last Updated:
May 11, 2023
CVE IDs:
CVE-2023-29030, CVE-2023-29022, CVE-2023-29028, CVE-2023-29027, CVE-2023-29023, CVE-2023-29026, CVE-2023-29029, CVE-2023-29031, CVE-2023-29024, CVE-2023-29025
Products:
ArmorStart
CVSS Scores:
4.7, 7.0, 5.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product (automated) First Known in Firmware Revision Corrected in Firmware Revision
ArmorStart® ST 281E v2.004.06 N/A
ArmorStart® ST 284E all N/A
ArmorStart® ST 280E all N/A

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-29031 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 7.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29030 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29023 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 7.0 (High)
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29024 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVSS Base Score: 5.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29025 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023-29026 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023-29027 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023-29028 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023-29029 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation

CVE-2023 29022 IMPACT
A cross site scripting vulnerability was discovered that could potentially allow a malicious user with admin privileges and network access to view user data and modify the web interface. Additionally, a malicious user could potentially cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-20 Improper Input Validation


Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

Critical
PN1623 | PN1623 | PanelView™ 800 – Remote Code Execution Vulnerabilities
Published Date:
May 11, 2023
Last Updated:
May 11, 2023
CVE IDs:
CVE-2019-16748, CVE-2020-36177
Products:
PanelView 800
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
PanelView™ 800 - 2711R-T4T V5.011 V8.011
PanelView™ 800 - 2711R-T7T V5.011 V8.011
PanelView™ 800 - 2711R-T10T V5.011 V8.011

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2020-36177 IMPACT
RsaPad_PSS in WolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size.  This is utilized in the PanelView™ 800 and could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file where WolfSSL is used.  This feature is disabled by default.

CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-787 Out-Of-Bounds Write

Known Exploited Vulnerability (KEV) database: No

CVE-2019-16748 IMPACT
In WolfSSL through 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking. Specifically, there is a one-byte heap-based buffer over-read in CheckCertSignature ex in wolfcrypt/src/asn.c.  WolfSSL is utilized in the PanelView™ 800 and could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file where WolfSSL is used.  This feature is disabled by default.

CVSS Base Score: 9.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-125 Out-Of-Bounds Read

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

High
PN1626 | PN1626 | Cross Site Request Forgery in FactoryTalk® Vantagepoint®
Published Date:
May 11, 2023
Last Updated:
May 11, 2023
CVE IDs:
CVE-2023-2444
Products:
FactoryTalk VantagePoint
CVSS Scores:
7.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product First Known in Software Version Corrected in Software Version
FactoryTalk® Vantagepoint® <v8.40 V8.40 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2444 IMPACT
A cross site request forgery vulnerability exists in the affected product. This vulnerability can be exploited in two ways. If an attacker sends a malicious link to a computer that is on the same domain as the FactoryTalk® Vantagepoint® server and a user clicks the link, the attacker could impersonate the legitimate user and send requests to the affected product.

Additionally, if an attacker sends an untrusted link to a computer that is not on the same domain as the server and a user opens the FactoryTalk® Vantagepoint® website, enters credentials for the FactoryTalk® Vantagepoint® server, and clicks on the malicious link a cross site request forgery attack would be successful as well.

CVSS Base Score: 7.1/10
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
CWE: CWE-345 Insufficient Verification of Data Authenticity

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are also encouraged to implement our suggested security best practices to minimize risk associated with the vulnerability.

Additional Resources

Critical
PN1624 | Open Ports Vulnerability in Kinetix 5500 EtherNet/IP Servo Drive
Published Date:
May 11, 2023
Last Updated:
October 16, 2024
CVE IDs:
CVE-2023-1834
Products:
2198 Kinetix 5500 Drive
CVSS Scores (v3.1):
9.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

 

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 11, 2023

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
Kinetix 5500 manufactured between May 2022 and January 2023

*The manufacturing date of the drive is stated on the product label.		 v7.13 Customers should upgrade to versions v7.14 or later to close the ports, which mitigates this issue.

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-1834 IMPACT
Rockwell Automation was made aware that Kinetix® 5500 drives, manufactured between May 2022 and January 2023, and are running v7.13 may have the telnet and FTP ports open by default.

CVSS Base Score: 9.4/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CWE: CWE 284 Improper Access Control

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected drives are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customer to implement our suggested security best practices to minimize risk of the vulnerability.

Additional Resources

 

High
PN1621 | PN1621 | Arena® Simulation – Multiple Vulnerabilities
Published Date:
May 09, 2023
Last Updated:
May 09, 2023
CVE IDs:
CVE-2023-29460, CVE-2023-29462, CVE-2023-29461
Products:
Arena
CVSS Scores:
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 9, 2023

Affected Products

Affected Product (automated) First Known in Software Version Corrected in Software Version
Arena® Simulation Software V16.00 16.20.01

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-29460 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29461 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow in the heap.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29462 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow in the heap.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Additional Resources

Critical
PN1410 | PN1410 | FactoryTalk® Diagnostics Vulnerable to Remote Code Execution
Published Date:
April 10, 2023
Last Updated:
April 10, 2023
CVE IDs:
CVE-2020-6967
Products:
FactoryTalk Services Platform
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.3
Revision History
Version 1.0 – February 20, 2020. Initial Release
Version 1.1 – June 18, 2020. Pwn2Own Co-Discovery
Version 1.2 – February 10, 2023
Version 1.3 – April 10, 2023 – Added v6.31 Mitigations

Executive Summary

The Zero Day Initiative (ZDI), part of the information security company Trend Micro, reported a remote code execution (RCE) vulnerability in FactoryTalk® Services Platform to Rockwell Automation. Specifically, the vulnerability is found in the FactoryTalk Diagnostics subsystem, which provides customers the functionality to collect and view diagnostic messages from the FactoryTalk system for analysis and troubleshooting purposes.


FactoryTalk Diagnostics is utilized by many Rockwell Automation® products. We encourage customers to follow the steps provided to understand if they are affected.

Special thanks to rgod of 9sg working with ZDI to find this vulnerability. This vulnerability was co-discovered during the first ever Industrial Control Systems (ICS) Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI).

Affected Products

FactoryTalk Services Platform (v2.00 – v6.11)
The FactoryTalk Services Platform is delivered as part of the FactoryTalk suite of software from Rockwell Automation. Including most products branded FactoryTalk or Studio 5000® software.

Vulnerability Details

CVE-2020-6967: Remote Code Execution due to Vulnerable .NET Remoting Instance
FactoryTalk Diagnostics exposes a remote network port at tcp/8082, which may allow an attacker to execute arbitrary code with SYSTEM level privileges.

CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS Vector String: AV:N/AC:L/PR:N/UI:N/SC:U/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10268

Risk Mitigation & User Action

Rockwell Automation will resolve this vulnerability in the next release of the FactoryTalk Services Platform. Until then, customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the PN1354 - Industrial Security Advisory Index to stay notified.

Update: The vulnerability has been resolved with the release of FactoryTalk Services Platform V6.31.

Product Family Suggested Actions
FactoryTalk Services Platform V6.31
  • No actions are necessary:
    • Version supports use of Microsoft Windows Communication Foundation (WCF) which avoids the vulnerability.
    • Version supports use of .NET Remoting (system default) with connections restricted to a local port; mitigating the vulnerability.

Product Family

Suggested Actions

FactoryTalk Services Platform V2.00 – V6.11

We have provided guidance for customers affected by this vulnerability to assess whether the service is installed, and steps for implementing the recommended mitigations. Customers should consider implementing the following measures based on their needs:

  • Upgrade to FactoryTalk Services Platform V6.31.
  • Recommended action for versions that predate v6.20 upgrade to version 6.20 or later; this version restricts connection settings to only the local port. If it is not possible to update:
  • Alternately for versions 2.74, 2.80, 2.81, 2.90, 3.00, 6.10, or 6.11, install the patch at BF24822 - Patch: FactoryTalk Diagnostics Local Reader service connection settings restricted to local access only, FactoryTalk Services 6.11, 6.10, 3.00, 2.90, 2.80, 2.81, 2.74 to restrict connections settings to only the local port.
  • For versions that predate v2.74 it is recommended to upgrade to a more recent version.
  • Disable the Remote Diagnostics Service if this service is not in use. Disabling this service does not result in data loss.
  • If the service is in use, use Windows Firewall configuration to help prevent remote connection to the effected port.
  • Steps to perform both solutions can be found in Risk mitigation for FactoryTalk Diagnostics remoting endpoint.

Note: A Snort rule for this issue is available in Snort’s developer rules (sid: 32474).

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that .NET Remoting from unauthorized sources are blocked.
  • Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.
  • Consider implementing network security protocols for software systems, such as IPSec. Documentation is available in QA46277 - Deploying FactoryTalk Software with IPsec, outlining guidelines for implementing IPSec with FactoryTalk applications.

Software/PC-based Mitigation Strategies

  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available in QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations

  • Use trusted software, software patches antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the PN1354 - Industrial Security Advisory Index for Rockwell Automation.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

Additional Links

Critical
PN1618 | PN1618 | ThinManager Software Path Traversal and Denial-Of-Service Attack
Published Date:
March 21, 2023
Last Updated:
March 21, 2023
CVE IDs:
CVE-2023-27855, CVE-2023-27857, CVE-2023-27856, CVE-2023-28757
Products:
ThinManager
CVSS Scores:
7.5, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – March 21, 2023 – Initial Version

Executive Summary

A vulnerability was discovered by Tenable Security Researchers and reported to Rockwell Automation. The vulnerability was discovered in the ThinManager® ThinServer™ software. Successful exploitation of this vulnerability could allow an attacker to potentially perform remote code execution on the target or crash the software.

Customers using the products in scope are encouraged to evaluate the mitigations provided and apply them appropriately to their deployed products. See the additional details relating to the discovered vulnerabilities, including recommended countermeasures.

Affected Products

ThinManager ThinServer software Versions
6.x – 10.x
11.0.0 – 11.0.5
11.1.0 – 11.1.5
11.2.0 – 11.2.6
12.0.0 – 12.0.4
12.1.0 – 12.1.5
13.0.0-13.0.1

Vulnerability Details

CVE 2023-27855 ThinManager ThinServer Path Traversal Upload

CVSS Base Score: 9.8 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

In affected versions, a path traversal exists when processing a message. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker can overwrite existing executable files with attacker-controlled, malicious content, potentially causing remote code execution.

CVE 2023-27856 ThinManager ThinServer Path Traversal Download

CVSS Base Score: 7.5 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

In affected versions, a path traversal exists when processing a message of type 8. An unauthenticated remote attacker can exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.

CVE 2023-27857 ThinManager ThinServer Heap-Based Buffer Overflow

CVSS Base Score: 7.5/10 (High)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

In affected versions, a heap-based buffer over-read condition occurs when the message field indicates more data than is present in the message field. An unauthenticated remote attacker can exploit this vulnerability to crash ThinServer.exe due to a read access violation.

Risk Mitigation & User Action

Customers are directed towards the risk mitigations provided, and are encouraged, when possible, to combine these mitigations with the general security guidelines to employ multiple strategies simultaneously.
CVE-2023-27855
CVE-2023-27856
CVE-2023-27857		 First Known Affected Fixed Versions
6.x – 10.x These versions are retired. Please update to the supported version.
11.0.0 – 11.0.5 Update to v11.0.6
11.1.0 – 11.1.5 Update to v11.1.6
11.2.0 – 11.2.6 Update to v11.2.7
12.0.0 – 12.0.4 Update to v12.0.5
12.1.0 – 12.1.5 Update to v12.1.6
13.0.0 – 13.0.1 Update to v13.0.2

Additional Mitigations

If customers are unable to update to the patched version, the following mitigations should be put in place:
  • Limiting remote access to TCP port 2031 to known thin clients and ThinManager servers would limit some access to exploit this vulnerability.

For additional security best practices, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, to maintain the security posture of your environment.

References

Medium
PN1619 | Modbus TCP AOI Server Could Leak Sensitive Information
Published Date:
March 16, 2023
Last Updated:
October 16, 2024
CVE IDs:
CVE-2023-0027
Products:
1768/1769/5069 CompactLogix, 1756 ControlLogix
CVSS Scores (v3.1):
5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

 

Revision History
Revision Number
1.0
Revision History
Version 1.0 – March 16, 2023

Executive Summary

Rockwell Automation received a report from researchers at Veermata Jijabai Technological Institute of a vulnerability that was contained within the Modbus TCP Server Add-On Instructions (AOI) for ControlLogix® and CompactLogix™ controllers. This vulnerability may allow an unauthorized user to gain information when the Modbus TCP Server AOI accepts a malformed request.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • Modbus TCP Server Add-On Instruction (AOI) for ControlLogix and CompactLogix controllers, used to connect to other devices via Modbus TCP protocol. Rockwell Automation Sample Code Library ID:101037.
    • Customers who do not use the AOI with a controller are not impacted.
    • The Modbus TCP Client AOI, that is a part of this sample code library, does not have this vulnerability.

Vulnerability Details

CVE-2023-0027 Rockwell Automation Modbus TCP Server Add-On Instruction Could Leak Sensitive Information
While the Modbus TCP Server AOI is in use, an unauthorized user could potentially send a malformed message causing the controller to respond with a copy of the most recent response to the last valid request. If exploited, an attacker could read the connected device’s Modbus TCP Server AOI information. It is impossible to exploit this vulnerability without knowing the Modbus address of the last valid request.


CVSS v3.1 Base Score: 5.3/10[medium]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Risk Mitigation & User Action

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products.
Products Affected First Known Version Affected Corrected In
Modbus TCP Add-On Instructions (AOI) Sample Code 2.00.00 This issue has been mitigated in the following AOI versions: 2.04.00 and later

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines from Rockwell Automation.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

Disclaimer

This document is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this document is not intended to constitute application, design, software or other professional engineering advice or services. Before making any decision or taking any action, which might affect your equipment, you should consult a qualified professional advisor.

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS DOCUMENT AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL AUTOMATION BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOST PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAS BEEN ADVISED OFTHE POSSIBILITY OF SUCH DAMAGES.

ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. NOTE THAT CERTAIN JURISDICTIONS DO NOT COUNTENANCE THE EXCLUSION OF IMPLIED WARRANTIES; THUS, THIS DISCLAIMER MAY NOT APPLY TO YOU.

 

Medium
PN1554 | PN1554 | CompactLogix 5370 and ControlLogix 5570 Controllers Vulnerable to Denial of Service Conditions due to Improper Input Validation
Published Date:
February 07, 2023
Last Updated:
February 07, 2023
CVE IDs:
CVE-2020-6998
Products:
1769 Compact GuardLogix 5370, 1769 CompactLogix 5370
CVSS Scores:
5.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.2
Revision History
Version 1.0 – March 2, 2021. Initial Release
Version 1.2 – February 7, 2023 - Updated affected products and risk mitigations section

Executive Summary

CompactLogix™ 5370 and ControlLogix® 5570 Programmable Automation Controllers (PACs) contain a vulnerability in the connection establishment algorithm that could allow a remote, unauthenticated attacker to cause infinite wait times in communications with other products resulting in denial of service conditions. The Cybersecurity & Infrastructure Security Agency (CISA) reported this vulnerability to Rockwell Automation by way of an anonymous researcher.

Customers using the affected products are strongly encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.

Affected Products

The following products are affected:
  • CompactLogix 5370
  • Compact GuardLogix 5370
  • ControlLogix 5570
  • ControlLogix 5570 redundancy
  • GuardLogix 5570

Vulnerability Details

CVE-2020-6998: Improper Input Validation Causes Denial of Service Condition
The connection establishment algorithm found in CompactLogix 5370 and ControlLogix 5570 does not sufficiently manage its control flow during execution, creating an infinite loop. This may allow an attacker to send specially crafted CIP™ packet requests to a controller, which may cause denial of service conditions in communications with other products.

CVSS v3.1 Base Score: 5.8/10 [MEDIUM]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

CVE-2020-6998
Products Affected First Known Version Affected Corrected In
CompactLogix 5370
ControlLogix 5570
GuardLogix 5570
 20.011 33.011 and later
Compact GuardLogix 5370 28.011 33.011 and later
ControlLogix 5570 Redundancy 20.054 33.051 and later

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

General Mitigations
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).



ADDITIONAL LINKS

Critical
PN1616 | PN1616 | CVE-2019-5096 and CVE 2019-5097 Vulnerabilities Impact Multiple Products
Published Date:
January 27, 2023
Last Updated:
January 27, 2023
CVE IDs:
CVE-2019-5097, CVE-2019-5096
Products:
1768/1769/5069 CompactLogix, 1769 Compact I/O, 1732E ArmorBlock I/O, 1756 ControlLogix, 1769 CompactLogix Controllers, 1747 SLC 500, 1756/1769/5069/2080 Chassis-based I/O, 1769 Compact GuardLogix 5370, 1756/5069 GuardLogix
CVSS Scores:
7.5, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – January 27, 2023

Executive Summary

Rockwell Automation is aware of multiple products that utilize the GoAhead web server application and are affected by CVE 2019-5096 and CVE 2019-5097. Exploitation of these vulnerabilities could potentially have a high impact on the confidentiality, integrity and availability of the vulnerable devices. We have not received any notice of these vulnerabilities being exploited in Rockwell Automation products.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including impact and recommended countermeasures, are provided.

Affected Products

CVE -2019-5096 and CVE 2019-5097

Catalog Number Firmware Version
1732E-8CFGM8R/A 1.012
1732E-IF4M12R/A (discontinued) 1.012
1732E-IR4IM12R/A 1.012
1732E-IT4IM12R/A 1.012
1732E-OF4M12R/A 1.012
1732E-OB8M8SR/A 1.013
1732E-IB8M8SOER 1.012
1732E-8IOLM12R 2.011
1747-AENTR 2.002
1769-AENTR 1.001
5069-AEN2TR 3.011
1756-EN2TR/C <=11.001
1756-EN2T/D <=11.001
1756-EN2TSC/B (discontinued) 10.01
1756-EN2TSC/B 10.01
1756-HIST1G/A (discontinued) <=3.054
1756-HIST2G/A(discontinued) <=3.054
1756-HIST2G/B <=5.103

CVE 2019 -5097

Catalog Number Firmware Version
ControlLogix® 5580 controllers V28 – V32*
GuardLogix® 5580 controllers V31 – V32*
CompactLogix™ 5380 controllers V28 – V32*
Compact GuardLogix 5380 controllers V31 – V32*
CompactLogix 5480 controllers V32*
1756-EN2T/D 11.001*
1756-EN2TR/C 11.001*
1765–EN3TR/B 11.001*
1756-EN2F/C 11.001*
1756-EN2TP/A 11.001*

* The vulnerability is only exploitable via the Ethernet port. It is not exploitable via backplane or USB communications.

Vulnerability Details

Rockwell Automation was made aware of two third-party vulnerabilities that affect the GoAhead embedded web server. A critical vulnerability (CVE-2019-5096) exists in the way requests are processed by the web server. If exploited, a malicious user could potentially leverage this vulnerability to execute arbitrary code   by sending specially crafted HTTP requests to the targeted device.

Additionally, a denial-of-service (DoS) vulnerability (CVE-2019 5097) exists in the GoAhead web server. To exploit this vulnerability, a malicious user would have to send specially crafted HTTP requests and trigger an infinite loop in the process. If exploited, the targeted device could potentially crash.

CVE 2019-5096 EmbedThis GoAhead web server code execution vulnerability
CVSS Base Score:  9.8/10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE 2019-5097 EmbedThis GoAhead web server denial-of-service vulnerability
CVSS Base Score:  7.5/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

We encourage customers to apply the recommended mitigations, provided below.
Product Suggested Actions
1732E-8CFGM8R/A Refer to Additional Mitigations
1732E-IF4M12R/A Refer to Additional Mitigations
1732E-IR4IM12R/A Refer to Additional Mitigations
1732E-IT4IM12R/A Refer to Additional Mitigations
1732E-OF4M12R/A Refer to Additional Mitigations
1732E-OB8M8SR/A Refer to Additional Mitigations
1732E-IB8M8SOER Refer to Additional Mitigations
1732E-8IOLM12R Refer to Additional Mitigations
1747-AENTR Refer to Additional Mitigations
1769-AENTR Update to 1.003 or later
5069-AEN2TR (discontinued) Migrate to the 5069-AENTR
1756-EN2T/D Update to 11.002 or later
1756-EN2TR/C Update to 11.002 or later
1756-EN3TR/B Update to 11.002 or later
1756-EN2F/C Update to 11.002 or later
1756-EN2TP/A Update to 11.002 or later
1756-EN2TSC/B Refer to Additional Mitigations
1756-HIST1G/A (discontinued) Update to series B v5.104 or C 7.100 or later
1756-HIST2G/A (discontinued) Update to series B v5.104 or C 7.100 or later
1756-HIST2G/B Update to 5.104 or later
1756-EN2F/C Update to 11.002 or later
ControlLogix 5580 controllers Update to V32.016 or later
GuardLogix 5580 controllers Update to V32.016 or later
CompactLogix 5380 controllers Update to V32.016 or later
Compact GuardLogix 5380 controllers Update to V32.016 or later
CompactLogix 5480 Update to V32.016 or later

Additional Mitigations

If updating firmware is not possible or unavailable, we recommend the following compensating controls to help minimize risk of the vulnerability.
  • Disable the web server, if possible. Please review the corresponding product user manual for instructions, which can be found in the Rockwell Automation Literature Library.
    • For 1732E, upgrade to the latest firmware to disable the web server.
  • Configure firewalls to disallow network communication through HTTP/Port 80.
Please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, for more recommendations about maintaining the security posture of your environment.

References

High
PN1613 | PN1613 | Product Notice 1613: Logix Controllers Vulnerable to a Denial-of-Service Vulnerability
Published Date:
January 25, 2023
Last Updated:
January 25, 2023
CVE IDs:
CVE-2022-3157
Products:
1756-L71S, Standard Controllers, 1756-L72S, 1756-L73S, 1769 CompactLogix 5370
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.2
Revision History
Version 1.0 – December 15, 2022
Version 1.1 – January 17, 2022 – Updated risk mitigation section
Version 1.2 – January 25, 2023 – Updated risk mitigation section

Executive Summary

Rockwell Automation was made aware of a denial-of-service vulnerability that impacts several versions of our GuardLogix® and ControlLogix® controllers. Exploitation of this vulnerability could potentially lead to degradation in availability of the controller and/or a possible major non-recoverable fault (MNRF).

Customers using affected software versions are encouraged to evaluate the mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • CompactLogix™ 5370
  • Compact GuardLogix 5370
  • ControlLogix 5570
  • ControlLogix 5570 redundancy
  • GuardLogix 5570

Vulnerability Details

CVE-2022-3157 Controllers vulnerable to Denial-of-Service Condition
A vulnerability exists in the Rockwell Automation controllers that allows a malformed CIP™ request to cause a major non-recoverable fault (MNRF) and a denial-of-service condition (DOS).

CVSS Base Score:  8.6/10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the products. Customers are also directed towards the risk mitigations and are encouraged, when possible, to combine these with QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.

Products Affected

First Known Version Affected

Corrected In
CompactLogix 5370
ControlLogix 5570
GuardLogix 5570
 20.011
  • 33.013
  • 34.011 and later
Compact GuardLogix 5370 28.011
  • 33.013
  • 34.011 and later
ControlLogix 5570 Redundancy 20.054
  • 33.052
  • 34.051 and later

Reference

High
PN1614 | PN1614 | Studio 5000 Logix Emulate Vulnerable to a SMB Insecurely Configuration Vulnerability
Published Date:
December 22, 2022
Last Updated:
December 22, 2022
CVE IDs:
CVE-2022-3156
Products:
RSLogix Emulate 5000 / Studio 5000 Logix Emulate
CVSS Scores:
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 22, 2022

Executive Summary

Rockwell Automation was made aware of a misconfiguration vulnerability that affects Studio 5000® Logix Emulate™. Exploitation of this vulnerability could potentially allow a malicious user to perform a remote code execution that could impact the confidentiality, integrity and availability of the software.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

Studio 5000 Logix Emulate v.20 – 33

Vulnerability Details

CVE-2022-3156 Studio 5000 Logix Emulate SMB™ misconfiguration vulnerability
Users are granted elevated permissions on select product services. Due to this misconfiguration, a malicious user could potentially achieve remote code execution on the targeted software.

CVSS Base Score:  7.8/10 (High)
CVSS:3.1/ AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the products. Customers are also directed towards the risk mitigations provided and are encouraged, when possible, to combine these with QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.
Vulnerabilities Product Suggested Actions
CVE-2022-3156 Studio 5000 Logix Emulate Customers should upgrade to version 34.00 or later to mitigate this issue.

References

High
PN1611 | MicroLogix 1100 and 1400 Product Web Server Application Vulnerable to Denial-Of-Service Condition Attack
Published Date:
December 13, 2022
Last Updated:
October 16, 2024
Products:
1763 MicroLogix 1100, 1766 MicroLogix 1400
CVSS Scores (v3.1):
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

 

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 13, 2022

Executive Summary

Rockwell Automation received a vulnerability report from security researchers at Veermata Jijabai Technological Institute (VJTI). If exploited, this vulnerability could cause a denial-of-service condition in the web server application on the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided below. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 B/C v. 21.007 and below
  • MicroLogix™ 1400 A v. 7.000 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the webserver of the Micrologix-1400 B PLC contains a vulnerability that may lead to a denial-of-service condition. The security vulnerability could be exploited by an attacker with network access to the affected systems by sending TCP packets to webserver and closing it abruptly which would cause a denial-of-service condition for the web server application on the device.

(CVE 2022-3166) MicroLogix Controllers Vulnerable to Clickjacking Attack
CVSS Base Score: 7.5 /10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device)
  • Configure firewalls to disallow network communication through HTTP/Port 80
  • Upgrade to the MicroLogix 800 or MicroLogix 850 as this device does not have the web server component
If applying the mitigations noted above are not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.
 
Additional Resources

 

High
PN1612 | MicroLogix 1100 and 1400 Web Server Application Vulnerable to Cross Site Scripting Attack
Published Date:
December 13, 2022
Last Updated:
October 16, 2024
Products:
1763 MicroLogix 1100, 1766 MicroLogix 1400
CVSS Scores (v3.1):
8.2
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

 

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 13, 2022

Executive Summary

Rockwell Automation received a vulnerability report from a security researcher from Georgia Institute of Technology. If exploited, this vulnerability could allow an attacker to submit remote code in the web server application on the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided below. We have not received any notice of this vulnerability previously being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 B/C v. 21.007 and below
  • MicroLogix™ 1400 A v. 7.000 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the MicroLogix 1100 and 1400 controllers contain a vulnerability that may give an attacker the ability to accomplish remote code execution.  The vulnerability is an unauthenticated stored cross-site scripting vulnerability in the embedded webserver. The payload is transferred to the controller over SNMP and is rendered on the homepage of the embedded website.

(CVE 2022-46670) MicroLogix Controllers Vulnerable to Cross-Site Scripting Attack
CVSS Base Score: 8.2 /10 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device).
  • Configure firewalls to disallow network communication through HTTP/Port 80
  • Upgrade to the Micro800 family as this device does not have the web server component.

If applying the mitigations noted above are not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.
 
Additional Resources

 

High
PN1609 | Logix Controllers Vulnerable to Denial-of-Service Attack
Published Date:
December 06, 2022
Last Updated:
October 16, 2024
CVE IDs:
CVE-2022-3752
Products:
1756-L83ES, Standard Controllers, 1756-L84ES, 1756-L81ES, 5069 CompactLogix, 1756-L82ES, 5069 Compact GuardLogix 5380
CVSS Scores (v3.1):
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
More Details Less Details Chevron DownChevron Down

 

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 6, 2022

Executive Summary

Rockwell Automation discovered a vulnerability within our Logix Controllers.  This vulnerability may allow an unauthorized user to cause a denial of service on a targeted device.  Customers using affected versions of this firmware are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • CompactLogix 5380 controllers
  • Compact GuardLogix® 5380 controllers
  • CompactLogix 5480 controllers
  • ControlLogix 5580 controllers
  • GuardLogix 5580 controllers

Vulnerability Details

CVE-2022-3752 Rockwell Automation Logix Controllers are Vulnerable to a Denial-of-Service Attack
An unauthorized user could use a specially crafted sequence of Ethernet/IP messages, combined with heavy traffic loading  to cause a denial-of-service condition resulting in a major non-recoverable fault. If the target device becomes unavailable, a user would have to clear the fault and redownload the user project file to bring the device back online and continue normal operation.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.
Products Affected First Known Version Affected Corrected In
CompactLogix 5380 Compact GuardLogix 5380 ControlLogix 5580 GuardLogix 5580 This vulnerability is present in firmware version 31.011 and later This issue has been mitigated in the following firmware versions:
  • 32.016 and later for versions 32
  • 33.015 and later for versions 33
  • 34.011 and later
Customers should upgrade to a version listed above to mitigate this vulnerability
CompactLogix 5480 This vulnerability is present in firmware version 32.011 and later

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines Article in our Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

ADDITIONAL LINKS

 

Medium
PN1608 | FactoryTalk Live Data Communication Module Vulnerable to Man-In-The-Middle Attack
Published Date:
December 01, 2022
Last Updated:
October 16, 2024
Products:
LiveData
CVSS Scores (v3.1):
5.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

 

Revision History
Revision Number
1.0
Revision History
Version 1.0 – December 1, 2022

Executive Summary

Rockwell Automation received a report from Guidepoint Security regarding a security vulnerability discovered within the FactoryTalk® Live Data Communication Module contained within the FactoryTalk Services Platform. Due to the use of a cleartext protocol in this module, malicious actors could conduct Address Resolution Protocol spoofing resulting in loss of integrity of the traffic. This could allow the attacker to view and modify unauthorized packets and potentially deceive the user into seeing false data on the human machine interface.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the issue, including affected products and recommended countermeasures, are provided.

Affected Products

FactoryTalk LiveData Communication Module (Contained within FactoryTalk Services Platform) - All versions

Vulnerability Details

FactoryTalk LiveData Communication Module vulnerable to man-in-the-middle attack
An unauthenticated attacker with network access can accomplish a man-in-the-middle attack utilizing the clear text protocol of the FactoryTalk LiveData Communication Module and modify traffic leading to a complete loss of integrity for the products affected by the vulnerability.  This condition could result in the operator at the human machine interface seeing manipulated data on the screen potentially breaking the integrity of the data that is seen.

CVSS v3.1 Base Score: 5.9/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Risk Mitigation & User Action

Customers using the affected software are encouraged to setup the secondary mitigation as described below that addresses the associated risk.  Customers are also directed towards general risk mitigation strategies provided in the QA43240 - Recommended Security Guidelines from Rockwell Automation in our Knowledgebase.

Suggested Actions

Customers should setup IPsec to mitigate this issue as detailed in the QA46277 - Deploying FactoryTalk Software with IPsec Knowledgebase article.

General Security Guidelines

If customers are unable to implement IPsec, it is recommended that the below guidelines be adhered to as they provide strong mitigations against this type of attack.

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls to help ensure that unused or unnecessary protocols from unauthorized sources are blocked. For more information on TCP/UDP ports and protocols used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCPUDP Ports Used by Rockwell Automation Products.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • Consult the product documentation for specific features, (e.g. hardware keyswitch settings) which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances.

General security guidelines can be found in the QA43240 - Recommended Security Guidelines from Rockwell Automation in our Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

 

Critical
PN1576 | PN1576 | FactoryTalk® Activation Manager and Studio 5000 Logix Designer® contain Wibu Codemeter vulnerabilities.
Published Date:
November 17, 2022
Last Updated:
November 17, 2022
CVE IDs:
CVE-2021-20094, CVE-2021-20093, CVE-2021-41057
Products:
FactoryTalk Activation, RSLogix 5000 / Studio 5000 Logix Designer
CVSS Scores:
7.5, 9.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 6, 2021
Revision History
Revision Number
2.0
Revision History
Version 2.0 - August 11, 2021 – Removed modified score
Revision History
Revision Number
3.0
Revision History
Version 3.0 – November 22, 2022

Executive Summary

Rockwell Automation is impacted by advisory ICSA-21-210-02 which contains two vulnerabilities targeting Wibu-Systems AG.  These vulnerabilities impact FactoryTalk® Activation Manager and Studio 5000 Logix Designer®. If successfully exploited, these vulnerabilities may allow the reading of data from the heap of the CodeMeter Runtime network server or result in a crash of the CodeMeter Runtime Server (i.e., CodeMeter.exe).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • FactoryTalk® Activation Manager v4.00 to v4.05.02
    • Includes Wibu-Systems AG CodeMeter v7.20a and earlier
  • Studio 5000 Logix Designer® v23.00.01 to v33.00.02

Vulnerability Details

CVE-2021-20093: CWE-126

FactoryTalk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems AG CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime Network Server to send back packets containing data from the heap.


Wibu-Systems AG score:

CVSS v3.1 Base Score: 9.1/10 Critical
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2021-20094: CWE-126

Factory Talk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime CmWAN server to send back packets containing data from the heap

Wibu-Systems AG score:

CVSS v3.1 Base Score: 7.5/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

-------------------UPDATE: 22 Nov 2022----------------------

CVE-2021-41057: CWE-269

A local attacker could cause a Denial of Service by overwriting existing files on the affected system.

Wibu-Systems AG Score:
CVSS V3.1 Base Score: 7.1/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Risk Mitigation & User Action

Customers using the affected FactoryTalk® Activation Manager and/or Studio 5000 Logix Designer® are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Suggested Actions
CVE-2021-20093 Update to Factory Talk Activation Manager 4.05.03 or later
For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center, Standard Views -> Software Latest Versions -> FactoryTalk Activation
CVE-2021-20094 Update to Factory Talk Activation Manager 4.05.03 or later
CVE-2021-41057 Update to Factory Talk Activation Manager 4.06.11 or later

Customers may update Wibu-Systems CodeMeter independently for FactoryTalk Activation Manager or Studio 5000 Logix Designer® by installing Wibu-Systems CodeMeter AG v7.30a.  Please refer to this support page to determine if Wibu-Systems CodeMeter AG v7.30a is compatible with the installed versions of Rockwell Automation software.

During installation, Rockwell Automation products bind CodeMeter Runtime to the Local Host adapter and the Network Server and CmWAN Server ports are disabled.  Therefore, if the default installation is not modified, Rockwell Automation software is not susceptible to these vulnerabilities over a network connection.  Default port 22350 is required if activation licenses are hosted from the machine.

Customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that Wibu CodeMeter Network Server and CmWAN Server (Default Port# 22350/TCP and 22351/TCP) are blocked from unauthorized sources.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to UDP Port# 2222 (CIP), TCP/UDP Port# 44818 (CIP), and TCP/UDP Port# 2221 (CIP Security) using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Critical
PN1508 | Treck Ripple20 TCP/IP Vulnerabilities Affect Multiple Rockwell Automation Products
Published Date:
November 01, 2022
Last Updated:
November 20, 2024
CVE IDs:
CVE-2020-11914, CVE-2020-11910, CVE-2020-11901, CVE-2020-11907, CVE-2020-11911, CVE-2020-11912, CVE-2020-25066, CVE-2020-11906
Products:
Flex I/O, 1408 PowerMonitor 1000, 1732E ArmorBlock I/O, 1426 PowerMonitor 5000
CVSS Scores (v3.1):
9.8, 9.1, 5.0, 3.7, 3.1
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

 

Revision Number

6.0

Revision History
Version 6.0 – August 13,  2024. Updated affected products list and user actions
Version 5.0 – November 1, 2022. Added patch information for additional products
Version 4.0 – May 17, 2022. Updated patch information for PowerFlex 755T and 6000T
Version 3.0 – February 9, 2021. Updated for ICSA-20-353-01.
Version 2.1 - January 13, 2021. Updated to reflect additional disclosure.
Version 2.0 - July 15, 2020. Updated table to reflect affected products and versions.
Version 1.0 - June 16, 2020. Initial Release.

Executive Summary

Treck, a real-time embedded Internet Protocol software vendor, reported several vulnerabilities (named "Ripple20") to Rockwell Automation that were discovered by security researchers at JSOF, a security vendor and research organization.  The embedded TCP/IP stack (versions earlier than 6.0.1.66) from Treck is used by many different technology vendors including Rockwell Automation. These vulnerabilities, if successfully exploited, may result in remote code execution, denial-of-service, or sensitive information disclosure.

Begin Update 3.0
On December 18, 2020, Treck reported four additional vulnerabilities that were discovered by security researchers at Intel. The following components of the embedded TCP/IP stack (versions 6.0.1.67 and prior) are affected: HTTP Server, IPv6, and DCHPv6. These vulnerabilities, if successfully exploited, may result in denial-of-service conditions or remote code execution.
End Update 3.0

Since this disclosure is part of a large multi-party coordination effort with the CERT/CC 
and ICS-CERT, not every vulnerability reported by Treck impacts Rockwell Automation. Please see the table under Affected Products for a full list of the affected Rockwell Automation products and the corresponding CVE ID.


Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

Affected Product Family Affected Versions CVE-2020-XXXXX
11896
 11897 11898 11899 11900 11901 11902 11903 11904 11905 11906 11907 11908 11909 11910 11911 11912 11913 11914
5094-AEN2SFPR/XT
5094-AEN2TR/XT
5094-AENSFPR/XT
5094-AENTR/XT

 1.011-4.011           X         X X     X X X    
5069-AENTR 3.011-4.011           X         X X     X X X    
1734-AENT/R 4.001- 6.012           X         X X     X X X    
1738-AENT/R 4.001- 6.012           X         X X     X X X    
1732E-16CFGM12R
 1732E-8X8M12DR
 1732E-IB16M12DR
1732E-IB16M12R
 1732E-OB16M12DR
 1732E-OB16M12R		 2.011-2.012           X         X X     X X X    
1791ES-ID2SSIR 1.001                                      
1799ER-IQ10XOQ10 2.011           X         X X     X X X    
1794-AENTR/XT 1.011-1.017           X         X X     X X X    
1732E-12X4M12QCDR
 1732E-16CFGM12QCR
 1732E-16CFGM12QCWR
 1732E-12X4M12P5QCDR
 1732E-16CFGM12P5QCR
 1.011-1.015           X         X X     X X X    
1732E-16CFGM12P5QCWR
 1.011-2.011           X         X X     X X X    
PowerMonitor 5000 4.19           X         X X     X X X   X
PowerMonitor 1000 4.10           X         X X     X X X   X
ArmorStart® ST+ Motor Controller 1.001           X         X X     X X      
Kinetix 5500 All*           X         X X     X X X    
Kinetix® 5700 All*           X         X X     X X X    
Kinetix 5100 1.001           X         X X     X X X    
PowerFlex 755T
PowerFlex 6000T		 All*           X         X X     X X      
CIP Safety Encoder All*           X         X X     X X      

Begin Update 3.0:
Affected Product Family Affected Versions CVE
1734-AENT/R 4.001- 6.012 CVE-2020-25066
1738-AENT/R 4.001- 6.012 CVE-2020-25066
1794-AENTR
1794-AENTR/XT		 1.011- 1.017 CVE-2020-25066
1732E-16CFGM12R
1732E-8X8M12DR
1732E-IB16M12DR
1732E-IB16M12R
1732E-OB16M12DR
1732E-OB16M12R		 2.011-2.012 CVE-2020-25066
1799ER-IQ10XOQ10 2.011 CVE-2020-25066
1732E-12X4M12QCDR
1732E-16CFGM12QCR
1732E-16CFGM12QCWR
1732E-12X4M12P5QCDR
1732E-16CFGM12P5QCR		 1.011-1.015 CVE-2020-25066
1732E-16CFGM12P5QCWR 1.011-2.011 CVE-2020-25066
PowerMonitor 5000 4.19 CVE-2020-25066
PowerMonitor 1000 4.10 CVE-2020-25066
End Update 3.0

 

Begin Update 6.0

 

 

Affected Product Family

 

 

 

 

Affected Versions

 

 

 

 

CVE

 

 

 

 

PowerFlex 527

 

 

 

 

all

 

 

 

 

CVE-2020-25066

 

 

End Update 6.0

 

Vulnerability Details

Begin Update 3.0:
CVE-2020-25066
A vulnerability in the Treck HTTP Server components allow an attacker to cause denial-of-service condition. This vulnerability may also result in arbitrary code execution.

CVSSv3.1 Score: 9.8/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
End Update 3.0


CVE-2020-11901
There is an improper input validation issue in the DNS resolver component when handling a sent packet. A remote, unauthenticated attacker may be able to inject arbitrary code on the target system using a maliciously crafted packet.

CVSSv3.1 Score: 9.1/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2020-11906
There is an improper input validation issue in the Ethernet Link Layer component. An adjacent, unauthenticated attacker can send a malicious Ethernet packet that can trigger an integer underflow event leading to a crash or segment fault on the target device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11907
There is an improper handling of length parameter consistency issue in the TCP component. A remote, unauthenticated, attacker can send a malformed TCP packet that can trigger an integer underflow event leading to a crash or segmentation fault on the device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11910
There is an improper input validation issue in the ICMPv4 component. A remote, unauthenticated attacker can send a malicious packet that may expose data present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11911
There is an improper access control issue in the ICPMv4 component. A remote, unauthenticated attacker can send a malicious packet that can lead to higher privileges in permissions assignments for some critical resources on the destination device.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2020-11912
There is an improper input validation issue in the IPv6 component. A remote, unauthenticated attacker can send a malicious packet that may expose some data that is present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11914
There is an improper input validation issue in the ARP component. An unauthenticated, local attacker can send a malicious Layer-2 ARP packet that could lead to unintended exposure of some sensitive information on the target device.

CVSSv3.1 Score: 3.1/LOW
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Update 2.1: Rockwell Automation is aware of the additional Treck TCP/IP Stack vulnerabilities disclosed (ICSA-20-353-01). Potential impact of these vulnerabilties is currently being investigated and this advisory will be updated when the investigation concludes.

Risk Mitigation & User Action

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.
CVE Suggested Actions

CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11914

 For successful exploitation, these vulnerabilities require malformed TCP/IP packets to reach the destination device and an active network connection. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies.

The CERT/CC has provided IDS rules to support additional mitigations for these vulnerabilities. These rules can be found on their Github page.

ICS-CERT has provided additional network mitigations in their public disclosure.

Begin Update 3.0:
CVE Suggested Actions
CVE-2020-25066 Follow suggested actions above and, when possible, implement firewall rules to filter out packets that contain a negative content length in the HTTP header.

ICS-CERT has provided additional network mitigations in their public disclosure.
End Update 3.0


Available Fixes:

Update 4.0 May 17, 2022
CVE Affected Product Suggested Actions
CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912		 5069-AENTR Apply firmware v4.012 or later (Download).
CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912		 5094-AEN2SFPR/XT
5094-AEN2TR/XT
5094-AENSFPR/XT
5094-AENTR/XT		 Apply firmware v5.012 or later (Download).
CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11914		 Kinetix 5700 Apply v13 or later (Download).
CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912		 PowerFlex 755T
PowerFlex 6000T		 Apply 6.005 or later for PF755T.  Apply R8 or later for PF6000T. (Download)

Update 5.0 November 1, 2022
CVE Affected Product Family Suggested Actions
CVE-2020-25066 1734-AENT/R Apply firmware 7.011 or later.
1738-AENT/R Apply firmware 6.011 or later.
1794-AENTR
1794-AENTR/XT		 Apply firmware 2.011 or later.
1732E-16CFGM12R
1732E-8X8M12DR
1732E-IB16M12DR
1732E-IB16M12R
1732E-OB16M12DR
1732E-OB16M12R		 Apply firmware 3.011 or later.
1799ER-IQ10XOQ10 Apply firmware 3.011 or lter.
1732E-12X4M12QCDR
1732E-16CFGM12QCR
1732E-16CFGM12QCWR
1732E-12X4M12P5QCDR
1732E-16CFGM12P5QCR		 Apply firmware 3.011 or later.
1732E-16CFGM12P5QCWR Apply firmware 3.011 or later.

Update Begin 6.0

 

 

CVE-2020-25066    

 

 

 

 

   PowerFlex 527            

 

 

 

 

 

 

Follow suggested actions above

and, when possible, implement

firewall rules to filter out packets

that contain a negative content

length in the HTTP header.

 

 

 

 

 

 

 

 

End Update Begin 6.0

 

General Security Guidelines

 Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that ICMPv4, TCP, ARP and DNS traffic originating from unauthorized sources is blocked.
  • Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.

Software/PC-based Mitigation Strategies
  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk.  Information on using AppLocker with Rockwell Automation® products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations
Use trusted software, software patches antivirus/antimalware programs and interact only with trusted websites
and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS

 

PN1607 | PN1607 | New Open SSL Vulnerability
Published Date:
October 31, 2022
Last Updated:
October 31, 2022
Products:
FactoryTalk View
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Executive Summary

Rockwell Automation is aware of and currently monitoring the Open SSL vulnerability that was initially announced on Tuesday, October 25th. On Tuesday, November 1st the full vulnerability details were disclosed, and a patch was made available by the vendor. As part of our commitment to transparency and to protecting our customers’ security, we are evaluating all Rockwell products for this third-party vulnerability. If any products are affected by this vulnerability, we will provide an update to this notification. We look forward to working with our customers to satisfy any concerns they may have.

High
PN1601 | PN1601 | Stratix Products Vulnerable to Multiple Vulnerabilities
Published Date:
October 27, 2022
Last Updated:
October 27, 2022
CVE IDs:
CVE-2020-3209, CVE-2020-3200, CVE-2021-1385, CVE-2020-3516, CVE-2021-1446
Products:
Stratix 5400 Industrial Ethernet Switch, Stratix 5800 Switch, Stratix 5410 Ind Distribution Switch
CVSS Scores:
6.8, 7.2, 8.8, 6.5, 7.7, 8.6, 4.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision History
Version 1.0 –October 27,2022

Executive Summary

Rockwell Automation is aware of  multiple vulnerabilities that impact Cisco IOS® XE and Cisco IOS software contained within Stratix® devices. Exploitation of these vulnerabilities could potentially lead to, but are not limited to, a denial-of-service condition and remote code execution.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • Stratix 5800 Switches
  • Stratix 5400/5410 Switches

Vulnerability Details

CVE 2020-3229 - Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
CVSS Base Score 8.8/10 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The administrator GUI lacks correct handing of RBAC, which may allow a malicious user to send modified HTTP requests to the targeted device. If exploited, a read-only remote attacker could potentially execute commands or configuration changes as the administrator user.

CVE 2020-3219 - Cisco IOS XE Software Web UI Command Injection Vulnerability
CVSS Base Score 8.8/10 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Due to insufficient validation of user input, this vulnerability could allow a malicious user to inject custom input into the web UI. If exploited, a remote attacker could potentially execute arbitrary code with administrative privileges on the operating system.

CVE-2021-1446 - Cisco IOS XE Software DNS NAT Protocol Application Layer Gateway Denial-of-Service Vulnerability
CVSS Base Score 8.6/10 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

A vulnerability in the DNS application layer gateway (ALG) functionality used by Network Address Translation (NAT) in Cisco IOS XE software could allow an unauthenticated, remote attacker to cause an affected device to reload.

CVE 2020-3200 - Cisco IOS and IOS XE Software Secure Shell Denial-of-Service Vulnerability
CVSS Base Score 7.7/10 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

A vulnerability in the Secure Shell (SSH) server code of Cisco IOS software and Cisco IOS XE software could allow an authenticated, remote attacker to cause an affected device to reload.

CVE 2020-3211 - Cisco IOS XE Software Web UI Command Injection Vulnerability
CVSS Base Score 7.2/10 (High)
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Due to improper input sanitization, this vulnerability could allow a malicious user with administrative privileges to submit specially crafted input in the web UI. If exploited, a remote attacker could potentially execute arbitrary commands with root privileges on the operating system.

CVE 2020-3218 - Cisco IOS XE Software Web UI Remote Code Execution Vulnerability
CVSS Base Score 7.2/10 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Due to improper validation of user supplied input, a malicious user could potentially create a file on the target device and upload a second malicious file to the device. If exploited, a user could execute arbitrary code with root privileges on the underlying Linux shell.

CVE-2020-3209 - Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability
CVSS Base Score 6.8/10 (Medium)
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The root cause of this vulnerability is an improper check on the area code that manages the verification of the digital signatures of the system files during the initial boot process. If exploited, a malicious user could potentially install and boot malicious software image or execute unsigned binaries on the targeted device. A malicious user could exploit this vulnerability by loading unsigned software on the affected device.

CVE-2021-1385 - Cisco IOx Application Environment Path Traversal Vulnerability
CVSS Base Score 6.5/10 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to conduct directory traversal attacks and read and write files on the underlying operating system or host system.

CVE 2020-3516 – Cisco IOS XE Software Web UI Improper Input Validation Vulnerability
CVSS Base Score 4.3/10 (Medium)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

A vulnerability in the web server authentication of Cisco IOS XE Software could allow an authenticated, remote attacker to crash the web server on the device.

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the Stratix 5800 switch. Customers are also directed towards the risk mitigations provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected Vulnerabilities Suggested Actions
Stratix 5800 switches CVE-2020-3209 Update to Stratix 5800 v.17.04.01 or later
CVE 2020-3211
CVE 2020-3218
CVE 2020-3229
CVE 2020-3219
CVE-2020-3516
CVE 2021-1385
CVE-2021-1446
Stratix 5800 switches CVE-2020-3200 Update to v16.12.01 or later
Stratix 5400/5410 switches CVE-2020-3200 Update to v15.2(7)E2 or later

Additionally, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, for additional recommendations to maintain the security posture of your environment.

References

High
PN1605 | FactoryTalk Alarm and Events Server Vulnerable to Denial-Of-Service Attack
Published Date:
October 27, 2022
Last Updated:
October 16, 2024
CVE IDs:
CVE-2022-38744
Products:
FactoryTalk View SE, Studio 5000 View Designer
CVSS Scores (v3.1):
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

 

Revision History
Revision History
Version 1.0 – October 27, 2022

Executive Summary

Rockwell Automation received a report from Kaspersky Labs regarding one vulnerability in FactoryTalk® Alarms and Events servers. If successfully exploited, these vulnerabilities may result in a denial-of-service condition causing the server to be unavailable.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided.

Affected Products

FactoryTalk Alarms and Events server – All versions

Vulnerability Details

CVE-2022-38744 FactoryTalk Alarm and Events server vulnerable to denial-of-service attack
An unauthenticated attacker with network access to a victim's FactoryTalk service could open a connection, causing the service to fault and become unavailable. The affected port can be used as a server ping port and use messages structured with XML.

CVSS v3.1 Base Score: 7.5/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to set up the secondary mitigation as described below that addresses the associated risk. Customers are also directed towards general risk mitigation strategies provided in QA43240 - Recommended Security Guidelines from Rockwell Automation , in our Knowledgebase.
Vulnerability Suggested Actions
CVE-2022-38744 Customers should set up IPsec to mitigate this issue as detailed in QA46277 - Deploying FactoryTalk Software with IPsec

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines from Rockwell Automation .

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

 

Critical
PN1606 | PN1606 | Factory Talk VantagePoint Software Broken Access Control and Input Validation Vulnerability
Published Date:
October 07, 2022
Last Updated:
October 07, 2022
CVE IDs:
CVE-2022-3158, CVE-2022-38743
Products:
FactoryTalk Linx OPC UA Connector
CVSS Scores:
9.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – October 06,2022

Executive Summary

Rockwell Automation is aware of a broken access control and input validation vulnerability. If exploited, this vulnerability could potentially lead to a high impact on the confidentiality, a low impact on the integrity, and the availability of FactoryTalk® VantagePoint® software.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

FactoryTalk VantagePoint software v. 8.0, 8.10, 8.20, 8.30, 8.31

Vulnerability Details

CVE 2022-38743 FactoryTalk VantagePoint Software Broken Access Control Vulnerability
As a part of our commitment to security, Rockwell Automation performs routine testing and vulnerability scanning to maintain the security posture of products. Due to penetration testing, we discovered a broken access control vulnerability. The FactoryTalk VantagePoint SQLServer account could allow a malicious user with read-only privileges to execute SQL statements in the back-end database.

CVE 2022-38743
CVSS Base Score:  9.9/10 (Critical)
CVSS:3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE 2022-3158 FactoryTalk VantagePoint Software Input Validation Vulnerability
Additionally, the device lacks input validation when users enter SQL statements to retrieve information from the back-end database. This vulnerability could potentially allow a user with basic user privileges to perform remote code execution on the server.

CVE 2022-3158
CVSS Base Score:  9.9/10 (Critical)
CVSS:3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are encouraged to apply the following configurable risk mitigations to help reduce the risk associated with this vulnerability. We also recommend customers combine risk mitigations with security best practices to employ a defense in depth approach.
Mitigation A Update to FactoryTalk VantagePoint V8.00/8.10/8.20/8.30/8.31 or later.
BF28452 - Patch: Multiple issues, FactoryTalk VantagePoint 8.00/8.10/8.20/8.30/8.31
Mitigation B If customers are unable to update the firmware, we suggest customers configure the database to follow the least privilege principle.

Additional Links

High
PN1595 | PN1595 | OpenSSL Infinite Loop in Rockwell Automation Products
Published Date:
September 23, 2022
Last Updated:
January 28, 2025
CVE IDs:
CVE-2022-0778
CVSS Scores:
7.5, 4.9
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

 

Revision History
Version 1.2 - 28-Jan-2025, Updated Impacted Products (Stratix 4300)
Version 1.1 – 8-Sept-2022, Updated Suggested Actions

Executive Summary

Rockwell Automation received a report on a new vulnerability within OpenSSL, which is used within some of our products. This vulnerability can lead to a denial-of-service within the affected products if successfully launched by an attacker.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • ThinManager® software (Versions 12.0.0 - 12.0.2, 12.1.0 - 12.1.3)
  • FactoryTalk® Linx Gateway (Version 6.30 and earlier)
  • Factory Talk Linx OPC UA Connector (Version 6.30 and earlier)
  • Factory Talk View (Version 11.00 - Version 13.00)
  • Stratix 4300 (Versions 4.0.1.117 and earlier)

Vulnerability Details

CVE-2022-0778 Open SSL allows for an infinite loop

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-0778 Open SSL allows for an infinite loop (*This CVE score only applies to ThinManager)

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

Administrator privileges are needed for this attack to be successful on ThinManager Software.

CVSS v3.1 Base Score: 4.9/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Products Affected

Suggested Actions

ThinManager

This issue has been patched.  Customers should follow the patch instructions as follows:
If using v12.0.0-12.0.2 >> Download v12.0.3
If using v12.1.0-12.1.3 >> Download v12.1.4

Factory Talk Linx Gateway

Customers should view BF28103 - Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.

Factory Talk Linx OPC UA Connector

Customers should view BF28103 - Everyone Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.

Factory Talk View

Customers should view BF28297 - Patch: Open SSL Vulnerability, FactoryTalk View 11.0, 12.0, 13.0 to install the update that mitigates the issue.

Stratix 4300

The issue has been patched. Customers should upgrade to v4.0.2.101

Download Center
 
If an upgrade is not possible or available, customers should consider implementing the following mitigations:
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Additional Links

 

High
PN1604 | PN1604 | ThinManager Software Vulnerable to Arbitrary Code Execution and Denial-Of-Service Attack
Published Date:
September 22, 2022
Last Updated:
September 22, 2022
CVE IDs:
CVE-2022-38742
Products:
ThinManager
CVSS Scores:
8.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision History
Version 1.0 – September 22, 2022 – Initial Version

Executive Summary

A vulnerability was discovered by rgod working with Trend Micro’s Zero Day Initiative and reported to Rockwell Automation.  The vulnerability was discovered in the ThinManager® ThinServer™ software. Successful exploitation of this vulnerability could allow an attacker to make the software unresponsive or execute arbitrary code.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including recommended countermeasures, are listed below.

Affected Products

ThinManager ThinServer software Versions
11.0.0 – 11.0.4
11.1.0 – 11.1.4
11.2.0 – 11.2.5
12.0.0 – 12.0.2
12.1.0 – 12.1.3
13.0.0

Vulnerability Details

CVE 2022-38742 ThinManager ThinServer Heap-Based Overflow

CVSS Base Score: 8.1 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

In affected versions, an attacker can send a specifically crafted TFTP or HTTPS request causing a heap-based buffer overflow that crashes the ThinServer process.  This potentially exposes the server to arbitrary remote code execution.

Risk Mitigation & User Action

Customers are directed towards the risk mitigations provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
CVE-2022-38742 Versions Affected Suggested Actions
11.0.0 – 11.0.4 Update to v11.00.05
11.1.0 – 11.1.4 Update to v11.01.05
11.2.0 – 11.2.5 Update to v11.02.06
12.0.0 – 12.0.2 Update to v12.00.03
12.1.0 – 12.1.3 Update to v12.01.04
13.0.0 Update to v13.00.01

Additional Mitigations

If users are unable to update to the patched version, they should put the following mitigation in place:
  • Block network access to the ThinManager TFTP and HTTPS ports from endpoints other than ThinManager managed thin clients
For additional security best practices, please see our Knowledgebase article,QA43240 - Security Best Practices, to maintain the security posture of your environment.

References

CVE-2022-38742

Critical
PN1603 | PN1603 | KEPServer Enterprise Vulnerable to Remote Code Execution and Denial-of-Service Attack
Published Date:
September 01, 2022
Last Updated:
September 01, 2022
CVE IDs:
CVE-2022-2825, CVE-2022-2848
Products:
Kepserver Enterprise
CVSS Scores:
9.1, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision History
Version 1.0 – September 1, 2022 – Initial Version

Executive Summary

Rockwell Automation was notified by ICS-CERT of vulnerabilities discovered in Kepware® KEPServerEX, which affects the Rockwell Automation KEPServer Enterprise. Successful exploitation of these vulnerabilities could allow an attacker to crash the device or remotely execute arbitrary code.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details are provided relating to the discovered vulnerabilities, including recommended countermeasures.

Affected Products

KEPServer Enterprise – All versions prior to v13.01.00

Vulnerability Details

CVE 2022-2848 KEPServer Enterprise Heap-Based Overflow
CVSS Base Score: 9.1 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Specifically crafted OPC UA messages transmitted to the server could allow an attacker to crash the server and
leak data.

CVE 2022-2825 KEPServer Enterprise Stack-Based Overflow
CVSS Base Score: 9.8 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Specifically crafted OPC UA messages transmitted to the server could allow an attacker to crash the server and remotely execute code.

Risk Mitigation & User Action

Vulnerability Suggested Actions
CVE-2022-2848 Customers should update to version 13.01.00 which mitigates these issues
CVE-2022-2825


If a customer is unable to update to the mitigated version, it is suggested that Security Best Practices are followed as outlined in our Knowledgebase article, QA43240 - Security Best Practices.

General Security Guidelines

Medium
PN1598 | PN1598 | CVE 2022-1096 Chromium Type Confusion Vulnerability Impact Multiple Products
Published Date:
August 26, 2022
Last Updated:
August 26, 2022
CVE IDs:
CVE-2022-1096
Products:
Using CCW with PanelView Component Terminals, FactoryTalk Linx Gateway, FactoryTalk View SE, Installing CCW, FactoryTalk Linx / RSLinx Enterprise, PowerFlex 6000, Using CCW with Micro800 Controllers, Using CCW with Component Class Drives
CVSS Scores:
4.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Reference
CVE 2022-1096
Revision History
Revision Number
1.1
Revision History
Version 1.0 – July 12, 2022
Version 1.1 – August 26, 2022 Updated FT View Site Edition Mitigation Instructions

Executive Summary

Rockwell Automation is aware of multiple products that use the Chromium web browser and are affected by CVE 2022-1096, which is a zero day type confusion vulnerability. Exploitation of this vulnerability could potentially lead to a low impact to the availability of the targeted device. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerabilities including recommended countermeasures, are provided.

Affected Products

Product in Scope Vulnerable Component
FactoryTalk® Linx Enterprise software
v6.20, 6.21, and 6.30		 V6.21 CefSharp v73.1.130 (EIPCACT feature)
V6.30 CefSharp v91.1.230 (EIPCACT feature)
v6.20 CefSharp v73.1.130 (Device Config feature)
v6.21 CefSharp v73.1.130 (Device Config feature
v6.30 CefSharp v73.1.130 (Device Config feature
Enhanced HIM (eHIM) for PowerFlex® 6000T drives v1.001
Electron v4.2.12
Connected Components Workbench software v11, 12,13 & 20 Note: Drives Trending 1.00.00 and 2.00.00 uses Connected Components Workbench Cefsharp V81.3.100
FactoryTalk Link Gateway software v6.21 and v6.30  v6.21 CefSharp v73.1.130
 v6.30 CefSharp v91.1.230
FactoryTalk View Site Edition software v.13.0 WebView2 v96.0.1054.43

Vulnerability Details

Rockwell Automation has been made aware of a third-party vulnerability that is present in multiple vendor components, which our products use. Due to the way Rockwell Automation uses the Chromium web browser, exploitation of this vulnerability may cause the vulnerable products to become unavailable temporarily. As a result, we adjusted the CVSS Score to reflect how this vulnerability affects our products.

CVE 2022-1096 Chromium Web Browser Type Confusion Vulnerability
CVSS Base Score: 4.0 /10 (Medium)
CVSS 3.1 Vector String:  CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated firmware becomes available.

For customers using the FactoryTalk View Site Edition follow the recommended actions to address the vulnerability:
  • Do not use the FactoryTalk View SE web browser control if it is not required for the intended use of the product.
  • Customers utilizing the SE Web Browser can manually download and apply the newer version of WebView2 by using the following directions:
    • Replace the Microsoft® msedgewebview2.exe file that is saved in the C:Program Files (x86)Rockwell SoftwareRSView EnterpriseMicrosoft.WebView2.FixedVersionRuntime by copying and pasting the new version of the software into the folder.
    • DO NOT remove the contents of the folder before pasting the new file.

For customers using the Enhanced HIM (eHIM) for Power Flex 6000T drives follow the recommended actions to address the vulnerability:
  • Update the Microsoft Edge browser to Version 99.0.1150 or later. Additionally, apply the update for eHIM when it becomes available to mitigate the vulnerability.
If applying the mitigations, noted above, is not possible please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

Critical
PN1550 | PN1550 | CVE-2021-22681: Authentication Bypass Vulnerability Found in Logix Controllers
Published Date:
July 20, 2022
Last Updated:
July 20, 2022
CVE IDs:
CVE-2021-22681
Products:
SoftLogix5800, 1794 FlexLogix, 1756 ControlLogix, 1769 CompactLogix Controllers, 1769 Compact GuardLogix 5370, 1768 CompactLogix Controllers, 5069 Compact GuardLogix 5380, RSLogix 5000 / Studio 5000 Logix Designer
CVSS Scores:
10.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.4
Revision History
Version 1.0 - February 25, 2021. Initial Release.
Version 1.2 - March 5, 2021. Updated for clarity.
Version 1.3 - May 5, 2021. Mitigations updated – 1783-CSP CIP Security Proxy.
Version 1.4 - July 20, 2022. Rearranged placement of general mitigations

Executive Summary

Researchers found that our Studio 5000 Logix Designer® software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.

FactoryTalk® Security provides user authentication and authorization for a particular set of actions within RSLogix® 5000 and Studio 5000®. Once the application is authorized to open and connect to the controller within RSLogix 5000 or Studio 5000 this verification mechanism, referenced above, is leveraged to establish the connection to the controller. For customers concerned with user access control and who have deployed FactoryTalk Security, this vulnerability may allow an attacker to bypass the protections provided by FactoryTalk Security.

This vulnerability was independently co-discovered by Lab of Information Systems Security Assurance (Eunseon Jeong, Youngho An, Junyoung Park, Insu Oh, Kangbin Yim) of Soonchunhyang University, Kaspersky, and by Claroty, a cybersecurity technology vendor and partner of Rockwell Automation.

Affected Products

Software:
RSLogix 5000 software v16-20, Studio 5000 Logix Designer v21 and later, and corresponding Logix controllers running these versions.
FactoryTalk Security, part of the FactoryTalk Services Platform, if configured and deployed v2.10 and later.

Controllers:
1768 CompactLogix™
1769 CompactLogix
CompactLogix 5370
CompactLogix 5380
CompactLogix 5480
ControlLogix 5550
ControlLogix® 5560
ControlLogix 5570
ControlLogix 5580
DriveLogix™ 5730
FlexLogix™ 1794-L34
Compact GuardLogix® 5370
Compact GuardLogix 5380
Guardlogix 5560
GuardLogix 5570
GuardLogix 5580
SoftLogix™ 5800

Vulnerability Details

CVE-2021-22681: Private Key Extraction
Studio 5000 Logix Designer uses a key to verify Logix controllers are communicating with Rockwell Automation products. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass a verification mechanism and authenticate with Logix controllers. If exploited, this vulnerability could enable an unauthorized third-party tool to make changes to the controller configuration and/or application code.

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

For details and further mitigation options, please see the table below.
Product Family and Version Risk Mitigation and Recommended User Actions






ControlLogix 5580 v32 or later.
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the followings mitigations are recommended:
  • Deploy CIP Security for Logix Designer application connections through the front port. CIP Security prevents unauthorized connections when deployed properly.
  • If not using the front port, use a 1756-EN4TR ControlLogix EtherNet/IP™ module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which prevents unauthorized connections when properly deployed.



ControlLogix 5580 v31
  • Put the controller mode switch to “Run” mode.I
If the above cannot be deployed, the following mitigations are recommended:
  • Apply v32 or later and follow mitigations actions outlined above.
  • If unable to apply a newer version, use a 1756-EN4TR ControlLogix EtherNet/IP module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which helps prevent unauthorized connections when properly deployed.
ControlLogix 5570 v31 or later.
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigations are recommended:
  • Use a 1756-EN4TR ControlLogix EtherNet/IP Module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which helps prevent unauthorized connections when properly deployed.
CompactLogix 5380 v28 or later.
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigations are
recommended:
  • Install the 1783-CSP CIP Security Proxy to provide secure connection between the engineering workstation and the controller. For more information, please see the 1783-CSP CIP Proxy User Manual (link).
CompactLogix 5370 v20 or later
  • Put the controller mode switch to “Run” mode.
If the above cannot be deployed, the following mitigations are
recommended:
  • Install the 1783-CSP CIP Security Proxy to provide secure connection between the engineering workstation and the controller. For more information, please see the 1783-CSP CIP Proxy User Manual (link).
ControlLogix 5580 v28-v30
ControlLogix 5570 v18 or later
ControlLogix 5560 v16 or later
ControlLogix 5550 v16
GuardLogix 5580 v31 or later
GuardLogix 5570 v20 or later
GuardLogix 5560 v16 or later
1768 CompactLogix v16 or later
1769 CompactLogix v16 or later
CompactLogix 5480 v32 or later
Compact GuardLogix 5370 v28 or later
Compact GuardLogix 5380 v31 or later
FlexLogix 1794-L34 v16
DriveLogix 5370 v16 or later
  • Put the controller mode switch to “Run” mode.
SoftLogix 5800

Detection Strategies:
In addition, customers can continue to use the methods below to detect changes to configuration or application files:
  • Monitor controller change log for any unexpected modifications or anomalous activity.
  • If using v17 or later, utilize the Controller Log feature.
  • If using v20 or later, utilize Change Detection in the Logix Designer Application.
  • If available, use the functionality in FactoryTalk® AssetCentre software to detect changes.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware Mode Switch setting, which may be used to block unauthorized changes, etc.
Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
General Mitigations

Customers using the affected products are directed towards risk mitigation and are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.

Rockwell Automation has determined that this vulnerability cannot be mitigated with a patch. Rockwell Automation encourages customers to implement the mitigation strategies outlined in this disclosure.

A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To leverage this vulnerability, an unauthorized user requires network access to the controller. Customers should confirm that they are employing proper networking segmentation and security controls.  Including, but not limited to:
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimizing network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet.
  • Locating control system networks and devices behind firewalls and isolating them from the enterprise/business network.
  • Restricting or blocking traffic on TCP 44818 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (Publication ENET-TD001E) for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines (Publication secure-rm001) on how to use Rockwell Automation products to improve the security of their industrial automation systems.

CIP Security mitigates this vulnerability as it provides the ability to deploy TLS and DTLS based secure communications to supported products.  CIP Security is an enhancement to the ODVA EtherNet/IP industrial communication standard and directly addresses the vulnerability noted in this disclosure. CIP Security allows for users to leverage and manage certificates and/or pre-shared keys and does not make use of any hardcoded keys.

As of May 5, 2021, a new mitigation option is now available.  The 1783-CSP CIP Security Proxy is a standalone hardware solution that provides CIP Security for devices that do not natively support CIP Security.  See below for how this product can be deployed to address CompactLogix based applications.

Customers requiring setup or deployment guidance for CIP Security protocol should refer to the CIP Security deployment refence guide (Publication secure-at001) for more information.

*Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knoweldgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

High
PN1600 | PN1600 | ISaGRAF Workbench Vulnerable to Multiple Phishing-Style Attacks
Published Date:
July 20, 2022
Last Updated:
July 20, 2022
CVE IDs:
CVE-2022-2463, CVE-2022-2465, CVE-2022-2464
Products:
AADvance, ISaGRAF, Trusted
CVSS Scores:
6.1, 7.7, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision History
Version 1.0 – July 19, 2022
Version 1.1 – July 20, 2022 – Added AAdvance Trusted SIS Workstation to products affected

Executive Summary

Rockwell Automation received a report from Claroty regarding three vulnerabilities in ISaGRAF® Workbench. If successfully exploited, these vulnerabilities may result in directory traversal, privilege escalation, and arbitrary code execution. These vulnerabilities all require user interaction such as a phishing attack for successful exploitation.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • ISaGRAF Workbench v6.0 though v6.6.9
  • AADvance-Trusted Safety Instrumented System Workstation v1.1 and below

Vulnerability Details

CVE-2022—2465: Deserialization of untrusted data may result in arbitrary code execution

ISaGRAF Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in ISaGRAF Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-2464: Directory traversal vulnerability may lead to privilege escalation

The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by ISaGRAF Workbench, can traverse the file system. If successfully exploited, an attacker would be able to overwrite existing files and create additional files with the same permissions of the ISaGRAF Workbench software. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 7.7/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-2463: Improper input sanitization may lead to privilege escalation

ISaGRAF does not sanitize paths specified within the .7z exchange file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .7z exchange file that when opened by ISaGRAF Workbench will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 6.1/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Product Suggested Actions
CVE-2022-2463
CVE-2022-2464
CVE-2022-2465		 ISaGRAF Workbench Upgrade to ISaGRAF Workbench v6.6.10 or later.
CVE-2022-2463
CVE-2022-2464		 AAdvance-Trusted SIS Workstation Upgrade to AADvance-Trusted SIS Workstation 1.2 or later
CVE-2022-2465 AAdvance-Trusted SIS Workstation It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue.
If immediate upgrade is not possible, customers should consider implementing the following mitigations:
  • Run ISaGRAF Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted .7z exchange files with ISaGRAF Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

If applying the mitigations noted above, is not possible please see our Knowledgebase article, QA43240 – Security Best Practices, for additional recommendations to maintain the security posture of your environment.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

Critical
PN1599 | PN1599 | FactoryTalk Analytics DataView Vulnerable to Spring4Shell Vulnerability (CVE 2022-22965)
Published Date:
July 14, 2022
Last Updated:
July 14, 2022
Products:
FactoryTalk Analytics DataView
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision History
Version 1.0 – July 14, 2022

Executive Summary

Rockwell Automation was made aware of a zero-day vulnerability that impacts the Spring Core Framework. If exploited, this vulnerability could potentially have a high impact on the confidentiality, integrity, and availability of the targeted device.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including products in scope, impact, and recommended countermeasures are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • FactoryTalk® Analytics™ DataView v.3.03.01 and below

Vulnerability Details

Rockwell Automation was made aware of a third-party remote code execution vulnerability that exists in the Spring Core Framework. This vulnerability could potentially allow an attacker to send a specially crafted request to a vulnerable server. To exploit this vulnerability, the target application must run on a Tomcat as a WAR deployment. However, due to the nature of the vulnerability, other ways to exploit it may exist.

CVSS Base Score: 9.8 /10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated firmware becomes available. Please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

Medium
PN1597 | PN1597 | MicroLogix 1400/1100 Vulnerable to Clickjacking Vulnerability
Published Date:
July 07, 2022
Last Updated:
July 07, 2022
CVE IDs:
CVE-2022-2179
Products:
1763 MicroLogix 1100, 1766 MicroLogix 1400
CVSS Scores:
6.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision History
Version 1.0 – July 7, 2022

Executive Summary

Rockwell Automation received a vulnerability report from Pawan V. Sable and Pranita Sadgir, and Dr. Faruk Kazi of COE-CNDS from Veermata Jijabai Technological Institute (VJTI) India. If exploited, this vulnerability could potentially have a high impact on the confidentiality of the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided herein. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

  • MicroLogix™ 1400 v. 21.007 and below
  • MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the X-Frame-Options header is not configured in the HTTP response and allows potential clickjacking attacks. Exploitation of this vulnerability could potentially allow a malicious user to trick a legitimate user into using an untrusted website. If exploited, this vulnerability could lead to a loss of sensitive information, such as authentication credentials.

(CVE 2022 - 2179) MicroLogix Controllers Vulnerable to Clickjacking Attack
CVSS Base Score: 6.5 /10 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.
  • Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device)
  • Configure firewalls to disallow network communication through HTTP/Port 80
If applying the mitigations noted above are not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

Medium
PN1596 | PN1596 | Logix Controllers Vulnerable to Denial-of-Service Attack
Published Date:
June 17, 2022
Last Updated:
June 17, 2022
CVE IDs:
CVE-2022-1797
Products:
1769 Compact GuardLogix 5370, 1756/5069 GuardLogix, 1768/1769/5069 CompactLogix, 1756 ControlLogix
CVSS Scores:
6.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.4
Revision History
Version 1.0 – May 24, 2022
Version 1.1 – June 3, 2022 Updated suggested actions and removed versions for clarity
Version 1.2 – June 17, 2022 Clarified vulnerability details and updated risk mitigation section
Version 1.3 – July 8th, 2022 Updated risk mitigation section
Version 1.4 – July 17th, 2023 Updated risk mitigation section

Executive Summary

Rockwell Automation was made aware of a vulnerability within our Logix controllers. This vulnerability may allow an unauthorized user to send malicious messages to the targeted device, which could potentially, lead to a denial-of-service.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

  • CompactLogix™ 5380 controllers
  • Compact GuardLogix® 5380 controllers
  • CompactLogix 5480 controllers
  • ControlLogix® 5580 controllers
  • GuardLogix 5580 controllers
  • CompactLogix 5370 controllers
  • Compact GuardLogix 5370 controllers
  • ControlLogix 5570 controllers
  • GuardLogix 5570 controllers

Vulnerability Details

CVE-2022-1797 Rockwell Automation Logix controllers are vulnerable to denial-of-service attack
A vulnerability that exists in the Logix controller may allow an attacker to modify a message instruction control structure that could cause a denial-of-service condition due to a major nonrecoverable fault. If the controller experiences a major nonrecoverable fault, a user will have to clear the fault and redownload the user project file to bring the device back online and continue normal operations.

CVSS v3.1 Base Score: 6.8/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers can apply either mitigation A or B to address this vulnerability. Customers are directed towards the risk mitigation provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected Version Affected Suggested Actions
CompactLogix 5380 Versions prior to 32.016 Mitigation A: Customers should upgrade to version 32.016 firmware or later to mitigate this issue.

Mitigation B: Set the message control structures access to read-only. Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.
Compact GuardLogix 5380
CompactLogix 5480
ControlLogix 5580
GuardLogix 5580
CompactLogix 5370 Versions prior to 33.016 Mitigation A: Customers should upgrade to version 33.016 firmware or later to mitigate this issue.

Mitigation B: Set the message control structures access to read only.  Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.
Compact GuardLogix 5370
ControlLogix 5570
GuardLogix 5570
ControlLogix 5570 Redundancy Versions prior to 33.053 Mitigation A: Customers should upgrade to version 33.053 firmware or later to mitigate this issue.

Mitigation B: Set the message control structures access to read only.  Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.


If applying mitigation A or B is not possible, customers should consider implementing the following solutions:
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with products from Rockwell Automation is available at Knowledgebase article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

Critical
PN1585 | PN1585 | Logix Controllers May Allow for Unauthorized Code Injection
Published Date:
May 06, 2022
Last Updated:
May 06, 2022
CVE IDs:
CVE-2021-22681, CVE-2022-1161
Products:
5069 Compact GuardLogix 5380, 1769 CompactLogix Controllers, 1769 CompactLogix 5370, 1756/5069 GuardLogix, 1768 CompactLogix Controllers, ControlLogix Hardware
CVSS Scores:
10.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision History
Version 1.2 – May 06, 2022 Updated vulnerability details and risk mitigations

Detailed Information

Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Logix Controllers to Rockwell Automation. Claroty found that some Logix Controllers may allow an attacker, with the ability to modify user programs, to download a user program containing malicious code that would be undetectable to the user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here.

An attacker could gain the ability to modify user programs by leveraging a previously disclosed vulnerability (“Authentication Bypass Vulnerability Found in Logix Controllers”) whereby a private key was discovered potentially allowing Logix Controllers communicating over the unauthenticated version of EtherNet/IP™ to accept communication that do not originate from Studio 5000 Logix Designer ® software.

Affected Products

  • 1768 CompactLogix™ controllers
  • 1769 CompactLogix controllers
  • CompactLogix 5370 controllers
  • CompactLogix 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix® 5370 controllers
  • Compact GuardLogix 5380 controllers
  • ControlLogix® 5550 controllers
  • ControlLogix 5560 controllers
  • ControlLogix 5570 controllers
  • ControlLogix 5580 controllers
  • GuardLogix 5560 controllers
  • GuardLogix 5570 controllers
  • GuardLogix 5580 controllers
  • FlexLogix™ 1794-L34 controllers
  • DriveLogix™5730 controllers
  • SoftLogix™ 5800 controllers

Vulnerability Details

[CVE-2022-1161]: Modification of PLC Program Code

An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location than the executed compiled code allowing an attacker to change one and not the other. Additionally, devices communicating over the unauthenticated version of EtherNet/IP may be vulnerable to attacks from custom clients exploiting CVE-2021-22681

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The following types of code are affected by this vulnerability – indicated by an X:
Product Structured Text
(ST)		 Ladder Diagrams
(LD)		 Function Block Diagram
(FBD)		 Sequential Function Chart (SFC) Add-On Instructions (AOI)
1768 CompactLogix X Not affected X X X
1769 CompactLogix X Not affected X X X
CompactLogix 5370 X Not affected X X X
CompactLogix 5380 X X X X X
CompactLogix 5480 X X X X X
Compact GuardLogix 5370 X Not affected X X X
Compact GuardLogix 5380 X X X X X
ControlLogix 5550 X Not affected X X X
ControlLogix 5560 X Not affected X X X
ControlLogix 5570 X Not affected X X X
ControlLogix 5580 X X X X X
GuardLogix 5560 X Not affected X X X
GuardLogix 5570 X Not affected X X X
GuardLogix 5580 X X X X X
FlexLogix 1794-L34 X Not affected X X X
DriveLogix 5730 X Not affected X X X
SoftLogix 5800 X Not affected X X X

Risk Mitigation & User Action

We recommend customers using the affected products, below, to apply both Risk Mitigations A and B, if possible. Additionally, customers are advised to implement Risk Mitigation B as a long-term mitigation action and to overall increase the security posture of their environment. Furthermore, we encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.

Product Family Risk Mitigation and Recommended User Actions









ControlLogix 5570
ControlLogix 5580
GuardLogix 5570
GuardLogix 5580
CompactLogix 5380
Compact GuardLogix 5380
Risk Mitigation A:
  • Recompile and download user program code (i.e., acd) using an uncompromised workstation
  • Put controller mode switch into Run position
If keeping controller mode switch in Run is impractical, use the following mitigation:
  • Recompile and download user program code (i.e., acd) using an uncompromised workstation
  • Monitor controller change log for any unexpected modifications or anomalous activity
  • Utilize the Controller Log feature
  • Utilize Change Detection in the Logix Designer Application
  • If available, use the functionality in FactoryTalk AssetCentre software to detect changes

Risk Mitigation B:
Implement CIP Security™ to help prevent unauthorized connections when properly deployed.  Supported controllers and communications modules include:
  • ControlLogix 5580 processors using on-board EtherNet/IP port
  • GuardLogix 5580 processors using on-board EtherNet/IP port
  • ControlLogix 5580 processors operating in High Availability (HA) configurations using 1756-EN4TR’s
  • ControlLogix 5560, ControlLogix 5570, ControlLogix 5580, GuardLogix 5570 and GuardLogix 5580 can use a 1756-EN4TR ControlLogix EtherNet/IP™ module
  • If using a 1756-EN2T, then replace with a 1756-EN4TR
  • CompactLogix 5380 using on-board EtherNet/IP port
  • Compact GuardLogix 5380 using on-board EtherNet/IP port

We recommend customers using the affected products, below, to apply Risk Mitigation A. We encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.
Product Family Risk Mitigation and Recommended User Actions
1768 CompactLogix
1769 CompactLogix
CompactLogix 5370
CompactLogix 5480
ControlLogix 5560
GuardLogix5560

 Risk Mitigation A:
  • Recompile and download user program code (i.e., acd)
  • Put controller mode switch into Run position

If keeping controller mode switch in Run is impractical, then use the following mitigation:
  • Recompile and download user program code (i.e., acd)
  • Monitor controller change log for any unexpected modifications or anomalous activity
  • Use the Controller Log feature
  • Use Change Detection in the Logix Designer application
  • If available, use the functionality in FactoryTalk AssetCenter to detect changes

In addition to applying risk mitigations, customers should also utilize the detection tools, listed below, to identify if this vulnerability has been exploited in their environment.

Exploitation Detection Method:

The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:
  • On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer Compare Tool User Manual, pages 19-20.
  • Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).
Notes:
  • The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
  • Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

Social Engineering Mitigation Strategies
Do not click on or open URL links from untrusted sources.Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations (Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see Rockwell Automation Publication System Security Design Guidelines Reference Manual.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).

Additional Links

High
PN1586 | PN1586 | Logix Designer Application May Allow Unauthorized Controller Code Injection
Published Date:
May 06, 2022
Last Updated:
May 06, 2022
CVE IDs:
CVE-2022-1159
Products:
RSLogix 5000 / Studio 5000 Logix Designer
CVSS Scores:
7.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision History
Version 1.0 – March 31, 2022
Version 1.1 – May 06, 2022 – Updated vulnerability details and mitigations

Detailed Information

Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Studio 5000 Logix Designer® software which impacts some Logix controllers. Claroty found that the Logix Designer application could allow an unauthorized third-party to inject controller code using a compromised workstation where the third party has gained administrative access. This could allow a third party to download the modified program to the controller and potentially allow for arbitrary code execution on the controller in a way that would potentially be undetectable to a user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here .

Affected Products

Studio 5000 Logix Designer application v28 and later, and the following Logix controllers running these versions:
  • ControlLogix® 5580 controllers
  • GuardLogix® 5580 controllers
  • CompactLogix™ 5380 controllers
  • CompactLogix 5480 controllers
  • Compact GuardLogix 5380 controllers

Vulnerability Details

[CVE-2022-1159]: Modification of PLC Program Code
Studio 5000 Logix Designer compiles the user program on the workstation.  This compilation process prepares the Logix Designer application user program for download to a Logix controller. To successfully exploit this vulnerability, an attacker must first gain administrator access to the workstation running Studio 5000 Logix Designer.  The attacker can then intercept the compilation process and inject code into the user program.   The user may potentially be unaware that this modification has taken place.

This exploit could also allow modification of source key protected content and license source protected content. Changes to the content may not be noticeable to the user. Additionally, exploitation could affect safety tasks if unlocked and signature unprotected at the time of the attack. A locked and signature protected safety task would not be impacted.

CVSS v3.1 Base Score: 7.7/HIGH
CVSS Vector: AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

There is no long-term mitigation for this vulnerability. Customers using the affected hardware and software are directed to apply compensating controls and utilize detection capabilities, which are both listed below. Additionally, we recommend implementing general security guidelines for a comprehensive defense in depth strategy.

Compensating Controls:

Exploitation Detection Method:

The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:
  • On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer application Compare Tool User Manual publication LDCT-UM001C, pages 19-20.
  • Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).
Notes:
  • The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
  • Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see the Rockwell Automation publication number SECURE-RM001 “System Security Design Guidelines Reference Manual”.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).

Additional Links

PN1594 | PN1594 | APT Cyber Tools Targeting ICS/SCADA Devices (PIPEDREAM/INCONTROLLER)
Published Date:
May 06, 2022
Last Updated:
May 06, 2022
Products:
FactoryTalk Linx Gateway
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision History
Version 1.0 – May 6, 2022

Executive Summary

On April 13, 2022, researchers announced a new set of tools that was developed by an Advanced Persistent Threat (APT). This set of tools allows threat actors to attack specific ICS and OT hardware and software. Rockwell Automation is providing this advisory to notify customers of our response to this threat.

We are diligently working through our process to evaluate the threat and provide security mitigations as needed. Rockwell Automation recommends that customers apply hardening techniques, in addition to security best practices for a comprehensive defense in depth approach.

Affected Products

We are aware that the tool set contains modules that target OPC UA servers, CODESYS runtimes, and ASRock drivers. After evaluation, Rockwell Automation is aware that the products, listed below, use one of the targeted components. This list may be updated if more products are identified.

Products that use OPC UA servers:
  • FactoryTalk® Linx Gateway
    • Editions include embedded, basic, standard, extended distributed, professional
    • Versions include 6.10, 6.11, 6.20, 6.21 and 6.30

Risk Mitigation & User Action

We recommend the following compensating controls for customers using Rockwell Automation products that use the targeted hardware and software:
  • Disable anonymous authentication and configure the use of FactoryTalk Security using the following guidance. FactoryTalk Linx Gateway Getting Result Guide FTLG-GR001E
    • Chapter 4 - UA Server Endpoints - Endpoint Properties
    • Appendix D - Secure FactoryTalk Linx Gateway using FactoryTalk Security
  • Enforce a lockout threshold for failed authentication attempts and configure audit logs using the following guidance to detect signs of an attack. FactoryTalk Security System Configuration Guide Publication FTSEC-QS001R - Chapter 9
    • Set system policies - Account Policy Settings
    • Set audit policies - Monitor security-related events

General Security Guidelines

Refer to the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Industrial Security Services website for information on security services from Rockwell Automation to assess, help protect, detect, respond, and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation in PN1354 – Industrial Security Advisory Index

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com

Additional Links

PN1592 | PN1592 | Vulnerable Third-Party Components in FactoryTalk® ProductionCentre
Published Date:
May 04, 2022
Last Updated:
May 04, 2022
Products:
FactoryTalk ProductionCentre
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision History
Version 1.0 – May 4, 2022

Executive Summary

Rockwell Automation discovered multiple vulnerabilities affecting third-party software utilized by our FactoryTalk® ProductionCentre (FTPC) products. If exploited, these vulnerabilities could have various effects, including but not limited to, remote code execution, information disclosure, and denial of service on FTPC products.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including products in scope and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk® ProductionCentre v10.04 and earlier

Vulnerability Details

As part of our commitment to security, Rockwell performs routine testing and vulnerability scanning to maintain the security posture of products. Due to open-source testing, we were made aware that third-party components utilized within our FTPC products contain vulnerabilities that range from low to high. The third-party components are listed below.
Apache ActiveMQ Version 5.15.0 Dom4J Version 1.61
Apache Common BeanUtils Version 1.9.0 Hibernate ORM Version 3.3.2
Apache CXF Version 3.1.10 Jackson Databind Version 2.1.4
Apache Http Client Version 4.5.2 JasperReports Library Version 6.2.0
Apache Santuario (Java) 2.0.8 Java Platform Standard Edition Version 8u181
Apache Xalan Version (Java) 2.7.1 JBoss Remoting Version 4.0.22.Final
Apache Xerces2J Version 2.11.0.SP5 JGroups Version 2.12.2 Final
Bouncy Castle Version 1.36, 1.44, 1.55 Spring Framework Versions 2.5.5, 4.3.8-4.3.9
Cryptacular Version 1.51 Undertow Core Versions 1.0.10.Final
Codehaus XFire Version 0.9.5.2 Velocity.apache.org Version 1.7

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerabilities. We encourage customers to combine the risk mitigations with security best practices to deploy a defense-in-depth strategy.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that a VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable the assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Additional Links

If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com

High
PN1589 | PN1589 | Multiple Products Vulnerable to Deserialization of Data
Published Date:
April 04, 2022
Last Updated:
April 04, 2022
CVE IDs:
CVE-2022-1118
Products:
Using CCW with Micro800 Controllers, ISaGRAF, Using CCW with Component Class Drives, Using CCW with PanelView Component Terminals
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision History
Version 1.0 – April 4, 2022

Executive Summary

Rockwell Automation received a report from the researcher Kimiya through Trend Micro’s Zero Day Initiative about vulnerabilities in Connected Components Workbench™, ISaGRAF® Workbench and Safety Instrumented Systems Workbench for Trusted® controllers. If successfully exploited, these vulnerabilities may result in remote code execution. These vulnerabilities all require user interaction through a phishing attack, for example, to be successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • Connected Components Workbench v13.00.00 and below.
  • ISaGRAF Workbench v6.0-v6.6.9
  • Safety Instrumented System Workstation v1.2 and below (for Trusted Controllers)

Vulnerability Details

CVE-2022-1118- Deserialization of untrusted data may result in arbitrary code execution
Connected Components Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Products Affected Suggested Actions
Connected Components Workbench Versions 13.00 and below Customers should update to version 20.00, which mitigates this vulnerability.
ISaGRAF Workbench Versions 6.0-6.6.9 It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue.
SIS Workstation Versions 1.2 and below (for Trusted Controllers) It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue.

If an upgrade is not possible or available, customers should consider deploying the following mitigations:
  • Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted .ccwsln files with Connected Component Workbench, ISaGRAF, or SISW. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com)

Additional Links

Critical
PN1579 | Log4Shell Vulnerability Notice
Published Date:
January 21, 2022
Last Updated:
December 01, 2024
CVE IDs:
CVE-2021-4104, CVE-2021-45046, CVE-2019-17571, CVE-2021-44228
Products:
Production Management
CVSS Scores (v3.1):
10, 3.7, 8.1, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

 

Revision History
Revision Number
2.2
Revision History
Version 1.0 – 12-Dec-2021. Initial Version

Version 1.1 – 15-Dec-2021. Updated Affected Products and Risk Mitigation & User Actions


Version 1.2 – 17-Dec-2021. Updated FTA DataView Versions affected

Version 2.0 – 19-Dec-2021. Updated Affected Products and Risk Mitigation & User Actions, etc.


Version 2.1 – January 7, 2022. Updated FactoryTalk® Analytics™ DataView, Data Flow ML, Warehouse Management Patch Guidance and User Actions, etc.
Version 2.2 – January 21, 2022 Updated DataView Mitigation Actions, etc

Executive Summary

On December 9, 2021, a vulnerability was announced named “Log4Shell” by researchers. This vulnerability allows for remote code execution by exploiting the Java Logging Library log4j2.

Rockwell Automation is aware of this vulnerability and of how it could, if exploited, potentially impact our customers’ environments. Rockwell Automation has completed process of evaluation on how the mitigation techniques will impact the functionality and performance of the Rockwell Automation hardware, software, and pre-engineered products and solutions that incorporate this software.

Affected Products

Rockwell Automation has investigated its product portfolio to identify which of its products may be directly affected by the "Log4Shell" vulnerability. Rockwell Automation will continue to monitor this situation and will update this advisory if necessary. Our investigation has indicated that the following Rockwell Automation products are affected.
Product Affected Versions Affected
Plex (A Rockwell Automation Company) Industrial Internet of Things All Versions < 2.17
Fiix (A Rockwell Automation Company) CMMS™ core V5 This product is cloud-based and has been updated for all customers.
Warehouse Management 4.01.00, 4.02.00, 4.02.01, 4.02.02
EIG (Discontinued) 3.03.00
Industrial Data Center 9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS – Gen 1, Gen 2, Gen 3, Gen 3.5
VersaVirtual™ Application 9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN – Series A
FactoryTalk® Analytics™ DataFlowML All Versions until 4.00.00 (including)
FactoryTalk Analytics DataView All
Firewall Managed Support – Cisco FirePOWER® Thread Defense 9300-FMAN, 9300-FSYS Version 6.2.3 – 7.1.0

Vulnerability Details

CVE-2021-44228: Apache Log4j2 JNDI features do not help protect against attacker-controlled LDAP and other JNDI related endpoints

Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.


It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.

CVSS v3.1 Base Score: 3.7/10 [Moderate]
CVSS V3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data


JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVSS v3.1 Base Score: 8.1/10 [High]
CVSS V3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-17571: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

CVSS v3.1 Base Score: 9.8/10 Critical]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Vulnerability Products Affected Suggested Actions
CVE-2021-44228 Plex Industrial IoT This product has been updated to version 2.17.1 and all vulnerabilities are mitigated at this time.  No user action is required.
Fiix CMMS core V5 The product has been updated to remove Log4j completely and is no longer vulnerable. No user interaction is required.
Warehouse Management Version 4.01.00, 4.02.00, 4.02.01, 4.02.02 Customers should upgrade to version 4.02.03, which has been released to mitigate this vulnerability.
MES EIG 3.03.00 This product is currently discontinued and therefore no patch will be provided. Customers should upgrade to EIG Hub if possible or work with their local representatives about alternative solutions.
Industrial Data Center (9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS) – Gen 1, Gen 2, Gen 3, Gen 3.5 - For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028.
- For managed support customers, Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager.
- For non-managed support customers with a with VNxE, follow the mitigation outlined by Dell in DSA-2021-298.
- For non-managed support customers with a Data Domain, follow the mitigation outlined by Dell in DSA-2021-274
VersaVirtual (9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN) – Series A - For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028.2.
- For managed support customers, Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager.
FactoryTalk Analytics DataFlowML Customers should upgrade to version 4.00.01, which has been released to mitigate this vulnerability. It is recommended that customers not use DataFlow ML prior to version 4.00.01.
FactoryTalk Analytics DataView 3.02 Customers are required to upgrade from 3.02 to 3.03.01.  Customers who have prior versions are required to upgrade to 3.02 first. It is recommended that customers not use DataFlow ML prior to version 4.00.00.
Firewall Managed Support – Cisco Firepower Thread Defense (9300-FMAN, 9300-FSYS) Version 6.2.3 – 7.1.0 - For managed support customers, Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager.
- For non-managed support customers, follow the mitigation instructions outlined by Cisco in CSCwa46963.
CVE-2021-45046, CVE-2021-4104, CVE-2019-17571
 No products affected at this time.

Products Using Log4j 1.2
A number of Rockwell Automation products contain log4j libraries that may be detected by various scanning tools. These products do not use the JMSAppender nor the Socket Server and are not vulnerable to CVE-2021-4104 and CVE-2019-17571:

Products Evaluated and Not Affected

Suggested Actions
Factory Talk Analytics Data View 3.02.00, 3.03.00, 4.00.00, 4.01.00 No actions are needed as these products do not use the JMSAppender nor the Socket Server and therefore are not vulnerable.
Data Scheduler
FactoryTalk Augmented Modeler
Factory Talk Analytics Data Flow ML 2.01
Factory Talk Analytics Information Platform
Live Transfer 10.4, 11.0
Pavilion8
Factory Talk Analytics Security Provider 3.02.00, 3.03.00
PanelView 5000
FactoryTalk Production Centre (All Versions)
Factory Talk Pharma Suite (All Versions)
Studio 5000 View Designer Studio 5000 does not use the JMSAppender nor the Socket Server and is not vulnerable.  
Note: Studio 5000 consists of Studio 5000 Logix Designer and Studio 5000 View Designer.  If Logix Designer is the only component required, then View Designer version 8 or older may be removed by uninstalling it using the Windows Add/Remove Programs feature.  Uninstall “Studio 5000 View Designer”.  This will remove the log4j 1.2x library completely.  Alternatively, update Studio 5000 View Designer to version 9 or later which has updated log4j libraries that are not vulnerable.

General Security Guidelines

See the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located in PN1354 – Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website .

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

General Mitigations

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • Visit links below for more mitigation techniques
ADDITIONAL LINKS

 

Critical
PN1567 | PN1567 | ISaGRAF Runtime Affected by Multiple Vulnerabilities
Published Date:
December 30, 2021
Last Updated:
December 30, 2021
CVE IDs:
CVE-2020-25184, CVE-2020-25180, CVE-2020-25176, CVE-2020-25182, CVE-2020-25178
Products:
AADvance, ISaGRAF, Micro800
CVSS Scores:
9.1, 7.8, 5.3, 7.5, 6.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision Number

1.3

Revision History
Version 1.3 – March 19th, 2024. Added AADvance Eurocard controller to Affected Products and Updated Suggested Actions for AADvance Eurocard controller
Version 1.2 - December 30, 2021. Updated Suggested Actions for AADvance® Controller version 1.40 and earlier

Executive Summary

Rockwell Automation received a report from Kaspersky regarding five vulnerabilities in ISaGRAF® Runtime 4 and 5. If successfully exploited, these vulnerabilities may result in remote code execution, information disclosure, or denial of service.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

ISaGRAF Runtime 4.x and 5.x
The following Rockwell Automation products are based on ISaGRAF to design integrated automation solutions:
  • AADvance® Controller version 1.32 and earlier
  • ISaGRAF Free Runtime in ISaGRAF6 Workbench version 6.6.8 and earlier
  • Micro800™  family, all versions

Vulnerability Details

CVE-2020-25176: Code Execution due to Relative Path Traversal
Some commands used by the ISaGRAF eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote attacker authenticated on the IXL protocol to traverse an application’s directory, which could lead to remote code execution.

CVSS v3.1 Base Score: 9.1/10 [CRITICAL]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2020-25184: Information Disclosure due to cleartext storage of passwords in a file and memory
ISaGRAF Runtime stores the password in plaintext in a file which is located in the same directory with the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords resulting in information disclosure.

CVSS v3.1 Base Score: 7.8/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-25178: Information Disclosure due to Cleartext Transmission of Information
ISaGRAF Workbench communicates with ISaGRAF Runtime using TCP/IP. The communication protocol provides various file system operations as well as uploading applications. Data is transferred over this protocol unencrypted, which could allow a remote, unauthenticated attacker to upload, read and delete files.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2020-25182: Code Execution due to Uncontrolled Search Path Element
ISaGRAF Runtime searches and loads DLLs as dynamic libraries. Uncontrolled loading of dynamic libraries could allow a local, unauthenticated attacker to execute arbitrary code. This vulnerability only affects Microsoft Windows systems running ISaGRAF Runtime.

CVSS v3.1 Base Score: 6.7/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-25180: Information Disclosure due to Hard-coded Cryptographic Key
ISaGRAF Runtime includes the functionality of setting a password which is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encryption performed with a fixed key value using the Tiny Encryption Algorithm (TEA) on a password that has been entered or saved.  A remote, unauthenticated attacker could pass his own encrypted password to the ISaGRAF 5 Runtime, which may result in information disclosure on the device.

CVSS v3.1 Base Score: 5.3/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software and are directed towards risk mitigation. Customers are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.
Vulnerability Affected Products Suggested Mitigations
CVE-2020-25176 AADvance Controller
ISaGRAF5 Runtime
Micro800 family
AADvance Eurocard controller

Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and
AADvance Controller firmware to version 1.041.3

Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed.

For ISaGRAF, customers are encouraged to restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF refer to product documentation.

Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.

For AADvance controllers, Customers should update to version 1.041.3 to mitigate vulnerability.

For Micro800 family, to reduce risk, customers are encouraged to help protect the controller with a password. Additionally, customers deploying Micro870®, Micro850®, or Micro830® controllers are encouraged to put the controller's mode switch to "RUN". Customers are encouraged to restrict or block traffic on TCP 44818 from outside the industrial control system network zone.

Customers should also confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible.

For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products .

Rockwell Automation recommends upgrading to AADvance Eurocard Controller firmware to version 1.041
CVE-2020-25178 AADvance Controller
ISaGRAF5 Runtime
Micro800 family
AADvance Eurocard controller

Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and
AADvance Controller firmware to version 1.041.3.

Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed.

Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.

Rockwell Automation recommends upgrading to AADvance Eurocard Controller firmware to version 1.041
CVE-2020-25182 ISaGRAF5 Runtime Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00.

Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed.

Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.
CVE-2020-25184 AADvance Controller
ISaGRAF5 Runtime
AADvance Eurocard controller

Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3.

Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed.

For ISaGRAF, restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF refer to product documentation.

Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.

For AADvance controllers, Customers should update to version 1.041.3 to mitigate this vulnerability.

Rockwell Automation recommends upgrading to AADvance Eurocard Controller firmware to version 1.041
CVE-2020-25180

AADvance Controller
ISaGRAF5 Runtime
AADvance Eurocard controller

 

To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense in depth strategies.

Customers should consider using proper network infrastructure controls, such as firewalls, UTM devices, VPN, or other security appliances.

For ISaGRAF, restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF refer to product documentation.

Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.

For AADvance controllers, Customers should update to version 1.041.3 to mitigate this vulnerability.

Rockwell Automation recommends upgrading to AADvance Eurocard Controller firmware to version 1.041
 

General Security Guidelines

  • Use proper network infrastructure controls, such as firewalls, to help ensure that any communication protocols from unauthorized sources are blocked.
  • Block traffic to all protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to ports using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports, refer to the product documentation.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources is only granted with a minimum number of rights as needed.
  • Do not open untrusted .isasln and .acfproj files with ISaGRAF6 Workbench.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS

 

Critical
PN1580 | PN1580 | GOAhead Web Server vulnerability in 1783-NATR
Published Date:
December 16, 2021
Last Updated:
December 16, 2021
CVE IDs:
CVE-2019-5097, CVE-2019-5096
Products:
Network Address Translation (NAT) Device
CVSS Scores:
7.5, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.2
Revision History
Version 1.0 – December 15, 2021
Version 1.1 - December 16, 2021: Updated Suggested Actions
Version 1.2 – January 21, 2021: Updated Suggested Actions To Mitigate

Executive Summary

Rockwell Automation received a report from Cisco® Talos™ Researchers regarding two vulnerabilities in the 1783-NATR. If successfully exploited, these vulnerabilities may result in remote code execution on the device through the GoAhead web server and a denial-of-service condition.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Detailed Information

CVE-2019-5096: GoAhead web server allows unauthenticated HTTP requests that may result in remote code execution

A remote unauthenticated attacker may be able to send a specially crafted HTTP request that can lead to a use-after-free condition during the processing of this request that can be used to corrupt heap structures, which would result in the ability for the attacker to execute remote code execution.

CVSS v3.1 Base Score: 9.8/10[Critical}

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-5097: GoAhead web server allows specially crafted HTTP requests that may result in a denial-of-service for the device.

A remote unauthenticated attacker may be able to send a specially crafted HTTP request that can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POSTS requests and does not require the requested resource on the server, which would lead to a denial-of-service attack on the device.

CVSS v3.1 Base Score: 7.5/10 [High]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

1783-NATR version 1.005

Risk Mitigation & User Action

Customers using the affected 1783-NATR are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Suggested Actions
CVE-2019-5096 Upgrade firmware to version 1.006 to mitigate this vulnerability.
CVE-2019-5097 Upgrade firmware to version 1.006 to mitigate this vulnerability.

General Security Guidelines

Network-based vulnerability mitigations for embedded products

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that HTTP port 80 from unauthorized sources are blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to Port#80 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products .

General mitigations

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/security notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

Additional Links

Critical
PN1494 | VxWorks Vulnerabilities affect Programmable Automation Controllers, EtherNet/IP Communication Modules, I/O Modules, Kinetix 6500 Servo Drive, High-Frequency RFID Interface Block
Published Date:
August 11, 2021
Last Updated:
October 04, 2024
CVE IDs:
CVE-2019-12260, CVE-2019-12265, CVE-2019-12257, CVE-2019-12258, CVE-2019-12256, CVE-2019-12255, CVE-2019-12263, CVE-2019-12262, CVE-2019-12264, CVE-2019-12261, CVE-2019-12259
Products:
Network Address Translation (NAT) Device, 5069 Compact I/O, 1732E ArmorBlock I/O, Ethernet/IP Connected Products, High-Frequency RFID, 1756 ControlLogix I/O
CVSS Scores (v3.1):
9.8, 8.8, 7.5, 8.1, 6.3, 7.1, 5.4
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

 

Revision History
Revision Number
1.0
Revision History 
October 1, 2024 – Version 1.6 Updated Affected Catalog Numbers and Suggested Actions for ControlLogix EtherNet/IP Module
02-March-2020 - Version 1.4. Updated suggested risk mitigation & user actions.
11-November-2020 - Version 1.3. Corrected suggested actions.
16-November-2019 - Version 1.2. Updated Advisory.
30-July-2019 - Version 1.0. Initial Release.
Revision History
Revision Number
1.1
Revision History

09-October-2019 - Updated Advisory

On October 1st, 2019, it was reported (ICS-CERT Advisory: ICSA-19-274-01) that the series of TCP/IP stack vulnerabilities originally reported as impacting VxWorks systems were now found to impact additional real-time operating system vendors including ENEA, Green Hills Software, ITRON, and IP Infusion. Rockwell Automation is not aware of any products affected by the new advisory. An investigation is ongoing and this advisory will be updated when the investigation is complete.

 

Revision History
Revision Number
1.2
Revision History

16-November-2019 - Updated Advisory

Rockwell Automation completed an investigation into the additional, impacted real-time operating systems reported in ICS-CERT Advisory: ICSA-19-274-0, and concluded that no products are affected by this new advisory.

Revision History
Revision Number
1.3
Revision History
2-November-2020. Corrected suggested actions.

The Rockwell Automation PSIRT has updated the suggested actions for the for the ControlLogix 5580 and CompactLogix. Please refer to the Risk Mitigation & User Action section below for more information.

Revision History
Revision Number
1.4
Revision History
02-March-2020 - Version 1.4. Updated suggested risk mitigation & user actions.

The Rockwell Automation PSIRT has updated the suggested actions for the for the ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, and CompactLogix 5380. Please refer to the Risk Mitigation & User Action section below for more information.

Revision History
Revision Number
1.5
Revision History
04-August-2021 – Version 1.5 Updated firmware available for 1747-AENTR and 1769-AENTR
 
Revision History 

1.6

October 1, 2024 – Updated Affected Catalog Numbers and Suggested Actions for ControlLogix EtherNet/IP Module

Executive Summary

Armis, an Internet of Things (IoT) security firm, reported a total of eleven vulnerabilities to WindRiver that affect VxWorks, a real-time operating system (RTOS) utilized by many different technology vendors, including Rockwell Automation™. These vulnerabilities, if successfully exploited, may result in several impacts ranging from packet information disclosure to allowing a threat actor to execute arbitrary code on the targeted device.

Not every VxWorks vulnerability applies to every impacted product family. Please see the table under Affected Products for a full list of the potentially affected Rockwell Automation products and the corresponding VxWorks vulnerabilities, which are identified by their Common Vulnerabilities and Exposures (CVE) ID.

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.

Customers using potentially affected products are encouraged to evaluate their own systems and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products


 

 

Product Family

 

 

 

 

Catalogs

 

 

 

 

CVE-2019-12255

 

 

 

 

CVE-2019-12256

 

 

 

 

CVE-2019-12257

 

 

 

 

CVE-2019-12258

 

 

 

 

CVE-2019-12259

 

 

 

 

CVE-2019-12260

 

 

 

 

CVE-2019-12261

 

 

 

 

CVE-2019-12262

 

 

 

 

CVE-2019-12263

 

 

 

 

CVE-2019-12264

 

 

 

 

CVE-2019-12265

 

 

 

 

CompactLogix™ 5480 (EPIC controller)

 

 

 

 

5069-L4

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

Compact 5000™ I/O EtherNet/IP Adapter

 

 

 

 

5069-AEN2TR

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ControlLogix® 5580 (+ GuardLogix®)

 

 

 

 

1756-L8

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

CompactLogix Compact GuardLogix 5380

 

 

 

 

5069-L3 
5069-L3S2

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

CompactLogix 5370

 

 

 

 

1769-L3

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

CompactLogix GuardLogix 5370

 

 

 

 

1769-L3S

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

CompactLogix 5370

 

 

 

 

1769-L2

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

CompactLogix 5370

 

 

 

 

1769-L1

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ControlLogix EtherNet/IP Module

 

 

 

 

1756-EN2TSC/A

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ControlLogix EtherNet/IP Module

 

 

 

 

1756-EN2TSC/B

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ControlLogix EtherNet/IP Module

 

 

 

 

1756-EN2T/C

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ControlLogix EtherNet/IP Module

 

 

 

 

1756-EN2T/D

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ControlLogix EtherNet/IP Module

 

 

 

 

1756-EN4TR

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ControlLogix EtherNet/IP Module

 

 

 

 

1756-EN2TP/A

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ControlLogix EtherNet/IP Module

 

 

 

 

1756-EN2TR/B

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ControlLogix EtherNet/IP Module

 

 

 

 

1756-EN2TR/C

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ControlLogix EtherNet/IP Module

 

 

 

 

1756-EN3TR/A

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

ControlLogix EtherNet/IP Module

 

 

 

 

1756-EN3TR/B

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

X

 

 

 

 

ControlLogix EtherNet/IP Module

 

 

 

 

1756-EN2F/B

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

ControlLogix EtherNet/IP Module

 

 

 

 

1756-EN2F/C

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ControlLogix EtherNet/IP Module

 

 

 

 

1756-EN2TRXT

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

1783-NATR, Network Address Translation Router

 

 

 

 

1783-NATR

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ArmorBlock® I/O Modules

 

 

 

 

1732E-8CFGM8R

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ArmorBlock I/O Modules

 

 

 

 

1732E-IB8M8SOER

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ArmorBlock I/O Modules

 

 

 

 

1732E-IF4M12R

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ArmorBlock I/O Modules

 

 

 

 

1732E-IR4M12R

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ArmorBlock I/O Modules

 

 

 

 

1732E-IT4M12R

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ArmorBlock I/O Modules

 

 

 

 

1732E-OB8M8SR

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ArmorBlock I/O Modules

 

 

 

 

1732E-OF4M12R

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

ArmorBlock I/O Modules

 

 

 

 

1732E-8IOLM12R

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

Bulletin 56RF High-Frequency RFID

 

 

 

 

56RF-IN-IPD22

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

Bulletin 56RF High-Frequency RFID

 

 

 

 

56RF-IN-IPD22A

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

Bulletin 56RF High-Frequency RFID

 

 

 

 

56RF-IN-IPS12

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

SLC™ 500 EtherNet/IP Adapter

 

 

 

 

1747-AENTR

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

CompactLogix E/IP Adapter

 

 

 

 

1769-AENTR

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

Kinetix® 6200 Servo Multi-axis Drives

 

 

 

 

2094-SE02F-M00-Sx

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

Kinetix® 6500 Servo Multi-axis Drives

 

 

 

 

2094-EN02D-M01-Sx

 

 

 

 

x

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

 

 

 

 

 

 

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 

 

 

x

 

 
 

Vulnerability Details

Vulnerability #1: TCP Urgent Pointer = 0 leads to integer underflow
A remote, unauthenticated threat actor could either hijack an existing TCP session or establish a new TCP session to inject malformed TCP packets to the device, resulting in a denial of service condition to the application, or could allow the execution of arbitrary code on the affected device. Products implementing non-executable memory mitigations reduce the risk of exploitation.

CVE-2019-12255 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #2: Stack overflow in the parsing of IPv4 packets’ IP options
A remote, unauthenticated threat actor could send invalid IPv4 packets, resulting in a crash to the task that receives or transmits any Ethernet packets, or could allow the execution of arbitrary code on the affected device.

CVE-2019-12256 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #3: Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc
A remote, unauthenticated threat actor could utilize this vulnerability overwrite the heap, which may result in a crash later on when a task requests memory from the heap.

CVE-2019-12257 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned.

Vulnerability #4: Denial of Service (DoS) of TCP connection via malformed TCP options
A remote, unauthenticated threat actor who is able to figure out the source and destination TCP port and IP addresses of a session could potentially inject invalid TCP segments which cause the TCP session to be reset, resulting in a crash of the application that is reading from the affected socket.

CVE-2019-12258 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned.

Vulnerability #5: DoS via NULL dereference in IGMP parsing
An unauthenticated threat actor on the same Local Area Network (LAN) as the victim system may use this vulnerability to cause a Denial of Service condition to the task that receives and transmits Ethernet packets.

CVE-2019-12259 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned.

Vulnerability #6: TCP Urgent Pointer state confusion caused by malformed TCP AO option
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12260 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #7: TCP Urgent Pointer state confusion during connect() to a remote host
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12261 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System (“CVSS”) v3.0. A CVSS v3 base score of 8.8 has been assigned.

Vulnerability #8: Handling of unsolicited Reverse Address Resolution Protocol (ARP) replies
A threat actor on the same LAN as the victim system can send reverse-ARP responses to the victim system and assign IPv4 addresses to the target, which could potentially result in network connectivity issues if any of the ARP values collide.

CVE-2019-12262 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.

Vulnerability #9: TCP Urgent Pointer state confusion due to race condition
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12263 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned.

Vulnerability #10: Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
A threat actor on the same LAN as the victim system could hijack a DHCP client session which may result in the victim incorrectly assigning a multicast IP address that originated from the threat actor.

CVE-2019-12264 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.

Vulnerability #11: IGMP information leak via IGMPv3 specific membership report
This vulnerability may allow a threat actor on the same LAN as the victim system to transmit packets to the network that may contain information from packets that were previously sent/received by the network stack.

CVE-2019-12265 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned.

Risk Mitigation & User Action

Customers using affected products are encouraged evaluate their risk and when possible, combine the following risk mitigation strategies provided below with the general security guidelines.

  1. Ensure all devices are placed behind an external firewall and add a rule to drop or block any TCP segment where the “URG-flag” is set.
  2. Take the suggested actions for the products in the table below:
Product Catalog Numbers Suggested Actions

 

 

CompactLogix™ 5480 (EPIC Controller) 

 

 

 

 

5069-L4 

 

 

 

 

Upgrade to firmware version 32.013 (Download) or later. 

 

 

 

 

Compact 5000™ I/O EtherNet/IP Adapter 

 

 

 

 

5069-AEN2TR 

 

 

 

 

Will not be patched. Suggested action is to migrate to the 5069-AENTR. 

 

 

 

 

ControlLogix EtherNet/IP Module 

 

 

 

 

1756-EN2TSC/A 
1756-EN2TSC/B 

 

 

 

 

Will not be patched as it has been discontinued. 

 

 

 

 

ControlLogix EtherNet/IP Module 

 

 

 

 

1756-EN2T/D 
1756-EN2TP/A 
 
1756-EN2TR/C 
1756-EN2F/C 
1756-EN4TR 

 

 

1756-EN3TR/B 

 

 

 

 

Upgrade to firmware version 11.002 (Download) or later. 
(1756-EN4TR only) Upgrade to firmware version 3.001 (Download) or later. 

 

 

 

 

ControlLogix EtherNet/IP Module 

 

 

 

 

 

 

 

1756-EN2T/C 

 

 

1756-EN2F/B 

 

 

1756-EN2TR/B 

 

 

1756-EN3TR/A 

 

 

 

 

 

 

 

 

 

 

 No fix . Upgrade to 1756-EN2T/D, 1756-EN2TP/A, 1756-EN2TR/C, 1756-EN2F/C 
1756-EN4TR, or 1756-EN3TR/B  

 

 

 

 

ControlLogix 5580 

 

 

 

 

1756-L8 

 

 

 

 

Upgrade to firmware version 30.015 (Download) or version 31.013 (Download) or version 32.013 (Download) or later. 

 

 

 

 

GuardLogix 5580 

 

 

 

 

1756-L8S 

 

 

 

 

Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later. 

 

 

 

 

CompactLogix 5380 

 

 

 

 

5069-L3 

 

 

 

 

Upgrade to firmware version 30.015 (Download) version 31.013 (Download) or version 32.013 (Download) or later. 

 

 

 

 

Compact GuardLogix 5380 

 

 

 

 

5069-L3S2 

 

 

 

 

Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later. 

 

 

 

 

CompactLogix 5370 

 

 

 

 

1769-L3 
1769-L2 
1769-L1 

 

 

 

 

Upgrade to firmware version 32.013 (Download) or later. 

 

 

 

 

CompactLogix GuardLogix 5370 

 

 

 

 

1769-L3S 

 

 

 

 

Upgrade to firmware version 28.015 (Download) or version 32.013 (Download) or later. 

 

 

 

 

1783-NATR, Network Address Translation Route 

 

 

 

 

1783-NATR 

 

 

 

 

Upgrade to firmware version 1.005 (Download) or later. 

 

 

 

 

Kinetix® 6200 Servo Multi-axis Drives 

 

 

 

 

2094-SE02F-M00-Sx 

 

 

 

 

Upgrade to firmware version 1.050 (Download) or later. 

 

 

 

 

Kinetix® 6500 Servo Multi-axis Drives 

 

 

 

 

2094-EN02D-M01-Sx 

 

 

 

 

Upgrade to firmware version 3.005 (Download) or later. 

 

 

 

 

SLC 500 EtherNet/IP Adapter 

 

 

 

 

1747-AENTR 

 

 

 

 

Upgrade to firmware version 2.003 (Download) or later. 

 

 

 

 

CompactLogix E/IP Adapter 

 

 

 

 

1769-AENTR 

 

 

 

 

Upgrade to firmware version 1.002 (Download) or later. 

 

 

General Security Guidelines

  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222, Port# 44818, Port #80, and Port #161 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation products, see Knowledgebase Article ID 898270.
  • Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Please recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

 

High
PN1575 | PN1575 | Interniche Vulnerabilities present in Rockwell Automation Products – “INFRA:HALT”
Published Date:
August 09, 2021
Last Updated:
August 09, 2021
CVE IDs:
CVE-2020-25767, CVE-2020-35684, CVE-2020-35685, CVE-2021-31400, CVE-2021-36762, CVE-2020-25926, CVE-2021-31226, CVE-2021-31401, CVE-2021-31228, CVE-2020-25928, CVE-2020-25927, CVE-2021-31227, CVE-2020-27565, CVE-2020-35683
Products:
AADvance, 1715 Distributed I/O, 1715 Redundant I/O, ArmorStart
CVSS Scores:
8.2, 4.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – August 9, 2021

Executive Summary

Rockwell Automation received a report from CERT/CC with research done by Forescout Technologies and Vdoo regarding fourteen vulnerabilities in the products listed below. If successfully exploited, these vulnerabilities may result in the products faulting and/or ceasing communications, requiring the power to be cycled to the product to recover.

Customers using affected versions of these products are encouraged to evaluate the following mitigations provided below and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided below.

Affected Products

20-COMM-ER All Versions
ArmorStart 28xE All Versions
1715-AENTR All Versions
AADvance Safety Controller All Versions
AADvance Eurocard Controllers All Versions

Vulnerability Details

CVE-2020-25767: Malformed DNS Response could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to form a malformed response to a DNS request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-25928: Malformed DNS Response could cause a device to fault due to a heap overflow.

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed DNS response, which would result in a heap-buffer overflow resulting in a possible information leak, remote code execution, or the device to fault and/or cease communications requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 9.8/10 [CRITICAL]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CVE-2020-25927: Malformed DNS Response could cause a device to fault.

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed DNS response, which would result in an Out-of-Bounds read resulting in a device fault and/or cessation of communications requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 8.2/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H


CVE-2020-25926: Insufficiently randomized transaction IDs could facilitate DNS cache poisoning attacks

A REMOTE, UNAUTHENTICATED attacker may be able to poison the DNS cache of the device due to transaction IDs not being properly randomized.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 4.0/10 [MEDIUM]
Researcher CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N


CVE-2020-27565: Malformed HTTP request could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-35683: Malformed ICMP packet could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed ICMP packet, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-35684: Malformed ICMP packet could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed ICMP packet, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


CVE-2020-35685: TCP connections may be hikjacked due to an insufficiently random source

A REMOTE, UNAUTHENTICATED attacker may be able to hijack a TCP connection and spoof the device’s network connections.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31400: Malformed TCP segment could cause device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed TCP segment, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31401: Malformed TCP header could cause device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed TCP header, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31226: Malformed HTTP POST request could cause device to fault or bypass authentication

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP Post request, which would result in the device faulting and/or ceasing communications and requiring a power cycle, or possibly bypassing an authentication attempt.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 9.1/10 [CRITICAL]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H


CVE-2021-31227: Malformed HTTP POST request could cause device to fault by overwriting memory

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP Post request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N


CVE-2021-31228: Non-random source port could lead to a spoofed DNS response

A REMOTE, UNAUTHENTICATED attacker may be able to spoof a DNS response, which would result in the device communicating with a potentially malicious server.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 4.0/10 [MEDIUM]
Researcher CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N


CVE-2021-36762: TFTP packet processing function does not ensure that the filename is null-terminated

Rockwell Automation is not impacted by this vulnerability

Risk Mitigation & User Action

Customers using the affected firmware are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.
Product Vulnerability Mitigation
20-COMM-ER CVE-2021-31226
CVE-2021-31227		 Disable the webserver.
See the product’s user manual for the procedure to do this.

General Security Guidelines

  • Use proper network infrastructure controls, such as firewalls, to help confirm that DNS traffic from unauthorized sources is blocked.
  • Block traffic to port 80 (HTTP) and ICMP traffic using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

High
PN1571 | PN1571 | MicroLogix 1100 Persistent CPU Fault Vulnerability
Published Date:
July 09, 2021
Last Updated:
July 09, 2021
CVE IDs:
CVE-2021-33012
Products:
1763 MicroLogix 1100
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History

Version 1.0 – July 9, 2021. Initial Release

Executive Summary

Rockwell Automation received a report from Beau Taub at Bayshore Networks regarding a vulnerability in the MicroLogix 1100. If successfully exploited, this vulnerability may limit the availability of the programmable logic controller. Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • MicroLogix 1100, all versions.

Vulnerability Details

CVE-2021-33012: Persistent fault may lead to denial of service conditions.

A vulnerability exists in the MicroLogix 1100 that may allow a remote, unauthenticated attacker to cause a persistent fault condition. This condition will prevent the PLC from entering a RUN state which cannot be fixed by resetting the device. If successfully exploited, this vulnerability will cause the controller to fault when the controller is switched to RUN mode.

CVSS v3.1 Base Score: 8.6 /10 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected firmware are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Vulnerability

Suggested Actions

CVE-2021-33012

Put the controller mode switch to “Run” mode. Customer’s should consider migrating to a more contemporary controller.
Customers are encouraged to have a backup copy of the project in the case it is necessary to recover from an event.

A controller in this state can be recovered by downloading a new project to the controller or an offline copy of the project.

Additionally, Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines on how to use Rockwell Automation products to improve the security of their industrial automation systems.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

  • Use proper network infrastructure controls, such as firewalls, to help confirm that EtherNet/IP™ network traffic from unauthorized sources are blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

High
PN1569 | PN1569 | FactoryTalk Security Remote Desktop Connection ‘Computer Name’ Policy Bypass Vulnerability
Published Date:
June 10, 2021
Last Updated:
June 10, 2021
CVE IDs:
CVE-2021-32960
Products:
FactoryTalk Services Platform
CVSS Scores:
8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 10, 2021. Initial Release.

Executive Summary

Rockwell Automation discovered a vulnerability in FactoryTalk® Security, part of FactoryTalk Service Platform. This vulnerability, if successfully exploited, may allow remote, authenticated users to bypass FactoryTalk Security policies that are based on a computer name. These policies may be important to customers who are concerned about users at an engineering workstation having ‘line-of-site’ visibility to the systems they are operating.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed.

Vulnerability Details

CVE-2021-32960: FactoryTalk Security protection mechanism failure for remote desktop connections
FactoryTalk Services Platform contains a vulnerability that may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on the computer name. If successfully exploited, this may allow an attacker to have the same privileges as if they were logged on to the client machine.

CVSS v3.1 Base Score: 8.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these tactics with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Suggested Actions
CVE-2021-32960 Apply FactoryTalk Services Platform v6.20 or later.

If upgrade is not possible, customers should consider the following guidance:
  • When possible, do not utilize remote desktop connections.
  • Use Microsoft® Event Logger or similar event logging application to monitor atypical remote desktop connections and disconnections. Information on Setting up Windows® Event Logs is available at Knowledgebase Article QA5965.

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knoweldgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS

Medium
PN1566 | PN1566 | Micro800 and MicroLogix 1400 Vulnerable to Man-in-the-Middle Attack
Published Date:
May 25, 2021
Last Updated:
May 25, 2021
CVE IDs:
CVE-2021-32926
Products:
Micro800, 1766 MicroLogix 1400
CVSS Scores:
6.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – May 25, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Adeen Ayub from Virginia Commonwealth University, Hyunguk Yoo from The University of New Orleans, and Irfan Ahmed from Virginia Commonwealth University regarding a man-in-the-middle vulnerability in the Micro800™ and MicroLogix™ 1400. If successfully exploited, this vulnerability may result in denial-of-service conditions. To recover from this condition, a firmware flash on the controller will need to be performed. Firmware flashing will put the controller into the default state and the user program and data will be lost.

Customers using affected products are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Micro800, all versions.
MicroLogix 1400, version 21 and later when Enhanced Password Security enabled.

Vulnerability Details

CVE-2021-32926: Improper authentication may lead to denial of service conditions
A vulnerability exists in how the Micro800 and MicroLogix 1400 controllers authenticate password change requests. If successfully exploited, this vulnerability may allow a remote, unauthenticated attacker to perform a man –in-the-middle attack in which the attacker intercepts the message that includes the legitimate, new password hash and replaces the legitimate password hash with an illegitimate hash. The user would no longer be able to authenticate to the controller causing a denial-of-service condition.


CVSS v3.1 Base Score: 6.1/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected controllers are directed towards risk mitigation. Rockwell Automation has determined that this vulnerability cannot be remediated with a patch. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.
Vulnerability Suggested Actions
CVE-2021-32926 Confirm that setting and updating the password for the controller is done within a trusted network environment that is only accessible to authorized users.

If this vulnerability is successfully exploited, the password can be reset by performing a firmware flash on the controller.  The password can be reset by performing a firmware flash on the controller. Firmware flashing will put the controller into the default state and the user program and data will be lost.

A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To leverage the vulnerability, an unauthorized user would require access to the same network as the controller. Customers should confirm they are employing proper networking segmentation and security controls.

Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines on how to use Rockwell Automation products to improve the security of their industrial automation systems.

General Security Guidelines

  • Use proper network infrastructure controls, such as firewalls, to confirm that CIP™ traffic from unauthorized sources is blocked.
  • Block all traffic to EtherNet/IP™ or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 44818 and Port# 2222  using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS

High
PN1565 | PN1565 | Connected Components Workbench Vulnerable to Multiple Phishing-Style Attacks
Published Date:
May 13, 2021
Last Updated:
May 13, 2021
CVE IDs:
CVE-2021-27473, CVE-2021-27471, CVE-2021-27475
Products:
Connected Components Workbench
CVSS Scores:
6.1, 7.7, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 13, 2021. Initial Release.

Executive Summary

Rockwell Automation received a report from Mashav Sapir of Claroty regarding three vulnerabilities in Connected Components Workbench™. If successfully exploited, these vulnerabilities may result in directory traversal, privilege escalation, and arbitrary code execution. These vulnerabilities all require user interaction through a phishing attack, for example, to be successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Connected Components Workbench v12.00.00 and below.

Vulnerability Details

CVE-2021-27475: Deserialization of untrusted data may result in arbitrary code execution
Connected Components Workbench does not limit the objects, which can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2021-27471: Directory traversal vulnerability may lead to privilege escalation
The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that when opened by Connected Components Workbench can traverse the file system. If successfully exploited, an attacker would be able to overwrite existing files and create additional files with the same permissions of the Connected Components Workbench software. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 7.7/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2021-27473: Improper input sanitization may lead to privilege escalation
Connected Components Workbench does not to sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that when opened by Connected Components Workbench will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 6.1/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Suggested Actions
CVE-2021-27475
CVE-2021-27471
CVE-2021-27471		 Upgrade to Connected Components Workbench v13.00.00 or later. (Link)

If upgrade is not possible, customers should consider deploying the following mitigations:
  • Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted .ccwarc, files with Connected Components Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use of Microsoft® AppLocker or another similar allow list application that can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS

Critical
PN1564 | PN1564 | DNS Name:Wreck Vulnerabilities Affect Multiple Rockwell Automation Products
Published Date:
April 28, 2021
Last Updated:
April 28, 2021
CVE IDs:
CVE-2016-20009
Products:
5069 CompactLogix, Communications Modules, 1769 CompactLogix Controllers, 1756 ControlLogix
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - April 26, 2021. Initial release.
Revision History
Revision Number
1.1
Revision History
Version 1.1 - April 28, 2021. Updated affected products and suggested user actions.

Executive Summary

On April 12, 2021 Forescout and JSOF released a report titled "NAME:WRECK" regarding nine DNS-related vulnerabilities against 4 TCP/IP stacks utilized by many different technology vendors, including Rockwell Automation™. Rockwell Automation is impacted by one of these nine reported vulnerabilities. This vulnerability, if successfully exploited, may result in remote code execution.

Rockwell Automation continues to investigate impact of these vulnerabilities and will update this advisory if additional products are impacted. We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview  within the Knoweldgebase.

Customers using potentially affected products are encouraged to evaluate their own systems and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerablity and recommended countermeasures, are provided herein.

Affected Products

Product Family Catalogs Affected Versions
Compact 5000™ I/O EtherNet/IP Adapter 5069-AEN2TR All versions.
CompactLogix 5370 1769-L1y
1769-L2y
1769-L3y		 All versions prior to v30.
1769-L3yS All versions prior to v30, excluding v28.015
ControlLogix® 5580 1756-L8 All versions prior to v30.
CompactLogix 5380 5069-L3 All versions prior to v30.
ControlLogix EtherNet/IP Module 1756-EN2T/D
1756-EN2TK/D
1756-EN2TXT/D
1756-EN2F/C
1756-EN2FK/C
1756-EN2TR/C
1756-EN2TRK/C
1756-EN2TRXT/C
1756-EN3TR/B
1756-EN3TRK/B
1756-EN2TPK/A
1756-EN2TPXT/A 		All versions prior to v11.001.
1756-EN2TP/A All versions prior to v10.020.

Note: GuardLogix® 5580 and Compact GuardLogix® 5380 are not affected by this vulnerability.

Vulnerability Details

CVE-2016-20009: Stack-based overflow in the IPnet may lead to remote code execution
In Wind River VxWorks versions 6.5 through 7, the DNS client (IPnet) has a stack-based overflow on the message decompression function. This may allow a remote, unauthenticated attacker to perform remote code execution.

CVSS v3.1 Base Score: 9.8/10[CRITICAL]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Product Family Catalogs Suggested Actions
Compact 5000™ I/O EtherNet/IP Adapter 5069-AEN2TR Will not be patched. Suggested action is to migrate to the 5069-AENTR.
CompactLogix 5370 1769-L1y
1769-L2y
1769-L3y		 Apply v30 or later.
1769-L3yS Apply v28.015 or v30 or later
ControlLogix® 5580 1756-L8 Apply v30 or later.
CompactLogix 5380 5069-L3
Apply v30 or later.
ControlLogix EtherNet/IP Module 1756-EN2T/D
1756-EN2TK/D
1756-EN2TXT/D
1756-EN2F/C
1756-EN2FK/C
1756-EN2TR/C
1756-EN2TRK/C
1756-EN2TRXT/C
1756-EN3TR/B
1756-EN3TRK/B
1756-EN2TPK/A
1756-EN2TPXT/A 		Apply v11.001 or later.
1756-EN2TP/A Apply v10.020 or later.

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help confirm that traffic from unauthorized sources are blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting which may be used to block unauthorized changes, etc.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knoweldgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Critical
PN1559 | PN1559 | FactoryTalk AssetCentre Vulnerable to Arbitrary Code Execution
Published Date:
April 01, 2021
Last Updated:
April 01, 2021
CVE IDs:
CVE-2021-27466, CVE-2021-27460, CVE-2021-27474, CVE-2021-27468, CVE-2021-27470, CVE-2021-27462, CVE-2021-27464, CVE-2021-27476, CVE-2021-27472
Products:
FactoryTalk AssetCentre
CVSS Scores:
10
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – April 1, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding nine vulnerabilities in FactoryTalk® AssetCentre software. These vulnerabilities, if successfully exploited, may allow unauthenticated attackers to perform arbitrary command execution, SQL injection, or remote code execution.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk AssetCentre, v10.00 and earlier.

Vulnerability Details

CVE-2021-27462: Deserialization of untrusted data in AosService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the AosService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27466: Deserialization of untrusted data in ArchiveService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the ArchiveService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27470: Deserialization of untrusted data in LogService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the LogService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27474: Improperly restricted functions may result in loss of data integrity
FactoryTalk AssetCentre does not properly restrict all functions relating to IIS remoting services. This vulnerability may allow a remote, unauthenticated attacker to modify sensitive data in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27476: RACompareService service vulnerable to OS command injection
A vulnerability exists in the SaveConfigFile function of the RACompareService service that may allow for OS Command Injection. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27472: SearchService service vulnerable to SQL injection
A vulnerability exists in the RunSearch function of SearchService service, which may allow for the execution of remote unauthenticated arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27468: AosService.rem vulnerable to SQL injection
The AosService.rem service exposes functions that lack proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27464: ArchiveService.rem vulnerable to SQL injection
The ArchiveService.rem service exposes functions that lack proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27460: Server deserialization of untrusted data in .NET remoting endpoints may lead to remote code execution
FactoryTalk AssetCentre components contain .NET remoting endpoints that deserialize untrusted data without sufficiently verifying that the resulting data will be valid. This vulnerability may allow a remote, unauthenticated attacker to gain full access to the FactoryTalk AssetCentre main server and all agent machines.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Vulnerability Suggested Actions
CVE-2021-27462
CVE-2021-27466
CVE-2021-27470
CVE-2021-27474
CVE-2021-27476
CVE-2021-27472
CVE-2021-27468
CVE-2021-27464
CVE-2021-27460		 Apply FactoryTalk AssetCentre v11 or above (Download).

As an additional mitigation, customers who are unable to upgrade or are concerned about unauthorized client connections are encouraged to deploy IPsec, a built in security feature found within FactoryTalk AssetCentre. Users should follow guidance found in QA46277. IPsec would minimize exposure to unauthorized clients and has been tested in FactoryTalk AssetCentre v9 – v11.

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
 General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Medium
PN1588 | PN1588 | File Parsing XML Entity in Multiple Products
Published Date:
March 28, 2021
Last Updated:
March 28, 2021
CVE IDs:
CVE-2022-1018
Products:
Using CCW with Micro800 Controllers, ISaGRAF, Using CCW with Component Class Drives, Using CCW with PanelView Component Terminals
CVSS Scores:
5.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision History
Version 1.0 – March 28, 2021

Executive Summary

Rockwell Automation received a report from the researcher Kimiya through Trend Micro’s Zero Day Initiative which identified vulnerabilities in Connected Components Workbench, ISaGRAF Workbench and Safety Instrumented Systems Workbench for AADvance and Trusted controllers. If successfully exploited, these vulnerabilities may result in information leakage and loss of confidentiality. This vulnerability requires user interaction through a phishing attack, for example, to be successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • Connected Component Workbench Version 12.00 and Below
  • ISaGRAF Workbench 6.6.9 and below
  • Safety Instrumented Systems Workstation 1.1 and below

Vulnerability Details

CVE-2022-1018 XML External Entity Leads to Information Leak

When opening a malicious solution file provided by an attacker, the application suffers from an XML External Entity vulnerability due to an unsafe call within a dynamic link library file.

As a result, this could be exploited to pass data of local files of the victim to a remote web server controlled by an attacker leading to a loss of confidentiality.

CVSS v3.1 Base Score: 5.5/10 [Medium]
CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected versions of this software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Product Suggested Actions
Connected Components Workbench Version  12.00 and below Customers should update to Version 13.00 which mitigates this vulnerability.
ISaGRAF Workbench 6.6.9 and below
It is recommended that customers follow the guidelines below until a patch is available.
SIS Workstation 1.1 and below Customers should update to version 1.2 which mitigates this vulnerability.

If an upgrade is not possible or available, customers should consider deploying the following mitigations:
  • Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Do not open untrusted files with Connected Component Workbench, ISaGRAF, SISW. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

High
PN1558 | PN1558 | Stratix Switches Impacted by IOS and IOS XE Software Vulnerabilities
Published Date:
March 26, 2021
Last Updated:
March 26, 2021
CVE IDs:
CVE-2021-1452, CVE-2021-1442, CVE-2021-1443, CVE-2021-1392, CVE-2021-1403, CVE-2021-1220, CVE-2021-1352
Products:
Stratix 5400 Industrial Ethernet Switch, Stratix 8300 L3 Modular Managed Switch, Stratix 5410 Ind Distribution Switch, Stratix 8000 Modular Managed Switch
CVSS Scores:
7.8, 7.4, 6.8, 4.3, 5.5, 7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - March 26, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Cisco regarding eight vulnerabilities in Stratix® switches. If successfully exploited, these vulnerabilities may result in denial-of-service conditions, unauthorized privilege escalation, web socket hijacking, relative path traversal or command injection.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

CVE ID Affected Product Family Affected Versions





CVE-2021-1392
Stratix 5800
16.12.01 and earlier

Stratix 8000
Stratix 5700
Stratix 5410
Stratix 5400

15.2(7)E3 and earlier

Stratix 8300
All Versions
CVE-2021-1403 Stratix 5800 16.12.01 and earlier
CVE-2021-1352 Stratix 5800 17.04.01 and earlier, if DECnet is enabled.
CVE-2021-1442 Stratix 5800 16.12.01 and earlier
CVE-2021-1452 Stratix 5800 16.12.01 and earlier
CVE-2021-1443 Stratix 5800 17.04.01 and earlier
CVE-2021-1220
CVE-2021- 1356		 Stratix 5800 17.04.01 and earlier

Vulnerability Details

CVE-2021-1392: IOS and IOS XE Software Common Industrial Protocol (CIP) Privilege Escalation Vulnerability
A vulnerability in the CLI command permissions of Cisco® IOS and Cisco IOS XE software could allow an authenticated, local attacker to retrieve the password for Common Industrial Protocol (CIP™) and then remotely configure the affected device as an administrative user.

CVSS v3.1 Base Score: 7.8/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1403: IOS XE Software Web UI Cross-Site WebSocket Hijacking Vulnerability
A vulnerability in the web UI feature of Cisco IOS XE software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking (CSWSH) attack and cause a denial of service (DoS) condition on an affected device.

CVSS v3.1 Base Score: 7.4/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

CVE-2021-1352: IOS XE Software DECnet Phase IV/OSI Denial of Service Vulnerability
A vulnerability in the DECnet protocol processing of Cisco IOS XE software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. An attacker could exploit this vulnerability by sending DECnet traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

This vulnerability affects Stratix 5800 devices if they are running a vulnerable release of Cisco IOS XE software and have the DECnet protocol enabled. DECnet is not enabled by default.

CVSS v3.1 Base Score: 7.4 /10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2021-1442: IOS XE Software Plug-and-Play Privilege Escalation Vulnerability
A vulnerability in a diagnostic command for the Plug and Play (PnP) subsystem of Cisco IOS XE software could allow an authenticated, local attacker to elevate privileges to the level of an Administrator on an affected Stratix 5800.

Plug and Play is disabled after Express Setup has completed.

CVSS v3.1 Base Score: 7.0/10[High]
CVSS v3.1 Vector: CVSS: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1452: IOS XE ROM Monitor Software OS Command Injection Vulnerability
A vulnerability in the Stratix 5800 switches could allow an unauthenticated, physical attacker to execute persistent code at boot time and break the chain of trust.

CVSS v3.1 Base Score: 6.8/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1443: IOS XE Software Web UI OS Command Injection Vulnerability
A vulnerability in the web UI of the IOS XE software could allow a remote, authenticated attacker to execute arbitrary code with root privileges on the underlying operating system of the affected device. To exploit this vulnerability, an attacker would need to have Admin credentials to the device.

CVSS v3.1 Base Score: 5.5/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

CVE-2021-1220/CVE-2021- 1356: IOS XE Software Web UI Denial-of-Service Vulnerabilities
Multiple vulnerabilities in the Web UI feature of IOS XE software could allow an authenticated, remote attacker with read-only privileges to cause the web management software to hang and consume vty line instances resulting in a denial-of-service (DoS) condition.

CVSS v3.1 Base Score: 4.3/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected Stratix devices are encouraged to update to an available firmware revision that addresses the associated risk.

Where a fix is not yet available, customers are directed towards the risk mitigation strategies provided below, and are encouraged, when possible, to apply general security guidelines to employ multiple strategies simultaneously.

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available.
CVE ID Affected Product Family Affected Firmware Versions Suggested Actions





CVE-2021-1392
Stratix 5800
16.12.01 and earlier		 Apply version 17.04.01 or later.

Stratix 8000
Stratix 5700
Stratix 5410
Stratix 5400

15.2(7)E3 and earlier		 Confirm that the least-privilege user principle is followed, and user account access to is only granted with a minimum number of rights as needed.

Stratix 8300
All Versions
 Migrate to contemporary solution.
CVE-2021-1403 Stratix 5800 16.12.01 and earlier Apply version 17.04.01 or later.
CVE-2021-1352 Stratix 5800 17.04.01 and earlier, if DECnet is enabled. If possible, disable DECnet protocol completely or on select interfaces.


To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense in depth strategies.
CVE-2021-1442 Stratix 5800 16.12.01 and earlier Apply version 17.04.01 or later.
CVE-2021-1452 Stratix 5800 16.12.01 and earlier Apply version 17.04.01 or later.
CVE-2021-1443 Stratix 5800 17.04.01 and earlier Confirm that the least-privilege user principle is followed, and user account access to is only granted with a minimum number of rights as needed.
CVE-2021-1220
CVE-2021- 1356		 Stratix 5800 17.04.01 and earlier Confirm that the least-privilege user principle is followed, and user account access to is only granted with a minimum number of rights as needed.

General Security Guidelines


Network-based Vulnerability Mitigations for Embedded Products
  • Us proper network infrastructure controls, such as firewalls, to help confirm that traffic from unauthorized sources is blocked.
  • Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.
Software/PC-based Mitigation Strategies
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
General Mitigations
  • Use trusted firmware, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715..
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

High
PN1551 | PN1551 | 1734-AENTR Series B and Series C Contains Multiple Web Vulnerabilities
Published Date:
March 04, 2021
Last Updated:
March 04, 2021
CVE IDs:
CVE-2020-14504, CVE-2020-14502
Products:
1734 Point I/O
CVSS Scores:
7.5, 4.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – March 4, 2021. Initial Release.

Executive Summary

Rockwell Automation received a report from Adam Eliot of the Loon Security Team regarding two vulnerabilities in the web interface of the 1734-AENTR Series B and Series C communications module. If successfully exploited, these vulnerabilities may lead to data modification on the device.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

1734-AENTR Series B, versions 4.001 to 4.005, and 5.011 to 5.01.
1734-AENTR Series C, versions 6.011 and 6.012.

Vulnerability Details

CVE-2020-14504: Unauthenticated HTTP POST Requests
The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request which may allow for modification of the configuration settings.

CVSSv3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2020-14502: Stored Cross Site Scripting (XXS)
The web interface of the 1734-AENTR Communications module is vulnerable to stored XSS. A remote, unauthenticated attacker could store a malicious script within the web interface that, when executed, could modify some string values on the “Home” page of the web interface.

CVSS v3.1 Base Score: 4.7/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Risk Mitigation & User Action

Customers using the affected 1734-AENTR Series B and Series C are encouraged to update to an available firmware version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Details Recommended User Actions
CVE-2020-14504
CVE-2020-14502		 1734-AENTR Series B, update to firmware version 5.018. (Download).

1734-AENTR Series C, update to firmware version 6.013. (Download).

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.

General Mitigations
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

High
PN1543 | PN1543 | Writable Path Directory in DriveTools SP and Drives AOP
Published Date:
February 15, 2021
Last Updated:
February 15, 2021
CVE IDs:
CVE-2021-22665
Products:
9303 DriveTools SP
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

 

Revision History
Revision Number
1.1

Executive Summary

Rockwell Automation received a report from both Cim Stordal of Cognite and Claroty regarding a vulnerability in DriveTools™ and Drives AOP. If successfully exploited, this vulnerability may result in privilege escalation and total loss of device confidentiality, integrity, and availability.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Special thanks to both Cognite and Claroty for their work discovering this vulnerability.

Affected Products

DriveExecutive v5.13 and below.
DriveTools SP v5.13 and below.
Drives AOP v4.12 and below.

Vulnerability Details

CVE-2021-22665: Privilege Escalation Vulnerability due to Uncontrolled Search Path Element
DriveTools and Drives AOP both contain a vulnerability that a local attacker with limited privileges may be able to exploit resulting in privilege escalation and complete control of the system.

CVSS v3.1 Score: 7.5/10 High
CVSS v3.1 Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards the risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Suggested Actions
CVE-2021-22665 Apply DriveTools SP v5.14 or later Download).
Apply Drives AOP v4.13 or later (Download).

Customers using affected versions can reach out to their account manager or distributor to request a newer version.

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 .
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
 
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

 

High
PN1531 | PN1531 | 1794-AENT Flex I/O Series B Contains Multiple Denial of Service Vulnerabilities
Published Date:
February 02, 2021
Last Updated:
February 02, 2021
CVE IDs:
CVE-2020-6085, CVE-2020-6084, CVE-2020-6088, CVE-2020-6083, CVE-2020-6087, CVE-2020-6086
Products:
Flex I/O, 1794 Flex, 1794/5094 Distributed I/O
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.1
Revision History

November 4, 2020 - Version 1.1. Updated Vulnerability Details.


October 12, 2020 - Version 1.0. Initial Version.
Revision History
Revision Number
2.0
Revision History

February 2, 2021 - Version 2.0. Updated Risk Mitigation & User Actions.


Executive Summary

Rockwell Automation received a report from Jared Rittle of Cisco Talos regarding three vulnerabilities in the 1794-AENT Flex I/O Series B  adapter. If successfully exploited, these vulnerabilities may lead to denial-of-service conditions.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

1794-AENT Flex I/O, Series B, versions 4.003 (and earlier).

Vulnerability Details

CVE-2020-6083: Denial of Service due to Ethernet/IP Request Path Port Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Port Segment. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in a denial-of-service condition on the device.

CVSS v3.1 Base Score: 7.5 /10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-6084, CVE-2020-6085: Denial of Service due to Ethernet/IP Request Path Logical Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Logical Segment. This vulnerability could allow a remote unauthenticated attacker to send a malicious packet resulting in the device entering a fault state causing a denial-of-service condition.

CVSS v3.1 Base Score:7.5 /10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-6086, CVE-2020-6087: Denial of Service due to Ethernet/IP Request Path Data Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Data Segment. This vulnerability could allow a remote unauthenticated attacker to send a malicious packet resulting in the device entering a fault state causing a denial-of-service condition.

CVSS v3.1 Base Score:7.5 /10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Version 1.1 Update:
CVE-2020-6088: Denial of Service due to Ethernet/IP Request Path Network Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Network Segment. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in a denial-of-service condition on the device.

CVSS v3.1 Base Score: 7.5 /10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected firmware versions are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Vulnerabilities Affected Products Suggested Mitigations
CVE-2020-6083
CVE-2020-6084
CVE-2020-6085
CVE-2020-6086
CVE-2020-6087
CVE-2020-6088		 1794-AENT Flex I/O, Series B, firmware versions 4.003 and earlier Version 2.0:
Apply firmware v4.004 (download).

Version 1.0:
It is recommended for customers to use this module in the Cell Area/Zone (Level 1) as defined on page 16 of the System Security Design Guidelines and only accept CIP connections from trusted sources via port 44818.

For successful exploitation, these vulnerabilities require Ethernet/IP packets to reach the destination device. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies

Customers should consider using proper network infrastructure controls, such as firewalls, UTM devices, VPN, or other security appliances.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.

Social Engineering Mitigation Strategies
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@rockwellautomation.com).

High
PN1545 | PN1545 | Modbus Vulnerability may lead to Denial-of-Service conditions in the MicroLogix 1400 Controller
Published Date:
January 28, 2021
Last Updated:
January 28, 2021
CVE IDs:
CVE-2021-22659
Products:
1766 MicroLogix 1400
CVSS Scores:
8.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - January 28, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Parul Sindhwad and Dr. Faruk Kazi from COE-CNDS, Veermata Jijabai Technological Institute (VJTI), India regarding a vulnerability in the MicroLogix™ 1400 controller. If successfully exploited, this vulnerability may result in denial-of-service conditions.

This vulnerability does not impact MicroLogix 1400 controller users who have Modbus TCP disabled.

Customers using affected versions of this controller are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

MicroLogix 1400, all series version 21.6 and below.

Vulnerability Details

CVE-2021-22659: Buffer Overflow may lead to Denial-of-Service Conditions
A remote, unauthenticated attacker may be able to send specially crafted Modbus packet which would allow the attacker to retrieve or modify random values in the register. If successfully exploited, this may lead to a buffer overflow resulting in a denial-of-service condition. The FAULT LED will flash RED and communications may be lost. Recovery from denial-of-service condition requires the fault to be cleared by the user.

CVSS v3.1 Base Score: 8.1/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H

Risk Mitigation & User Action

Customers using the affected controller are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

All users, if applicable, may disable Modbus TCP support if it is not necessary for their MicroLogix 1400 implementation. Without Modbus TCP enabled, a potential attacker does not have access to exploit the device using this vulnerability.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls (such as firewalls) to help ensure Modbus TCP from unauthorized sources are blocked.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490.

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
  • Ensure that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index. .

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS

Medium
PN794 | PN794 | RSLogix 5000 Studio 5000 Logix Designer Source Protection Vulnerability
Published Date:
January 25, 2021
Last Updated:
January 25, 2021
CVE IDs:
CVE-2014-0755
Products:
Logix Designer
CVSS Scores:
6.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
2.0
Revision History
Version 2.0 – January 25, 2021 – Advisory updated for clarification.
Revision History
Revision Number
1.0
Revision History
Version 1.0 – February 04, 2014 – Initial Release. Originally Titled “RSLogix™ 5000 Password Vulnerability”.

Executive Summary

It has come to Rockwell Automation’s attention that a vulnerability exists in RSLogix 5000® and Studio 5000 Logix Designer® that, when exploited, provides access to content that was secured using Source Key Protection, and in some instances, may expose the password used for that protection.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.


Affected Products

Project content applying access control with Source Key Protection using an sk.dat file in RSLogix 5000 and/or Studio 5000 product software v7 and above.

Note: This does not apply to project content protected with License Source Protection. To determine what solution is in use, refer to Logix 5000 Controllers Security, 1756-PM016O-EN-P.

Vulnerability Details

CVE-2014-0755: Insufficiently Protected Credentials
A vulnerability exists in RSLogix 5000 and Studio 5000 Logix Designer that, when exploited, may allow a local, unauthenticated attacker to access and modify project files that are password protected using Source Key Protection and, in some instances, may expose those passwords. Project files include files with the ACD, L5X, or L5K extensions. Successful exploitation will not directly disrupt the operation of Rockwell Automation programmable controllers or other devices in the control system.

CVSS v2 Base Score: 6.3
CVSS v2 Vector: AV:L/AC:M/AU:N/C:C/I:C/A:N

Risk Mitigation & User Action

Customers using the affected software versions are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed toward the risk mitigation strategies provided below and are encouraged, when possible, to combine these tactics with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Details Recommended User Actions
CVE-2014-0755 Risk Mitigation Strategy A:
For stronger protection, apply License Source Protection introduced in v26.

To apply License Source Protection to content that is protected with Source Key Protection, the Source Key Protection must be removed prior to applying License Source Protection. Once content is protected with License Source Key, it must be downloaded to the appropriate controller to mitigate the risk associated with this vulnerability. Refer to Logix
5000 Controllers Security, 1756-PM016O-EN-P (rockwellautomation.com) for more information about Source Protection

Risk Mitigation Strategy B:
In addition to using current software, we also recommend the following actions to concerned customers who continue to use Source Key Protection. Where possible:
  • Adopt a practice to track creation and distribution of protected ACD files, including duplicates and derivates that contain protected content if these files may need to be found or potentially disposed of in the future.
  • Securely archive project files that contain content password protected with Source Key Protection in a manner that prevents unauthorized access. For instance, store project files that use Source Key Protection in physical and logical locations where access can be controlled, and the files are stored in a protected and potentially encrypted manner.
  • Securely transmit project files that contain content password protected with Source Key Protection in a manner that prevents unauthorized access. For instance, email stored project files that use Source Key Protection only to known recipients and encrypt the files such that only the target recipient can decrypt the content.
  • Restrict the physical network access to controllers containing password protected content only to authorized parties to help prevent unauthorized uploading of protected material in an ACD file. Note: For some customers, FactoryTalk Security software may be a suitable option to assist customers with applying a role-based access control solution to their system. FactoryTalk Security was integrated into RSLogix 5000 v10.00 and above.
  •  Adopt a password management practice to periodically change passwords applied to routines and Add-On Instructions to help mitigate the risk that a learned password may remain useable for an extended period or indefinitely.


IMPORTANT: Files with Source Key Protection password protected content that have been opened and updated using v20.03 software and above will no longer be compatible with earlier versions of the software. For example, a v20.01 project file with password protected content that has been opened and re-saved using v20.03 software can only be opened with v20.03 software and higher. Also, a v21.00 project file with protected content that has been opened and re-saved using v21.03 software can only be opened with v21.03 and higher versions of software.

For the procedure to update older project files to v20.03 (or later), refer to the FAQ for V20.03 at KnowledgeBase ID: IN64.

General Security Guidelines

Software/PC-based Mitigation Strategies
The following Software/PC Mitigations may be appropriate to include when the vulnerability is within a software product running on a PC:
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar allow list application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715..
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).



ADDITIONAL LINKS

High
PN1540 | PN1540 | FactoryTalk Linx and FactoryTalk Services Platform Contain Denial-of-Service Vulnerabilities
Published Date:
January 22, 2021
Last Updated:
January 22, 2021
CVE IDs:
CVE-2020-5806, CVE-2020-5801, CVE-2020-5802, CVE-2020-5807
Products:
FactoryTalk Linx Gateway, FactoryTalk Services Platform, FactoryTalk Linx / RSLinx Enterprise
CVSS Scores:
7.5, 6.2, 4.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
2.0
Revision History

Version 3.0 - January 22, 2021. Updated and Corrected Risk Mitigation & User Actions.


Version 2.0 - January 14, 2021. Updated Risk Mitigation & User Actions.


Version 1.0 - December 27, 2020. Initial Version.

Executive Summary

Rockwell Automation received a report from Tenable regarding 4 vulnerabilities. Three of these vulnerabilities are within FactoryTalk® Linx software and the fourth is in FactoryTalk Services Platform. If successfully exploited, these vulnerabilities may result in denial-of-service conditions.

Nearly all FactoryTalk software ships with a FactoryTalk Services Platform. If you are unsure if you have the FactoryTalk Services Platform installed, please see Knowledgebase ID QA5266 for additional details.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Vulnerability Affected Products
CVE-2020-5801 FactoryTalk Linx version 6.20 and earlier.
CVE-2020-5802 FactoryTalk Linx version 6.20 and earlier.
CVE-2020-5806 FactoryTalk Linx versions 6.10, 6.11, and 6.20.
CVE-2020-5807 FactoryTalk Services Platform version 6.20 and earlier.

Vulnerability Details

CVE-2020-5801 and CVE-2020-5802: Denial-of-Service due to Unhandled Exception
An unhandled exception vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe causing a denial of service condition.

CVSS v3.1 Base Score: 7.5 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-5806: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a local, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe causing a denial-of-service condition.

CVSS v3.1 Base Score: 6.2 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-5807: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Services Platform. This vulnerability could be exploited via a phishing attack in which an attacker sends a specially crafted log file to a local user. When the malicious log file is opened by a local user, it can cause a buffer overflow in the FactoryTalk Services Platform resulting in temporary denial-of-service conditions. Users can recover from the condition by reopening the impacted software.

CVSS v3.1 Base Score: 4.3 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Version 3.0: Correction
Vulnerability Suggested Actions
CVE-2020-5801
CVE-2020-5802		 Version 2.0: Apply patch found in BF26285.

Version 1.0: Apply Internet Protocol Security (IPSec) to provide security services for IP network traffic. For more information on how to apply IPSec, see Knowledge Base ID QA46277 .
CVE-2020-5806 Version 3.0: Apply patch found in BF26287
CVE-2020-5807 For FactoryTalk Services Platform v6.20 see Patch Answer ID BF26157.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID BF7490.
Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use Microsoft® AppLocker or other similar allow list applications that can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
Social Engineering Mitigation Strategies
  • Do not open untrusted .ftd files with FactoryTalk Services Platform.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
General Mitigations
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

High
PN1113 | PN1113 | CVE-2020-0601 Impact to Rockwell Automation Products
Published Date:
January 20, 2021
Last Updated:
January 20, 2021
CVE IDs:
CVE-2020-0601
Products:
FactoryTalk Analytics for Devices, FactoryTalk Analytics LogixAI, 1756 ControlLogix I/O
CVSS Scores:
8.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
2.0
Revision History
Version 2.0 - January 20, 2021 - Updated Risk Mitigations and Recommended User Actions.
Version 1.1 - January 31, 2020
Version 1.0 - January 17, 2020

Executive Summary

On Tuesday, January 14, 2020, Microsoft issued a patch and advisory addressing a major crypto vulnerability affecting Windows 10, Windows 10 IoT Core and Enterprise, and Windows Server 2016 and 2019. This vulnerability, identified as CVE-2020-0601, is also being referred to as "CurveBall," and is a vulnerability that exists in the way Crypt.32.dll validates Elliptic Curve Cryptography (ECC) certificates. This vulnerability breaks the chain of trust and could allow an attacker to sign a malicious executable, allow interception and modification of TLS-encrypted traffic, or spoof Authenticode code signing certificates. The National Security Agency (NSA) coordinated the information and release of this vulnerability with Microsoft.

The Rockwell Automation® Product Security Incident Response Team (PSIRT) has been tracking this vulnerability since its release. At the time of writing, Rockwell Automation products are not being directly targeted, but are impacted by vulnerable Windows 10 IoT installations. Please see the Affected Products for a full list of potentially affected Rockwell Automation products.

An investigation is ongoing. Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as information becomes available.

Affected Products

Microsoft Windows 10 IoT Core and Enterprise editions are impacted by this vulnerability. At of the time of publishing, the following Rockwell Automation products are impacted by CVE-2020-0601:

  • CompactLogix 5480 Controllers
  • FactoryTalk Analytics for Devices
  • FactoryTalk Analytics LogixAI
  • ControlLogix Compute Module (1756-CMS1B1)

Vulnerability Details

CVE: 2020-0601: Windows CryptoAPI Spoofing Vulnerability

Description: A vulnerability exists in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

  • Microsoft Assigned CVSSv3.0 Base Score: 8.1
  • Microsoft Assigned CVSSv3.0 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Risk Mitigation & User Action

Customers should understand their potential exposure to this vulnerability by completing a thorough asset inventory and assessment.

Vulnerability

Rockwell Automation Product

Suggested Actions

CVE-2020-0601

  • Compact Logix 5480 Controllers
  • ControlLogix Compute Module (1756-CMS1B1)

Microsoft released a patch for affected versions of Windows on January 14, 2020.
Patch via Windows Update Service or normal patching process.

CVE-2020-0601

  • FactoryTalk Analytics Logix AI

Install the Microsoft Cumulative Security Updates on FactoryTalk Analytics LogixAI, refer to QA58887.

Otherwise, Rockwell Automation will provide a firmware update for the products noted. Patches are not yet available for these products. When the patches are available, this article will be updated.

Vulnerability

Rockwell Automation Product

Suggested Actions

CVE-2020-0601

  • FactoryTalk Analytics for Devices

To reduce risk, customers should ensure they are employing proper network segmentation and security controls.
Specifically, network exposure for all control system devices should be minimized and control systems should be
behind firewalls and isolated from other networks when possible.
Refer to the Deploying a Resilient Converged Plantwide Ethernet Architecture Design and Implementation Guide.

Customers using Rockwell Automation industrial compute solutions, such as VersaView computers, Industrial Data Centers, etc, are recommended to regularly inventory and patch their host operating systems.

Update on 1/31/2020: Rockwell Automation MS Patch Qualification team successfully qualified the Microsoft patch related to Curveball. Full results and other useful information can be found here.

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that communications from unauthorized sources are blocked.
  • Use trusted software, software patches, antivirus/antimalware programs, and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

High
PN1548 | PN1548 | Allen-Bradley MicroLogix 1100 Programmable Logic Controller IPv4 Denial-of-Service Vulnerability
Published Date:
January 19, 2021
Last Updated:
January 19, 2021
CVE IDs:
CVE-2020-6111
Products:
1763 MicroLogix 1100
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - January 19, 2021. Iniital Release.

Executive Summary

Rockwell Automation received a report from the Cisco® Talos™ team, regarding a vulnerability in the Allen-Bradley® MicroLogix™ 1100 controller. If successfully exploited, these vulnerabilities may result in denial-of-service conditions.

Customers using affected versions of this controller are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

MicroLogix 1100, all versions.

Vulnerability Details

CVE-2020-6111: Improper Processing IPv4 Packets may result in Denial-of-Service Conditions
A vulnerability exists with the processing of ICMP packets with an invalid IPv4 length in the MicroLogix 1100. This vulnerability could allow a remote, unauthenticated attacker to send malformed packets and cause the controller to enter 8H Hard Fault. This event would lead to denial-of-service conditions. To recover from the condition, the controller must be power cycled and the project redownloaded.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected controllers are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.
Vulnerability Suggested Actions
CVE-2020-6111 Migrate to MicroLogix 1400 and apply firmware v21.006 or later.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.
  • Consult the product documentation for specific features, such as a hardware key mode setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID BF7490.
General Mitigations
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS

Medium
PN1542 | PN1542 | Side-Channel Issue on NXP 7x Secure Authentication Microcontrollers May Lead to ECC Key Extraction
Published Date:
January 14, 2021
Last Updated:
January 14, 2021
CVE IDs:
CVE-2021-3011
Products:
5069-L330ERMS2K, 5069-L340ERMS2, PowerFlex 6000, 5069-L3100ERS2, PowerFlex 755, 5069-L3100ERMS2, 5069-L306ERMS2, 2198 Kinetix 5700 Drive, iTRAK, 5069-L350ERMS2K, 5069-L320ERMS2K, 5069-L320ERMS2, 5069-L330ERS2K, 5069-L330ERMS2, 5069-L320ERS2K, 5069-L350ERS2K, 5069 Compact GuardLogix 5380, 5069-L380ERMS2, PowerFlex 755T, 1756 ControlLogix, 5069-L350ERMS2, 5069-L380ERS2
CVSS Scores:
4.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - January 14, 2021. Initial Release.

Executive Summary

A report has been released regarding a vulnerability in the NXP 7x series microcontroller. If successfully exploited, this vulnerability may result in the extraction of a unique private key. This unique key is used to verify the authenticity of the affected Rockwell Automation® products.

Customers using affected products are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • 1756-EN2T
  • 1756-EN4T
  • 1756-EN4TR
  • ControlLogix® 5580 Series
    • 1756-L81EK, -L82EK, -L83EK, -L84EK, -L85EK
    • 1756-L81EP, -L83EP, -L85EP
    • 1756-L81E-NSE, 1756-L82E-NSE, 1756-L83E-NSE, 1756-L84E-NSE, 1756-L85E-NSE
    • 1756-L81EXT, 1756-L82EXT, 1756-L83EXT, 1756-L84EXT, 1756-L85EXT
  • GuardLogix 5580 Series
    • 1756-L81ES, -L82ES, -L83ES, -L84ES, -L8SP
    • 1756-L81ESK, -L82ESK, -L83ESK, -L84ESK, -L8SPK
  • Compact GuardLogix® 5380 Series
    • 5069-L306ERMS2
    • 5069-L306ERMS3
    • 5069-L306ERS2
    • 5069-L3100ERMS2
    • 5069-L3100ERMS3
    • 5069-L3100ERS2
    • 5069-L310ERMS2
    • 5069-L310ERMS3
    • 5069-L310ERS2
    • 5069-L320ERMS2
    • 5069-L320ERMS2K
    • 5069-L320ERMS3
    • 5069-L320ERMS3K
    • 5069-L320ERS2
    • 5069-L320ERS2K
    • 5069-L330ERMS2
    • 5069-L330ERMS2K
    • 5069-L330ERMS3
    • 5069-L330ERMS3K
    • 5069-L330ERS2
    • 5069-L330ERS2K
    • 5069-L340ERMS2
    • 5069-L340ERMS3
    • 5069-L340ERS2
    • 5069-L350ERMS2
    • 5069-L350ERMS2K
    • 5069-L350ERMS3
    • 5069-L350ERMS3K
    • 5069-L350ERS2
    • 5069-L350ERS2K
    • 5069-L380ERMS2
    • 5069-L380ERMS3
    • 5069-L380ERS2
  • CompactLogix™ 5380 Series
    • 5069-L306ER
    • 5069-L306ERM
    • 5069-L310ER
    • 5069-L310ER-NSE
    • 5069-L310ERM
    • 5069-L320ER
    • 5069-L320ERM
    • 5069-L320ERMK
    • 5069-L320ERP
    • 5069-L330ER
    • 5069-L330ERM
    • 5069-L330ERMK
    • 5069-L340ER
    • 5069-L340ERM
    • 5069-L340ERP
    • 5069-L350ERM
    • 5069-L350ERMK
    • 5069-L380ERM
    • 5069-L3100ERM
  • 5069-AEN2TR
  • CompactLogix™ 5480 Series
    • 5069-L4100ERMW
    • 5069-L4200ERMW
    • 5069-L430ERMW
    • 5069-L450ERMW
    • 5069-L46ERMW
  • iTRAK® 5730 Small Frame
  • iTRAK 5750C
  • Kinetix® 5700 Series B - DAI, HPI, LFI, AFE
  • PowerFlex® 6000T
  • PowerFlex 755 TL
  • PowerFlex 755 TM
  • PowerFlex 755 TR

Vulnerability Details

CVE-2021-3011: Side-Channel Leakage of Unique ECC Private Key on NXP 7X Series Chip
The NXP A700X chip contains a vulnerability that may allow an attacker to physically extract ECC private keys. Expertise and specialized equipment are required to successfully open the package, extract, and process the side-channel leakage. Successful exploit of this vulnerability may allow an attacker to obtain the unique ECC private key for that chip only. The chip will also be physically damaged. For controllers, the current use of this unique key is only used during the initial deployment of CIP Security.

CVSS v3.1 Base Score: 4.9/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Risk Mitigation & User Action

Rockwell Automation encourages customers, when possible, to follow industry best practices for physical access including, but not limited to:
•           Limiting physical access to authorized personnel: control room, cells/areas, control panels, and devices.
•           Providing training and communication to personnel to raise awareness of threats.
•           Implementing physical barriers such as locked cabinets.

Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

General Security Guidelines

General Mitigations
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

High
PN1541 | PN1541 | FactoryTalk AssetCentre affected by M and M Software fdtCONTAINER Remote Code Execution Vulnerability
Published Date:
January 11, 2021
Last Updated:
January 11, 2021
CVE IDs:
CVE-2020-12525
Products:
FactoryTalk AssetCentre
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
January 11, 2021. Initial Version.

Executive Summary

Rockwell Automation received a report from M&M Software regarding vulnerabilities in the fdtCONTAINER component. fdtCONTAINER is distributed as part of FactoryTalk® AssetCentre software. If successfully exploited, this vulnerability may result in remote code execution.

This vulnerability does not impact FactoryTalk AssetCentre users who have not purchased the Process Device Configuration (SKU: 9515-ASTPRD*) capability or Calibration Management capability (SKU: 9515-ASTCAL*).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk AssetCentre v9.00.00 and below with Process Device Configuration or Calibration Management capabilitiy.

Vulnerability Details

CVE-2020-12525: Deserialization of Untrusted Data May Result in Remote Code Execution
A deserialization vulnerability exists in the ftdCONTAINER component in FactoryTalk AssetCentre. This vulnerability could be exploited via a phishing attack in which an attacker sends a specially crafted project file to a local user. When the malicious project file is opened by the local user, it may execute malicious code with the user rights of FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 8.6/10 [HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk AssetCentre are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Suggested Actions
 CVE-2020-12525
Deny access to PDC Field Edition. To do this, follow the steps below.


To deny access to PDC Field Edition:
  1. Open FactoryTalk Admin Console
  2. Select “System”
  3. Select “Policies”
  4. Select “FactoryTalk AssetCentre”
  5. Open “Feature Security Properties”
  6. Locate “Run PDC Field Edition” under “Process Device Configuration Policies” and select the ellipses (…) next to “Configure Security”.
  7. Select the “Deny” Checkboxes for “Administrators” and “All Users”
  8. Select “OK”
  9. Select “Apply”

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.
  • Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.

Software/PC-based Mitigation Strategies
  • Do not use standalone PDC Field Edition
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use Microsoft® AppLocker or another similar allow list application to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  • Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Social Engineering Mitigation Strategies
  • Do not open untrusted files with FactoryTalk AssetCentre.
  • Do not click or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Critical
PN1539 | PN1539 | Vulnerabilities in the Kepware OPC UA server interface may lead to Denial-of-Service Conditions or Data Leak
Published Date:
December 17, 2020
Last Updated:
December 17, 2020
CVE IDs:
CVE-2020-27267, CVE-2020-27263
Products:
ThingWorx Industrial Connectivity, ThingWorx, Kepserver Enterprise
CVSS Scores:
7.5, 9.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - December 17, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from PTC, a strategic partner of Rockwell Automation, regarding vulnerabilities in the Kepware OPC UA server interface for KEPServer Enterprise, ThingWorx® Kepware Server, and ThingWorx Industrial Connectivity. If successfully exploited, these vulnerabilities may result in the product ceasing to function. This may cause the following impacts: a loss of ability to configure the application, a loss of data, a loss of data acquisition, or a loss communication with control system assets.

Customers using affected versions of this server are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

KEPServer Enterprise, versions 6.6.504.0; 6.9.572.0
ThingWorx Industrial Connectivity, all versions
ThingWorx Kepware Server, all versions

Vulnerability Details


CVE-2020-27263: Heap-based Buffer Overflow
The affected products are vulnerable to a heap-based buffer overflow. Opening a specifically crafted OPC message could all a remote attacker to crash the server and potentially leak data.

CVSS v3.1 Base Score: 9.1 [Critical]
CVSS Vector: CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H


CVE-2020-27267: Use After Free
The affected products are vulnerable to a use after free vulnerability, which may allow an attacker to create and close OPC UA connections at a high rate that may cause a server to crash. Successful exploitation of this vulnerability may result in denial-of-service conditions.

CVSS v3.1 Base Score: 7.5 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these options with the general security guidelines to employ multiple strategies simultaneously.

PTC recommends that users upgrade to the most current supported version.
Recommended User Actions
Base Version
Affected Product 6.6
 6.7 6.8 6.9
KEPServer Enterprise (Download) Apply version
6.6.550.0		 -- -- Apply version 6.9.584.0
Thingworx Kepware Server (Download) -- -- Apply version 6.8.839.0 Apply version 8.9.584.0
Thingworx Industrial Connectivity (Download) Apply version 8.4
(6.6.362.0)		 Apply version 8.5(6.7.1068) -- --

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.

General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).



ADDITIONAL LINKS

Critical
PN1536 | PN1536 | FactoryTalk® Linx® Affected by Multiple Denial-of-Service and Heap Overflow Vulnerabilities
Published Date:
November 24, 2020
Last Updated:
November 24, 2020
CVE IDs:
CVE-2020-27251, CVE-2020-27255, CVE-2020-27253
Products:
FactoryTalk Linx Gateway
CVSS Scores:
8.6, 9.8, 5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - November 24, 2020. Initial Release.

Executive Summary

Rockwell Automation PSIRT received a report from Claroty, an industrial security product vendor and research company, regarding three vulnerabilities in FactoryTalk® Linx software. If successfully exploited, these vulnerabilities may result in denial-of-service conditions, controlling of the execution flow or information disclosure. If the vulnerabilities are chained together, it may be possible to achieve remote code execution.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Special thanks to Claroty for discovering this vulnerability.

Affected Products

FactoryTalk Linx v6.11 and earlier.

Vulnerability Details

CVE-2020-27251: Remote Code Execution due to Heap Overflow
A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.

CVSS v3.1 Base Score: 9.8/10 [Critical]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-27253: Denial-of-service due to a flaw in Ingress/Egress checks routine
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.

CVSS v3.1 Base Score: 8.6/10 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2020-27255: Information Disclosure and ASLR bypass due to Heap Overflow
A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to  send malicious set attribute requests, which could result in leaking sensitive information. This information disclosure could lead to the bypass of Address Space Layout Randomization (ASLR).

CVSS v3.1 Base Score: 5.3 /10 [Medium]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N



Risk Mitigation & User Action


Customers using the affected FactoryTalk Linx are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Details Recommended User Actions
CVE-2020-27253
CVE-2020-27251
CVE-2020-27255		 For FactoryTalk Linx v6.10 and v6.11
see Patch Answer ID BF25509

Additionally, the user could move to v6.20 which is available on the PCDC

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation® products is available at Knowledgebase Article ID QA17329.
  • Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

PN1534 | PN1534 | Stratix 5700 HTTP Session Management Weakness
Published Date:
October 30, 2020
Last Updated:
October 30, 2020
Products:
Stratix 5700 Managed Switch
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - October 30, 2020. Initial Release.

Executive Summary

Rockwell Automation’s PSIRT received a report from Amazon regarding a weakness on the Stratix 5700 switch. This weakness is a result of HTTP session management not being a feature of classic Cisco IOS. This may result in unauthenticated access to the web interface if an attacker gains access to the authenticated user’s computer after the “Logout” button has been selected. Rockwell Automation’s PSIRT has collaborated with the Cisco PSIRT to inform customers of this weakness. While this button’s function may lead the user to believe the session is being cleared, the product specifications do not advertise HTTP session management as a function. Both PSIRTs, to be transparent, see the importance of sharing this issue along with potential mitigation options.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.

Affected Products

Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches –
  • All Cisco IOS releases (with the exception of those which incorporate the new HTTP session management feature added through Cisco BugID CSCvo20762) lack HTTP and HTTPS session management capabilities.
Details

On the Stratix 5700 Industrial Managed Ethernet switch running Cisco IOS , because no session management is performed for HTTP or HTTP sessions, the only way to close and terminate an active HTTP or HTTPS management session is to close the web browser used for this session after the user is done. Closing the active tab or active window is not enough - the browser instance must be terminated.

If the browser instance has not been terminated, an actor with local access to the machine from which the session was established may be able to restart the management session without being prompted for any credentials, which would result in this actor having the same kind of access to the device as the user on the previous session.

Risk Mitigation & User Action

As of 26-OCT-2020, the following releases incorporate the new HTTP session management code: 15.9(3)M2, 15.9(3)M2a and 15.2(7)E3. Going forward, it is the intention of Cisco for this HTTP session management feature to be implemented in all future Cisco IOS classic releases.

If HTTP session management is desired while running a release which does not support the enhancement, Cisco IOS customers are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

Completing the following precautionary measure is recommended as a risk mitigation strategy against unauthenticated attackers.
  • Terminate the browser when finished – closing the tab or window is NOT enough

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
General Mitigations
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

PN923 | PN923 | Claims of ransomware masquerading as an Allen-Bradley Update
Published Date:
October 02, 2020
Last Updated:
October 02, 2020
Products:
Compliance / Audit Trail / Security, 6181X Hazardous Non-Display, ProcessPak, Integration Manager, SOS, dsShopLib, RSLogix 500, Arena, Foundation Server, Shop Operations, Reporting (form based), RSView32 WebServer, Database, FactoryTalk ViewPoint, SPC, Admin Tools, RSView32 SPC, FactoryTalk VantagePoint, App Solutions Documentation, Business Objects, Migration, Studio 5000 View Designer, 650R Non-Display Computers, 750R Non-Display Computers, FactoryTalk View SE, Reporting, Interface Manager, Operator Certification, RSLogix 5, Live Transfer, 6181 Computers, 1450R Non-Display Computers, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, LiveData, Agile, Installation, RSLogix Emulate 500, Knowledge Documentation, RSLogix Emulate 5, Build Utility, Shop Operation, Foundation Client, NCR/CAR/IQA, RSView32, FactoryTalk Activation, Purge, FactoryTalk Historian SE, WSIntegrate, SoftLogix5800, RSView32 Messenger, FactoryTalk Linx Gateway, Supplier Manager, RSView32 Active Display, Maintenance Releases, Connected Components Workbench, Documentation, Activities, ETL, Historical Transfer, ECO, 6180 Computers with Keypad, Production Management Client, RSLadder, RMA, Data, Thin Client, Logix Designer, Administration, 6155 Compact Computers, Production Execution Client, Installation, 6181X Hazardous Integrated Display, Dashboard, JD Edwards, ActiveX Control, FactoryTalk Metrics, TrendX, Universe Manager, FactoryTalk AssetCentre, Knowledge Installation, Sampling Plans, Configuration Tool, FactoryTalk Transaction Manager, Consumer Packaged Goods Suite, Reports (Out-of-box), PlantMetrics, API, FactoryTalk Batch, FactoryTalk EnergyMetrix, FactoryTalk View ME, SoftLogix5, Process Designer, Reports (Custom), Automotive Suite , Quality Assurance (6.x), ICAPA, RSLogix Architect / Studio 5000 Architect, Equipment Manager, PlantPAx, Complaint Handling, Pavilion, FactoryTalk Services Platform
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Claims of ransomware masquerading as an Allen-Bradley Update

Description

begin ignore



Version 2.0 - July 8th 2016

Rockwell Automation has learned about the existence of a malicious file called "Allenbradleyupload.zip" that is being distributed on the internet. This file is NOT an official update from Rockwell Automation, and we have been informed that this file contains a type of ransomware malware that, if successfully installed and launched, may compromise the victim’s computer. This advisory is intended to raise awareness to control system owners and operators of reports of the file’s existence as a result of reports Rockwell Automation received from the Electricity Information Sharing and Analysis Center ("E-ISAC").

Update 08-JUL-2016: Our investigation has confirmed the existence of the reported malware through VirusTotal.com. According to VirusTotal, it "is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware." According to information on VirusTotal.com, the file "Allenbradleyupload.zip" contains a single file called "Allenbradleyupload.exe", which may be malicious. File hashes and links to VirusTotal.com are in the table that follows below. These file hash values can be used with Application Whitelisting technologies to reduce the ability of this malware to execute on a system. According to VirusTotal, most of the antivirus/anti-malware vendors have updated their databases to detect this malware. However, we strongly recommend ensuring that your antivirus programs and virus definitions are up to date.

File Name Hash Type Hash Value
Allenbradleyupload.zip MD5 b552a95bd3eceb1770db622a08105f52
SHA-1 4dbba01786068426c032a7524e31668f2435d181
SHA-256 e7b4a2c05e978b86a231fa276db29bb8362bd25160bdeb4c2239cb614d7f44df
Allenbradleyupload.exe MD5 49067f7b3995e357c65e92d0c7d47c85
SHA-1 5f8c4246fc24d400dffef63f25a44b61932b13af
SHA-256 97ec86160dea82a17521a68076fe0d5537f60577b79338e67a15528115e94b88

Rockwell Automation confirms that this malware is NOT an official product update and it is not connected with any Rockwell automation product, software update, or website.

Rockwell Automation decided to provide this advisory since the attackers have used the Rockwell Automation brand name on the file, possibly as a means to increase the likelihood of an ICS-knowledgeable user to download and execute the malware as part of their strategy. We are continuing to monitor this situation, and we will update this advisory as we learn more.

BACKGROUND

Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary ransom in order to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications. Typically the user is required to pay the ransom in some form of untraceable currency, and must do so before the deadline expires and the decryption key is destroyed.

According to the September/October 2015 issue of the ICS-CERT Monitor, "Ransomware, such as Cryptolocker or TeslaCrypt, is currently one of the most prolific categories of malware growth, rising 165 percent in varieties seen between the fourth quarter of 2014 and the first quarter of 2015".

CUSTOMER RISK MITIGATIONS

Where feasible, precautions and risk mitigation strategies to this type of attack, like those listed below are recommended. When possible, multiple strategies should be employed simultaneously.

  • Obtain product software and firmware from Rockwell Automation’s official download portal, available at http://www.rockwellautomation.com/global/support/drivers-software-downloads.page.
  • Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in KB546987.
    • Consult VirusTotal.com’s analysis of the malware (using the links above), to determine if your deployed antivirus solution is able to detect this malware. (UPDATED 08-JUL-2016)
  • Analyze outbound network traffic against the known indicators of compromise (IoC), available from the US-CERT portal, to identify and assess the risk of any unusual network activity.
  • Develop, and then deploy, backup and disaster recovery policies and procedures. Test backups on a regular schedule.
  • Implement a change management system to archive network, controller and computer assets (e.g., clients, servers and applications).
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack, which can also serve as a vehicle for malware infection.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

end ignore

KCS Status

Released

Critical
PN1530 | PN1530 | FactoryTalk Activation Manager affected by CodeMeter Vulnerabilities
Published Date:
September 18, 2020
Last Updated:
September 18, 2020
CVE IDs:
CVE-2020-14517, CVE-2020-16233, CVE-2019-14519, CVE-2020-14519, CVE-2020-14515, CVE-2020-14509, CVE-2020-14513
Products:
FactoryTalk Activation
CVSS Scores:
7.4, 8.1, 9.4, 7.5, 10.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
4.0
Revision History
Version 4.0 -- September 18, 2020. Update to reflect current mitigations. Updated links.
Version 3.0 -- September 16, 2020. Update to reflect current remediations and information from Wibu. See update below.
Version 2.1 -- September 15, 2020. Update to adjust language.
Version 2.0 -- September 14, 2020. Update regarding affected CodeMeter versions and vulnerability information.
Version 1.0 – September 08, 2020

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding vulnerabilities in Wibu-Systems’ CodeMeter. These vulnerabilities, if successfully exploited, may result in remote code execution, privilege escalation, or denial of service conditions to the products dependent on CodeMeter. CodeMeter is distributed as part of the installation for FactoryTalk Activation Manager. FactoryTalk Activation Manager enables customers to manage licensed content and activate Rockwell Automation software products.

Claroty has released documentation that outlines the vulnerabilities in detail. This information may make it easier for an adversary to compromise the host running Wibu CodeMeter. Customers using the affected versions of FactoryTalk Activation Manager and/or CodeMeter should implement the mitigations detailed below as soon as possible.

Affected Products

FactoryTalk Activation (FTA) Manager v4.05.00 and earlier running Wibu-Systems CodeMeter v7.10 or earlier.

The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. Customers who use the products from the following list in their install base contain FactoryTalk Activation Manager.
  • Arena® software
  • Emonitor® software
  • FactoryTalk® AssetCentre software
  • FactoryTalk® Batch software
  • FactoryTalk® EnergyMetrix software
  • FactoryTalk® eProcedure® software
  • FactoryTalk® Gateway software
  • FactoryTalk® Historian Site Edition (SE) software
  • FactoryTalk® Historian Classic software
  • FactoryTalk® Information Server software
  • FactoryTalk® Metrics software
  • FactoryTalk® Transaction Manager software
  • FactoryTalk® VantagePoint® software
  • FactoryTalk® View Machine Edition (ME) software
  • FactoryTalk® View Site Edition (SE) software
  • FactoryTalk® ViewPoint software
  • RSFieldbus™ software
  • RSLinx® Classic software
  • RSLogix 500® software
  • RSLogix 5000® software
  • RSLogix™ 5 software
  • RSLogix Emulate 5000 software
  • RSNetWorx software
  • RSView®32 software
  • SoftLogix5800 software
  • Studio 5000 Architect® software
  • Studio 5000 Logix Designer® software
  • Studio 5000 View Designer® software
  • Studio 5000® Logix Emulate software

Vulnerability Details

CVE-2020-14509: Arbitrary Command Execution Due to Buffer Access with Incorrect Length Value of CodeMeter
The packet parsing mechanism of CodeMeter does not verify its length field values causing it to access memory outside the bounds of the buffer. This may allow an attacker to execute arbitrary commands by sending a specifically crafted packet. This out of bounds memory access could also lead to relevant memory corruption causing denial-of-service conditions by crashing the CodeMeter server

CVSS v3.1 Base Score: 10.0/10 [CRITICAL]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2020-14517: Arbitrary Command Execution Due to the Inadequate Encryption Strength of CodeMeter
A vulnerability exists in the encryption scheme of CodeMeter, which allows a bypass of the protection mechanism, enabling the server to accept external connections without authentication. This may allow an attacker to remotely communicate with the CodeMeter API, access and modify application data.

CVSS v3.1 Base Score: 9.4/10 [CRITICAL]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)

CVE-2019-14519: Denial-of-Service Conditions Due to the Origin Validation Errors of CodeMeter
The API of the WebSocket internals of CodeMeter does not provide authentication on its WebSocket services. This may allow an attacker to cause denial-of-service conditions by sending a specifically crafted JavaScript payload allowing alteration or creation of license files.

CVSS v3.1 Base Score: 8.1/10 [HIGH]
CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CVE-2020-16233: Denial-of-Service Conditions Due to the Improper Resource Release of CodeMeter
A vulnerability exists in the internal program resource management of CodeMetermanagement, which allows the disclosure of heap memory. This may allow an attacker to cause denial-of-service conditions by triggering an intentional resource leak.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2020-14513: Denial-of-Service Conditions Due to Improper Input Validation of CodeMeter
A vulnerability exists in the input validation method of CodeMeter that can affect its program control flow or data flow. This may allow an attacker to alter the control flow and cause denial-of-service conditions to CodeMeter and any product dependencies by using a specifically crafted license file.

CVSS v3.1 Base Score: 7.5 [HIGH]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-14515: Denial-of-Service Condition or Data Modification due to Improper Verification of a Cryptographic Signature in CodeMeter
A vulnerability exists in the license-file signature checking mechanism, which may allow an attacker to build arbitrary license files including forging a valid license file as if it were a valid license file of an existing vendor. This may allow an attacker to modify data or could cause a denial-of-service condition to CodeMeter.

CVSS v3.1 Base Score: 7.4/10 [HIGH]
CVSS v3.1 Vector: AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H

Risk Mitigation & User Action

UPDATE (4.0)
Customers using the affected versions of FactoryTalk Activation Manager are encouraged to update to v4.05.01. This version of FactoryTalk Activation Manager contains CodeMeter 7.10a, which addresses the vulnerabilities. Customers who are unable to patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Currently Installed Suggested Actions
CVE-2020-14517
CVE-2020-16233
CVE-2020-14513
CVE-2020-14509
CVE-2020-14519
CVE-2020-14515

 FactoryTalk Activation Manager v4.05.00 and earlier Update to version 4.05.01 of FactoryTalk Activation Manager. Select the FactoryTalk Activation Manager download from our website.

This information can also be found in Compatibility & Downloads > Configured Views > Standard Views > Software Latest Versions > FactoryTalk Activation.

UPDATE (3.0)
Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk. As of September 16, 2020, CodeMeter 7.10a is compatible with FactoryTalk Activation Manager via the Rockwell Automation Product Compatibility and Download Center (PCDC). This version of CodeMeter remediates all of the vulnerabilities noted below. Customers can update CodeMeter directly from Wibu, which is compatible with all supported versions of FTA. A bundled version of CodeMeter 7.10a and FactoryTalk Activation Manager will also release in the coming days.

Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability Currently Installed Suggested Actions
CVE-2020-14517
CVE-2020-16233
CVE-2020-14513
CVE-2020-14509
CVE-2020-14519
CVE-2020-14515

 FactoryTalk Activation Manager v4.05.00 and earlier Update to version 7.10a of CodeMeter found on the Rockwell Automation PCDC, which is compatible with all supported versions of FTA.

This information can also be found in Compatibility & Downloads > Configured Views > Standard Views > Software Latest Versions > FactoryTalk Activation.

Previous Information Contained in Versions 1.0-2.1
Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk for CVE-2019-14519, and CVE-2020-14515. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

For CVE-2020-14517, CVE-2020-16233, and CVE-2020-14513, FTA v4.05 or later mitigates these vulnerabilities unless CodeMeter is running as a server. Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available.
Vulnerability Currently Installed Suggested Actions
CVE-2020-14519
CVE-2020-14515
 FactoryTalk Activation Manager v4.04.00 and earlier Update to FTA v4.05 or later and employ the general security guidelines.

For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center Standard Views > Software Latest Versions > FactoryTalk Activation
CVE-2020-14517
CVE-2020-16233
CVE-2020-14513
CVE-2020-14509		 FactoryTalk Activation Manager v4.04.00 and earlier Update to FTA v4.05 or later and employ the general security guidelines.

The default configuration of FTA v4.05 limits the vulnerable port, which mitigates these vulnerabilities. However, if CodeMeter is running a server, which can be turned on via FTA, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that any traffic from unauthorized sources are blocked.
  • Consult the product documentation for specific features, such as a hardware key switch setting, to which may be used to block unauthorized changes, etc.
  • Utilize the new REST API instead of the internal WebSockets API
  • Disable the WebSockets API
General Mitigations
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN71
For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).


ADDITIONAL LINKS

Critical
PN1510 | PN1510 | FactoryTalk View SE Contains Multiple Vulnerabilities Found During Pwn2Own Competition
Published Date:
August 20, 2020
Last Updated:
August 20, 2020
CVE IDs:
CVE-2020-12027, CVE-2020-12028, CVE-2020-12029, CVE-2020-12031
Products:
FactoryTalk View SE
CVSS Scores:
7.5, 9.0, 7.3, 5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
2.2
Revision History
Version 2.2 - August 20, 2020 Links to additional detections
Version 2.1 - August 18, 2020 Links to additional detections
Version 2.0 - July 23, 2020. Updated guidance given public scripts.
Version 1.0 - June 18, 2020. Initial Release.

Executive Summary

Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.

During the competition, Rockwell Automation was made aware of flaws in the way FactoryTalk View SE handles certain sensitive information, authentication mechanisms, and bounds checking, which could lead to Remote Code Execution (RCE).

Special thanks to the following researchers who submitted these vulnerabilities through the Pwn2Own competition: The Incite Team (Steven Seeley and Chris Anastasio), Claroty Research (Sharon Brizinov and Amir Preminger), Synacktiv (Lucas Georges), Tobias Scharnowski, Niklas Brietfeld, Ali Abbasi, Pedro Ribeiro,  Radek Domanski, and Fabius Artrel.

As of July 23, 2020, the researchers, along with ZDI, have released documentation and a script that makes it possible for an unskilled adversary to compromise the host running FactoryTalk View SE. Customers using the affected versions of FactoryTalk View SE should apply the patch and implement the mitigations detailed below as soon as possible.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk View SE all versions

Vulnerability Details

CVE-2020-12029: Code execution due to improper limitation of a pathname to a restricted directory
FactoryTalk View SE does not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE).

CVSS v3.1 Base Score: 9.0 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10284

CVE-2020-12031: Code execution due to improper bounds checking
FactoryTalk View SE fails to bounds-check monitor configurations. After bypassing memory corruption mechanisms found in the operating system, a local, authenticated attacker may corrupt the associated memory space allowing for arbitrary code execution. This attack depends on user interaction to be successful.

CVSS v3.1 Base Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10270

CVE-2020-12028: Unauthenticated file permissions for remote endpoints
FactoryTalk View SE provides the capability to interact with remote endpoints, which are accessible by a series of handlers. A remote, authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint since those handlers do not enforce appropriate permissions. This attack depends on user interaction to be successful.

CVSS v3.1 Base Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10283


CVE-2020-12027: Information disclosure affecting remote endpoints
FactoryTalk View SE discloses the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts.

CVSS v3.1 Base Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
ZDI Tracking: ZDI-CAN-10281, ZDI-CAN-10282, ZDI-CAN-10291

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk View SE are encouraged to apply the patch or deploy recommended built in security features that addresses the associated risk. Customers who are unable to patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Information Recommended User Actions
CVE-2020-12029 Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. QA49264 - Patch Roll-up for CPR9 SRx
Apply patch BF25481
CVE-2020-12031 Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. QA49264 - Patch Roll-up for CPR9 SRx
Apply patch found in BF25482
CVE-2020-12028
CVE-2020-12027		 This vulnerability is remediated by enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in QA46277 and QA59546 to set up IPSec and/or HTTPS, respectively.

Note: The Cisco Talos team developed Snort rules to detect these vulnerabilities (sid:54670-54675).

Additionally, Claroty has provided the following detections:
Rule Name: FactoryTalk View SE Directory Traversal CVE-2020-12027
Detection Identifier: 1000000055

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Social Engineering Mitigation Strategies
  • Do not open untrusted filed.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd(kabyrd@ra.rockwell.com).


ADDITIONAL LINKS

Low
PN1509 | PN1509 | Studio 5000 Logix Designer XML External Entity (XXE) Vulnerability Found During Pwn2Own Competition
Published Date:
August 11, 2020
Last Updated:
August 11, 2020
CVE IDs:
CVE-2020-12025
Products:
Logix Designer
CVSS Scores:
3.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.1
Revision History
Version 1.1 - August 11, 2020. Updated Recommended User Actions
Version 1.0 - July 8, 2020. Initial Version.

Executive Summary

Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.

During the competition, Rockwell Automation was made aware of an XML External Entity (XXE) flaw in the way the Studio 5000 Logix Designer® software parses AML and RDF files. An attacker may utilize this vulnerability to parse a malicious file, which could result in information disclosure.

Special thanks to The Incite Team for reporting this vulnerability through Pwn2Own. This vulnerability was independently co-discovered by researchers at Claroty after the competition.

Affected Products

Logix Designer Studio 5000 versions 32.00, 32.01, and 32.02.

Vulnerability Details

CVE-2020-12025: XXE Vulnerability Could Lead to Unauthorized Information Disclosure
Logix Designer Studio 5000 utilizes a third-party XML parser, which natively accepts AML and RDF files from any external entity. If successfully exploited, an unauthenticated attacker may be able to craft a malicious file, which when parsed, could lead to some information disclosure of hostnames or other resources from the program.

Other versions of Studio 5000 Logix Designer do not support this parser and therefore, are not affected by this vulnerability. Versions 32.00, 32.01, and 32.02 contains the vulnerable code; however, this vulnerability is considered LOW severity since the exploit relies on user interaction and the limited data that would be provided to the attacker.

CVSSv3 Base Score: 3.6 (LOW)
CVSSv3 Vector String: AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
ZDI Tracking: ZDI-CAN-10290

Risk Mitigation & User Action

Customers using the affected versions of Studio 5000 Logix Designer are encouraged to update to Studio 5000 Logix Designer version v32.03.
Vulnerability Information Recommended User Actions
 CVE-2020-12025
 Update to v32.03 of Logix Designer Studio 5000

Rockwell Automation customers using AML or RDF files should not accept files from unknown sources and remain cautious of social engineering attempts that may take advantage of this vulnerability.

General Security Guidelines

Social Engineering Mitigation Strategies
  • Rockwell Automation customers using AML or RDF files should not accept files from unknown sources and remain cautious of social engineering attempts that may take advantage of this vulnerability.
  • Do not open untrusted AML or RDF files within Studio 5000 Logix Designer.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).


ADDITIONAL LINKS

High
PN1025 | PN1025 | CompactLogix / Compact GuardLogix 5370 Denial of Service
Published Date:
August 10, 2020
Last Updated:
August 10, 2020
CVE IDs:
CVE-2017-9312
Products:
Armor Compact Logix, Compact GaurdLogix 5370, CompactLogix 5370
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.3
Revision History
Version 1.3 / August 10, 2020 - Updated affected products and suggested actions.
Version 1.2 / May 18, 2020 - Updated release product and corrected product version information.
Version 1.1 / July 12, 2018 - Updated product version informtion.
Version 1.0 / June 21, 2019 - Initial Release
Overview

A vulnerability exists in certain CompactLogix™ 5370 and Compact GuardLogix® 5370 programmable automation controllers that, if successfully exploited, may cause a Denial of Service (DoS) condition. These products are used to control processes across several industries, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation® has been conducting thorough evaluations to help achieve completeness in its risk assessment and mitigation processes.

Specific details of this vulnerability were disclosed publicly by researchers presenting at the ICS Cyber Security Conference in Singapore on April 25, 2018. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • CompactLogix 5370 L1 controllers, versions 30.014 and earlier, excluding version 28.015
  • CompactLogix 5370 L2 controllers, versions 30.014 and earlier, excluding version 28.015
  • CompactLogix 5370 L3 controllers, versions 30.014 and earlier, excluding version 28.015
  • Armor CompactLogix 5370 L3 controllers, versions 30.014 and earlier, excluding version 28.015
  • Compact GuardLogix 5370 controllers, versions 30.014 and earlier, excluding version 28.015
  • Armor Compact GuardLogix 5370 controllers, versions 30.014 and earlier, excluding version 28.015

Vulnerability Details

This vulnerability may allow threat actor to intentionally send a specific TCP packet to the product and cause a Major Non-Recoverable Fault (MNRF) resulting in a Denial of Service (DoS) condition. An MNRF is a controlled action taken by the controller when it is determined that the controller could no longer continue safe operation. When a Logix controller determines that an MNRF is the right course of action, the controller is designed to fault, taking it out of run mode, logging diagnostic data, and then invalidating and deleting the controller’s memory. This action requires an application program reload to guarantee the controller has a valid program to continue safe operation.

Alexey Perepechko of Applied Risk discovered this vulnerability in the 1769 Compact GuardLogix 5370 controllers. Rockwell Automation further investigated and discovered additional products affected by this vulnerability and they are included in this advisory.

This vulnerability is remotely exploitable. The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system and other controls a user may have in place.

COMPACT GUARDLOGIX ADDITIONAL DETAILS
If a Major Non-Recoverable Fault (MNRF) occurs in a Compact GuardLogix controller, the safety task execution stops and CIP Safety I/O modules are placed into their safe state. All other I/O modules will transition to their configured fault state (for example, Hold Last State). Memory will be marked as invalid and cleared. It is important to note that the memory clear is controlled and intentional, as the controller has determined internally that something is wrong and cannot guarantee continued safe controller execution. As a result, the controller goes into an MNRF state, which is considered safe. Recovery requires that you download the application program again.

COMPACTLOGIX ADDITIONAL DETAILS
If a Major Non-Recoverable Fault (MNRF) occurs in a CompactLogix controller, all I/O modules will transition to their configured fault state (for example, Hold Last State). Memory will be marked as invalid and cleared. It is important to note that the memory clear is controlled and intentional, as the controller has determined internally that something is wrong and cannot guarantee continued safe controller execution. As a result, the controller goes into an MNRF state, which is considered safe. Recovery requires that you download the application program again.

CVE-2017-9312 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System (CVSS) v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Risk Mitigation & User Action

Customers using the affected controllers are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Product Type Product Family Catalog Numbers Suggested Actions
Small Controllers CompactLogix 5370 L1
CompactLogix 5370 L2
CompactLogix 5370 L3
Armor CompactLogix 5370 L3		 1769-L16ER-BB1B
1769-L18ER-BB1B
1769-L18ERM-BB1B
1769-L19ER-BB1B
1769-L24ER-QB1B
1769-L24ER-QBFC1B
1769-L27ER-QBFC1B
1769-L30ER
1769-L30ER-NSE
1769-L30ERM
1769-L33ER
1769-L33ERM
1769-L36ERM
1769-L37ERMO
 Apply FRN 28.015 or apply 31.011 or later.
Safety Controllers Compact GuardLogix 5370
Armor Compact GuardLogix 5370 L3
 1769-L30ERMS
1769-L33ERMS
1769-L36ERMS
1769-L37ERMS
1769-L38ERMS
1769-L33ERMOS
1769-L36ERMOS
 Apply FRN 28.015 or apply 31.011 or later.

Note: For 1769-L33ERMOS and 1769-L36ERMOS, apply firmware for 1769-L33ERMS and 1769-L36ERMS respectively.

General Security Guidelines

  1. Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
  2. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  3. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

Attachments

Critical
PN1525 | PN1525 | FactoryTalk Services Platform Improper User Password Hashing
Published Date:
July 30, 2020
Last Updated:
July 30, 2020
CVE IDs:
CVE-2020-14516
Products:
FactoryTalk Services Platform
CVSS Scores:
10.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - July 30, 2020. Initial Release.

Executive Summary

A vulnerability exists in FactoryTalk® Services Platform that prevents user passwords from being hashed properly. This vulnerability, if successfully exploited, may allow attackers to access and modify configuration and application data. This vulnerability only impacts native FactoryTalk Security users, not Windows® linked users.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Services Platform, versions 6.10.00 and 6.11.00.

Nearly all FactoryTalk software ships with FactoryTalk Services Platform. If you are unsure if you have FactoryTalk Services Platform installed, please see Knowledgebase QA5266 for additional details.

Vulnerability Details

CVE-2020-14516: Improper Implementation of Hashing Algorithm for User Passwords
There is an issue with the implementation of the SHA-256 hashing algorithm with FactoryTalk Services Platform 6.10 and 6.11 that prevents the user password from being hashed properly. A successful exploit could allow a remote, unauthenticated attacker to create new users in the FactoryTalk Services Platform administration console and this new user would allow the attacker to modify or delete configuration and application data in other FactoryTalk software connected to FactoryTalk Services Platform.

CVSS v3.0 Base Score: 10.0/CRITICAL
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk Services Platform are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these measures with the general security guidelines to employ multiple strategies simultaneously.
Product Family Suggested Actions
FactoryTalk Services Platform Follow the guidance provided in Knowledgebase Article ID: BF10207 in order to patch (link).

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker application or another similar whitelisting application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Ensure that the least-privileged user principle is followed, and the user/service account access to shared resources (such as a database) is only granted with the minimum number of rights as needed.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).


ADDITIONAL LINKS

High
PN1515 | PN1515 | FactoryTalk View SE Credential Disclosure Vulnerabilities
Published Date:
June 25, 2020
Last Updated:
June 25, 2020
CVE IDs:
CVE-2020-14480, CVE-2020-14481
Products:
FactoryTalk View SE
CVSS Scores:
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 25, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from Ilya Karpov and Evgeny Druzhinin who are part of the independent research team, ScadaX Security. They reported two vulnerabilities in FactoryTalk® View Site Edition (SE) software, which if successfully exploited, may result in the disclosure of Windows® Logon credentials (via the DeskLock software) or FactoryTalk View SE user credentials.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

CVE-2020-14480: FactoryTalk View SE versions 9.0 and earlier.
CVE-2020-14481: FactoryTalk View SE version 10.0.

Vulnerability Details

CVE-2020-14480: Cleartext Storage of Sensitive Information in Memory

A local, authenticated attacker may have access to certain credentials, including Windows Logon credentials, as a result of usernames/passwords being stored in plaintext in Random Access Memory (RAM).

CVSS v3.1 Base Score: 8.8/HIGH

CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2020-14481: Use of a Weak Algorithm for Password Protection

The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user’s operating system and certain components of FactoryTalk View SE.

CVSS v3.1 Base Score: 8.8/HIGH

CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions of DeskLock provided with FactoryTalk View SE are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family Catalog Numbers CVE # Suggested Actions
FactoryTalk View SE 9701-VWSx CVE-2020-14480 Download v10.0 or later.
FactoryTalk View SE 9701-VWSx CVE-2020-14481 Download v11.0 or later.

General Security Guidelines

GENERAL SECURITY GUIDELINES
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).


ADDITIONAL LINKS

High
PN1516 | PN1516 | FactoryTalk Services Platform XXE Vulnerability
Published Date:
June 25, 2020
Last Updated:
June 25, 2020
CVE IDs:
CVE-2020-14478
Products:
FactoryTalk Services Platform
CVSS Scores:
8.4
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 25, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from researchers at Applied Risk regarding a vulnerability in versions of FactoryTalk® Services Platform which if successfully exploited, could lead to a denial-of-service (DoS) condition and to the arbitrary reading of any local file via system-level services.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Services Platform, versions 6.11.00 and earlier.

Nearly all FactoryTalk® software ships with FactoryTalk Services Platform. If you are unsure if you have FactoryTalk Services Platform installed, please see QA5266 for additional details.

Vulnerability Details

CVE-2020-14478: Weakly Configured XML Parser
A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML parser to access local or remote content. A successful exploit could potentially cause a denial-of-service (DoS) condition and allow the attacker to arbitrarily read any local file via system-level services. The details of this file could then be forwarded to the attacker.

CVSS v3.0 Base Score: 8.4/HIGH

CVSS v3.0 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H.

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk Services Platform are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these measures with the general security guidelines to employ multiple strategies simultaneously.
Product Family Suggested Actions
FactoryTalk Services Platform Download patch for 6.11 (Download)

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker application or another similar whitelisting application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329 .
  • Ensure that the least-privileged user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index..

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).


ADDITIONAL LINKS

Critical
PN1507 | PN1507 | FactoryTalk Linx Affected by Multiple Vulnerabilities
Published Date:
June 24, 2020
Last Updated:
June 24, 2020
CVE IDs:
CVE-2020-11999, CVE-2020-12005, CVE-2020-12003, CVE-2020-12001
Products:
FactoryTalk Linx Gateway
CVSS Scores:
7.5, 9.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.1
Revision History
Version 1.1 - June 24, 2020. Corrected affected products.
Version 1.0 - June 11, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding multiple vulnerabilities due to exposed system internals’ in FactoryTalk® Linxvsoftware. These vulnerabilities, if successfully exploited, may result in arbitrary code execution, information exposure, or denial-of-service conditions.

Rockwell Automation has provided software updates containing the remediation to these vulnerabilities. Customers using the affected versions of these products are encouraged to evaluate the mitigations provided below and apply them appropriately.

Affected Products

  • FactoryTalk Linx software versions 6.00, 6.10, and 6.11
The following products utilize FactoryTalk Linx:
  • Connected Components Workbench™ software v12 and earlier
  • ControlFLASH Plus™ software v1 and later
  • ControlFLASH™ software v14 and later
  • FactoryTalk Asset Centre software v9 and later
  • FactoryTalk Linx CommDTM software v1 and later
  • Studio 5000® Launcher software v31 and later
  • Studio 5000 Logix Designer® software v32 and earlier

Vulnerability Details

CVE-2020-11999: Arbitrary code execution due to API abuse
An exposed API call allows users to provide files to be processed without sanitation. This may allow an attacker to specify a filename to execute unauthorized code and modify files or data.

CVSS v3.1 Base Score: 9.6/10[CRITICAL]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CVE-2020-12001: Arbitrary code execution due to path traversal
The parsing mechanism that processes certain file types does not provide input sanitation. This may allow an attacker to use specially crafted files to traverse the file system, modify sensitive data, or execute arbitrary code.

CVSS v3.1 Base Score: 9.6/10[CRITICAL]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CVE-2020-12003: Information disclosure due to path traversal
An exposed API call allows users to provide files to be processed without sanitation. This may allow an attacker to use specially crafted requests to traverse the file system and expose sensitive data on the local hard drive.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2020-12005: Denial-of-service conditions due to unrestricted upload of certain file types
A vulnerability exists in the communication function that enables users to upload EDS files by FactoryTalk Linx. This may allow an attacker to upload a rogue EDS.gz file with “bad compression”, consuming all the available CPU resources leading to denial-of-service (DoS) conditions.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
CVE Products Affected Mitigation
CVE-2020-11999
CVE-2020-12001
CVE-2020-12003
CVE-2020-12005
  • Connected Components Workbench v12 and earlier
  • ControlFLASH Plus v1 and later
  • ControlFLASH v14 and later
  • FactoryTalk Asset Centre v9 and later
  • FactoryTalk Linx CommDTM v1 and later
  • FactoryTalk Linx software(Previously called RSLinx Enterprise) versions 6.00, 6.10, and 6.11
  • Studio 5000 Launcher v31 and later
  • Studio 5000 Logix Designer v32 and earlier

 Customers are encouraged to apply these patches by following instructions in Knowledgebase articles below:
  • Patch Roll-up fo CPR9. Knowledgebase Article ID: QA49264
  • FactoryTalk Knowledge Linx/Services patch. Knowledgebase Article ID: BF24810
  • FactoryTalk Linx patch. Knoweldgebase Article ID: BF25509

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Block all traffic to EtherNet/IP™ devices or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP Ports 2222, 7153 and UDP Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID BF7490.

General Mitigations
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

Critical
PN1511 | PN1511 | FactoryTalk Linx Path Traversal Vulnerability Found During Pwn2Own Competition
Published Date:
June 24, 2020
Last Updated:
June 24, 2020
CVE IDs:
CVE-2020-12001
Products:
FactoryTalk Linx Gateway
CVSS Scores:
9.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.1
Revision History
Version 1.1 - June 24, 2020. Corrected affected products.
Version 1.0 - June 18, 2020. Initial Release.

Executive Summary

Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.

During the competition, researchers disclosed an open, unauthenticated port which can allow for a directory traversal. This vulnerability was previously disclosed by Rockwell Automation on June 11, 2020.

Special thanks to researchers at Claroty for submitting this issue through Pwn2Own.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

  • FactoryTalk® Linx software (previously called RSLinx® Enterprise) versions 6.00, 6.10, and 6.11
The following products utilize FactoryTalk Linx:
  • Connected Components Workbench v12 and earlier
  • ControlFLASH™ Plus v1 and later
  • ControlFLASH™ v14 and later
  • FactoryTalk® Asset Centre v9 and later
  • FactoryTalk® Linx CommDTM v1 and later
  • Studio 5000® Launcher v31 and later
  • Studio 5000 Logix Designer® v32 and earlier

Vulnerability Details

CVE-2020-12001: Arbitrary code execution due to directory traversal
The parsing mechanism that processes certain file types does not provide input sanitation. This may allow an attacker to use specially crafted files to traverse the file system and modify sensitive data or execute arbitrary code.

CVSS v3.1 Base Score: 9.6/10[CRITICAL]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10292, ZDI-CAN-10298

Risk Mitigation & User Action

Customers using the affected products are encouraged to apply the patch that addresses the associated risk. Customers who are unable to patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
Vulnerability Information Recommended User Actions

CVE-2020-12001		 Customers are encouraged to apply these patches by following instructions in Rockwell Automation Knowledgebase articles below:

General Security Guidelines

Software/PC-based Mitigation Strategies
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Social Engineering Mitigation Strategies
  • Do not open untrusted files.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd(kabyrd@ra.rockwell.com).


ADDITIONAL LINKS

High
PN1512 | PN1512 | FactoryTalk Services Platform Vulnerable to Arbitrary COM Instantiation During Pwn2Own Competition
Published Date:
June 18, 2020
Last Updated:
June 18, 2020
CVE IDs:
CVE-2020-12033
Products:
FactoryTalk Services Platform
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 18, 2020. Initial Version

Executive Summary

Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.

During the competition, Rockwell Automation was made aware of a service, which can instantiate a COM object on the affected machine.

Special thanks to researchers at Claroty for submitting this vulnerability through the Pwn2Own competition.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Services Platform - All versions

Vulnerability Details

CVE-2020-12033: Arbitrary COM object instantiation due to lack of data validation

FactoryTalk Services Platform redundancy host service (RdcyHost.exe) does not validate supplied identifiers, which could allow an unauthenticated, adjacent attacker to execute remote COM objects with elevated privileges.

CVSS v3.1 Base Score: 7.5/HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10299

Risk Mitigation & User Action

Customers are encouraged to use Rockwell Automation Knowledgebase article QA5266 to determine if FactoryTalk Services Platform is installed. Those using the affected software are directed towards risk mitigation by enabling built-in security features found within FactoryTalk Services platform. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index technote to stay notified.
Vulnerability Information Recommended User Actions



CVE-2020-12033


This vulnerability is mitigated by implementing a secure communication strategy following the guidance outlined in Rockwell Automation Knowledge article QA46277.

General Security Guidelines

Software/PC-based Mitigation Strategies

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Social Engineering Mitigation Strategies
  • Do not open untrusted filed.
  • Do not click on or open URL links from untrusted sources.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd(kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

High
PN1084 | PN1084 | Multiple Vulnerabilities in Arena Simulation Software
Published Date:
June 08, 2020
Last Updated:
June 08, 2020
CVE IDs:
CVE-2019-13527, CVE-2019-13510, CVE-2019-13519, CVE-2019-13511, CVE-2019-13521
Products:
Arena
CVSS Scores:
7.8, 8.6, 3.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - August, 1 2019. Initial Release
Revision History
Revision Number
1.1
Revision History
Version 1.1 - September 19, 2019. Updated Vulnerability Reports.
Revision History
Revision Number
1.2
Revision History
Version 1.2 - June 8, 2020. Updated Vulnerability Reports.

Executive Summary

The Zero Day Initiative (ZDI), part of the information security company Trend Micro, reported multiple potential vulnerabilities in Arena Simulation software. These vulnerabilities, if successfully exploited, may allow a remote, unauthenticated attacker to cause denial of service conditions or execute arbitrary code on a system after using previously freed memory.

Successful exploitation of these vulnerabilities relies on a social engineering attack.

Special thanks to Kimiya of 9SG Security team working with ZDI to find these vulnerabilities.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their networks. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.

Affected Products

Arena® Simulation Software for Manufacturing, Cat. 9502-Ax, Versions 16.00.00 and earlier.

Vulnerability Details

CVE-2019-13510: Denial-of-service file parsing use-after-free potential remote code execution vulnerabilities
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

Note: There are also valid reasons why a file may not open in Arena®. To learn more about these circumstances, please see RAid#1073702.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.
CVE ID ZDI Report ID
CVE-2019-13510 ZDI-CAN-8012
ZDI-CAN-8013
ZDI-CAN-8015
ZDI-CAN-8016
ZDI-CAN-8017
ZDI-CAN-8060
ZDI-CAN-8062
ZDI-CAN-8096
ZDI-CAN-8174
ZDI-CAN-8600
ZDI-CAN-8623
ZDI-CAN-8624
ZDI-CAN-8683
ZDI-CAN-10129
ZDI-CAN-10186
ZDI-CAN-10373
ZDI-CAN-10374
ZDI-CAN-10470
ZDI-CAN-10554
ZDI-CAN-10555
ZDI-CAN-10556
ZDI-CAN-10557
ZDI-CAN-10559


CVE-2019-13511: Use-after-free Information disclosure vulnerability
If a maliciously crafted  .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, information from the targeted workstation could be accessed. However, the threat actor cannot target and retrieve data of their choosing.

CVSS v3.1 Base Score: 3.3/10[LOW]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N.
CVE ID ZDI Report ID
CVE-2019-13511 ZDI-CAN-8014

CVE-2019-13519: Denial-of-service file parsing type confusion vulnerability
If a maliciously crafted  .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE ID ZDI Report ID
CVE-2019-13519 ZDI-CAN-8175

CVE-2019-13521: Denial-of-service file type insufficient UI vulnerability
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 7.8/10[HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE ID ZDI Report ID
CVE-2019-13521 ZDI-CAN-8134

CVE-2019-13527: Denial-of-service conditions due to uninitialized pointer dereference
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. The issue results from the lack of proper initialization of a pointer prior to accessing it. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 7.8/10[HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE ID ZDI Report ID
CVE-2019-13527 ZDI-CAN-8682

Risk Mitigation & User Action

Customers using the affected versions of Arena® are encouraged to install the updated revision of software that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below, and are encouraged, when possible, to combine these with secondary mitigations.

  1. Customers using Arena® v16.00.00 are encouraged to implement patch v16.00.01 to address these vulnerabilities (Download).

  2. Do not open untrusted .doe files with Arena® Simulation Software.
  3. Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  4. Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.
  7. Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

General Security Guidelines

High
PN1503 | PN1503 | EDS Subsystem Affected by Multiple Vulnerabilities
Published Date:
May 19, 2020
Last Updated:
May 19, 2020
CVE IDs:
CVE-2020-12038, CVE-2020-12034
Products:
Software, Logix Designer, RSNetWorx, FactoryTalk Linx Gateway, RSLinx Classic (Single Node, FactoryTalk Linx / RSLinx Enterprise, RSLogix 5000 / Studio 5000 Logix Designer
CVSS Scores:
8.2, 6.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - May 19, 2020.  Initial Release.

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding multiple vulnerabilities in the parsing and storing of Electronic Datasheet (EDS) files in Rockwell Automation® software products. These vulnerabilities, if successfully exploited, may result in code injection and denial-of-service conditions

EDS files are text files that allow product-specific information to be made available to third-party vendors by Rockwell Automation. These files define a device's configurable parameters and the public interfaces to those parameters for identification and commissioning.

Rockwell Automation has provided software updates containing the remediation to these vulnerabilities. Customers using the affected versions of these products are encouraged to evaluate the mitigations provided below and apply them appropriately.

Affected Products

  • FactoryTalk® Linx software(Previously called RSLinx® Enterprise) versions 6.00, 6.10,and 6.11
  • RSLinx® Classic v4.11.00 and earlier
  • RSNetWorx™ software v28.00.00 and earlier
  • Studio 5000 Logix Designer® software v32 and earlier

Vulnerability Details

CVE-2020-12034: SQL injection due to improper input sanitization
The EDS subsystem does not provide adequate input sanitization, which may allow an attacker to craft specialized EDS files to inject SQL queries and manipulate the database storing the EDS files. This may lead to denial-of-service (DoS) conditions or allow an attacker to manipulate the SQL engine to write or modify files on the system. This affects the EDS subsystem v27 and earlier.

CVSS v3.1 Base Score: 8.2/10[HIGH]
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H

CVE-2020-12038: Denial-of-service conditions due to memory corruption in parsing/storage of EDS files
A memory corruption vulnerability exists in the algorithm that matches square brackets in the EDS subsystem. This may allow an attacker to craft specialized EDS files to crash the EDSParser COM object leading to denial-of-service (DoS) conditions. This affects the EDS subsystem v27 and earlier.

CVSS v3.1 Base Score: 6.7/10[MEDIUM]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

CVE Products Affected Mitigation
CVE-2020-12034
CVE-2020-12038
  • FactoryTalk® Linx software(Previously called RSLinx® Enterprise) versions 6.00, 6.10,and 6.11
  • RSLinx® Classic v4.11.00 and earlier
  • RSNetWorx™ software v28.00.00 and earlier
  • Studio 5000 Logix Designer® software v32 and earlier
 Apply patch by following the instructions in knowledgebase article RAid 1125928.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

  • Block all traffic to EtherNet/IP™ or other CIP™protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP Port#s 2222, 7153 and UDP Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.

General Mitigations

  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

Additional Links

High
PN1502 | PN1502 | OSIsoft PI System Vulnerabilities Affect Multiple Rockwell Automation Software Products
Published Date:
May 12, 2020
Last Updated:
May 12, 2020
CVE IDs:
CVE-2020-10608, CVE-2020-10606, CVE-2020-10645, CVE-2020-10600, CVE-2020-10610
Products:
FactoryTalk VantagePoint, FactoryTalk View SE, FactoryTalk Historian SE, PlantPAx, ThingWorx Connection Server
CVSS Scores:
7.8, 8.0, 5.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
2.0
Revision History
Version 2.0 - October, 13, 2020. Updated risk mitigations and recommended user actions.
Version 1.0 - May 12, 2020.  Initial Release.

Executive Summary

OSIsoft reported five vulnerabilities in PI System, a real-time data collection and visualization software, to Rockwell Automation. PI System software is used in multiple Rockwell Automation® software products. These vulnerabilities if successfully exploited, may result in privilege escalation, information disclosure or a denial-of-service condition.

Not every PI System vulnerability applies to each impacted product. Please see the table under Affected Products for a full list of the affected Rockwell Automation products and the corresponding PI System vulnerability.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

Product CVE-2020-10610 CVE-2020-10608 CVE-2020-10606 CVE-2020-10600 CVE-2020-10645
FactoryTalk® View SE software version 11.00.00 and earlier X X X
FactoryTalk® VantagePoint® software version 8.10.00 and earlier X X X
FactoryTalk Historian - ThingWorx Connector software version 3.00.00 X X X
FactoryTalk Historian SE software version 6.00.00 and earlier X X X X
PlantPAx® DCS software (including Virtual Templates) version 4.60.00 and earlier X X X
FactoryTalk ProcessBook software version 3.60.00 and earlier X X X X
FactoryTalk Datalink software version 5.30.00 and earlier X X X
FactoryTalk Historian SE to Historian SE (SE2SE) Interface software version 3.08.07 and earlier X X X
FactoryTalk Historian SE Interface for Universal File Loader software version 3.01.02 and earlier X X X
FactoryTalk Historian SE Interface for ODBC (RDBMS) software version 3.20.06 and earlier X X X
FactoryTalk Historian Batch Interface software version 1.00.20 and earlier X X X
FactoryTalk Historian Event Frames Generator (PE EFGen) software version 4.00.25 and earlier X X X
FactoryTalk Historian SE Advance Server software version 6.00.00 and earlier X X X
FactoryTalk Historian SE third-party OLEDB Connectivity software version 4.00.00 and earlier X X X
FactoryTalk Historian SE third-party OPC Connectivity software version 4.00.00 and earlier X X X

Vulnerability Details

OSISoft provided the vulnerability details in their security advisory.

CVE-2020-10610: Local Privilege Escalation via Uncontrolled Search Path Element
A local attacker can modify a search path and plant a binary to exploit the affected PI System software and take control of the local computer at system level privileges, resulting in unauthorized information disclosure, deletion or modification.

CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.c

CVE-2020-10608: Local Privilege Escalation via Improper Verification of Cryptographic Signature
A local attacker can plant a binary and bypass a code integrity check for loading PI System libraries. Exploitation can target another local user of the software to escalate privilege, resulting in unauthorized information disclosure, deletion or modification.

CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

CVE-2020-10606: Local Privilege Escalation via Incorrect Default Permissions
A local attacker can exploit incorrect permissions set by affected PI System software. Exploitation can result in unauthorized disclosure, deletion, or modification if the local computer also processes PI System data from other users such as a shared workstation or terminal server deployment.

CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

CVE-2020-10600: Null Pointer Dereference may cause Denial-conditions
A remote, authenticated attacker could crash PI Archive Subsystem when the subsystem is working under memory pressure. This can result in blocking queries to PI Data Archive and may cause denial-of-service conditions.

CVSS v3 Base Score: 5.9/10 (MEDIUM)
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H.

CVE-2020-10645: Use of Out-of-range Pointer Offset may lead to Remote Code Execution
A remote, authenticated attacker could embed malicious content in the display file of the impacted software product. When opened by an affected version, the attacker could read, write and execute code on the computer with the impacted software in the context of the current user.

CVSS v3 Base Score: 8.0/10 (HIGH)*
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

* Note: OSIsoft calculated the Temporal CVSS metrics for this vulnerability, which brings the score to a 6.4/10 (MEDIUM)

Risk Mitigation & User Action

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates and user guidance as these fixes become available. Please subscribe to security updates to this advisory and the Industrial Security Index (Knowledgebase PN1354) to stay notified.

Customers currently using any of the affected software are encouraged to take the following actions:

v2.0 - Update:

Product CVE Identifiers Suggested Action
FactoryTalk® View SE software CVE-2020-10606
CVE-2020-10608
CVE-2020-10610		 Download v12.00.00 or later.
FactoryTalk Historian SE CVE-2020-10600
CVE-2020-10606
CVE-2020-10608
CVE-2020-10610		 Download v7.00.00 or later.
PlantPAx® DCS software (including Virtual Templates) CVE-2020-10606
CVE-2020-10608
CVE-2020-10610		 Download v5.00 or later.
FactoryTalk ProcessBook software CVE-2020-10606
CVE-2020-10608
CVE-2020-10610
CVE-2020-10645		 Download v3.70.01 or later.
FactoryTalk Datalink software CVE-2020-10606
CVE-2020-10608
CVE-2020-10610		 Download v5.50.02 or later.
FactoryTalk Historian SE Interface for Universal File Loader software CVE-2020-10606
CVE-2020-10608
CVE-2020-10610		 Download v3.60.07 or later.
FactoryTalk Historian SE Interface for ODBC (RDBMS) software CVE-2020-10606
CVE-2020-10608
CVE-2020-10610		 Download v3.24.05 or later.
FactoryTalk Historian Event Frames Generator (PE EFGen) software CVE-2020-10606
CVE-2020-10608
CVE-2020-10610		 Download v4.00.40 or later.
FactoryTalk Historian SE Advance Server software CVE-2020-10606
CVE-2020-10608
CVE-2020-10610		 Download v7.00.00 or later.
FactoryTalk Historian SE third-party OLEDB Connectivity software CVE-2020-10606
CVE-2020-10608
CVE-2020-10610		 Download v7.00.00 or later.
FactoryTalk Historian SE third-party OPC Connectivity software CVE-2020-10606
CVE-2020-10608
CVE-2020-10610		 Download v7.00.00 or later.

v1.0 - Initial Release:
Customers currently using any of the affected software that is not listed in the table above are encouraged to take the following actions:

Vulnerability Identifier Suggested Actions
CVE-2020-10610
  • Work with your IT administrator to manage permissions on HKLMSoftwarePISystem and HKLMSoftwareWOW6432NodePISystem registry keys to block a high impact exploit path.
  • Monitor the above keys and the following folder: ProgramDataPISystem for any unauthorized changes
  • See Knowledgebase ID QA59280 for details on setting registry permissions.
  • See Knowledgebase ID QA59281 for details on monitoring the registry.
CVE-2020-10608
  • Restrict network connections from PI client workstations to trusted AF servers (TCP port 5457)
CVE-2020-10606
  • Evaluate and disable unused PI Buffering services from PI client workstations (PI Buffer Subsystem, PI Buffer Server)
  • By default, buffering is not configured. If buffering is configured, the preferred method of authentication is to use Windows Authentication for the connection from the Buffer to the Historian.
  • See Knowledgebase ID QA59282 to check whether PI Buffering is enabled.
CVE-2020-10600
  • Limit console and remote desktop logon access to authorized administrators for normally unattended PI System servers and interface nodes.
CVE-2020-10645
  • Delete lfmngu.dll from %PIHOME%Procbook directory (typically C:Program Files (x86)Rockwell SoftwareFactoryTalk HistorianPIPCProcbook or C:Program Files (x86)PIPCProcbook).
  • The third-party library is not needed for supported PI ProcessBook features.
  • See Knowledgebase Document ID QA56969 for other possible default installation paths.

General Security Guidelines

  • Run all software as user, not as an administrator, to minimize the impact of malicious code on the infected system.
  • (CVE-2020-10610 & CVE-2020-10608) Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

Additional Links

Critical
PN1500 | PN1500 | FactoryTalk Activation Affected by Sentinel LDK Vulnerabilities
Published Date:
April 23, 2020
Last Updated:
April 23, 2020
CVE IDs:
CVE-2017-12819, CVE-2019-8282, CVE-2017-11497, CVE-2017-11496, CVE-2017-12818, CVE-2017-11498, CVE-2017-12821, CVE-2017-12822, CVE-2019-8283, CVE-2017-12820
Products:
FactoryTalk Activation
CVSS Scores:
7.5, 9.9, 9.8, 5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 / April 23, 2020 - Initial Release

Executive Summary

Kaspersky, a cybersecurity company, alerted Rockwell Automation of ten vulnerabilities in the hasplms service that is part of Gemalto’s HASP SRM, Sentinel HASP, and Sentinel LDK products. FactoryTalk® Activation provides the user a way to install the Sentinal LDK Runtime Environment. The Sentinal LDK Runtime Environment allows the installation of the necessary drivers to use Flexera dongles. Customers who are not using Flexera dongles to store activations would not be impacted by these vulnerabilitites.

These vulnerabilities are remotely exploitable and may allow threat actors to cause a denial-of-service (DoS) condition or execute arbitrary code if successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Activation Manager v4.03.11 and below
  • Includes Sentinal LDK Runtime Environment v7.50

Vulnerability Details

CVE-2017-12822: Remote Code Execution (RCE) via Admin Interface
A remote, unauthenticated attacker may enable and disable the admin interface in the Sentinel LDK Runtime Environment. Attacker may cause remote code execution.

CVSS v3.0 Base Score: 9.9/CRITICAL
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

CVE-2017-11496: Arbitrary Code Execution via Malformed ASN.1 Streams
A stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center) may allow a remote, unauthenticated attacker to execute arbitrary code via malformed ASN.1 streams in V2C and similar input files.

CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-11497: Arbitrary Code Execution via Language Packs with Filenames Longer than 1024 Characters
A stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center) may allow a remote, unauthenticated attacker to execute arbitrary code via language packs containing filenames longer than 1024 characters.

CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-12819: NTLM-Relay Attack via Remote Manipulations with Language Pack Updater
Manipulations with language pack updater may allow a remote, unauthenticated attacker to perform a NTLM-relay (NT Lan Manager) attack for system users. Successful exploitation of this vulnerability may cause a NTLM-hash capture that could lead to unknown impacts.

CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-12821: Remote Code Execution via Memory Corruption
An XML payload with more than the supported number of elements leads to a buffer overflow of a variable in stack. Successful exploitation may allow a remote, unauthenticated attacker to cause denial-of-service (DoS) conditions or remote code execution.

CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-11498: Denial of Service (DoS) via Language Pack (ZIP file) with Invalid HTML Files
Language packs (ZIP files) with invalid HTML files lead to null pointer dereferences, which could be exploited by malicious HTML files. Successful exploitation may allow a remote attacker, unauthenticated attacker to cause denial of service (DoS) conditions.

CVSS v3.0 Base Score: 7.5/HIGH
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

CVE-2017-12818: Denial of Service (DoS) via Stack Overflow in Custom XML-Parser
A stack overflow in custom XML-parser in Sentinel LDK may allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition.

CVSS v3.0 Base Score: 7.5/HIGH
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2017-12820: Denial of Service (DoS) via Arbitrary Memory Read from Controlled Memory Pointer
An arbitrary memory read from controlled memory pointer in Sentinel LDK may allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition.

CVSS v3.0 Base Score: 7.5/HIGH
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-8282: Man-in-the-Middle (MITM) Attack via Cleartext HTTP Communications
Gemalto ACC (Admin Control Center) uses cleartext HTTP to obtain language packs. A skilled remote attacker may be able to perform a Man-in-the-Middle (MITM) attack and replace the original language pack with a malicious one. User interaction is required in order for attackers to successfully exploit this vulnerability.

CVSS v3.0 Base Score: 5.3/MEDIUM
CVSS v3.0 Vector String: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N.

CVE-2019-8283: Hasplm cookie does not have a HTTPOnly Attribute
The Hasplm cookie in Gematlo ACC (Admin Control Center) does not have HTTPOnly flag. This may allow a remote attacker to use a malicious javascript to steal the cookie. User interaction is required.

CVSS v3.0 Base Score: 5.3/MEDIUM
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk Activation are encouraged to update to FactoryTalk Activation version 4.04.00 or greater. This version addresses the associated risk and uses a version of Sentinel LDK Runtime Environment with no known vulnerabilities associated with it at time of publication.

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP™ traffic from unauthorized sources are blocked.
  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® Products, refer to Knowledgebase Article ID 898270.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar Whitelisting application can help mitigate risk.  Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

High
PN1498 | PN1498 | Current Program Updater Vulnerable to Privilege Escalation
Published Date:
April 09, 2020
Last Updated:
April 09, 2020
CVE IDs:
CVE-2017-5176
Products:
Current Program Updater v1.1.0.7
CVSS Scores:
7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - April 09, 2020. Initial Release.

Executive Summary

Rockwell Automation received a vulnerability report from Reid Wightman, a researcher from Dragos, regarding a file permission vulnerability affecting several Dynamic Link Library (DLL) files added during installation of the Current Program Updater software. If successfully exploited, this vulnerability may allow a local attacker to escalate privileges on the targeted PC to gain system administrative control.

Current Program Updater is installed with the Product Selection Toolbox™ suite along with other toolkits. For a full list, please see the affected products below.

Affected Products

Current Program Updater v1.1.0.7 and earlier.

The following tools use the affected version of Current Program Updater:

  • Batch Accelerator Toolkit v1.0.0.0
  • CENTERLINE® 2500 Global Production v1.0.4.0 and earlier
  • CENTERLINE Builder v3.19.0829.02
  • Computer Numerical Control (CNC) Accelerator Toolkit v0.0.0.0
  • Connected Components Accelerator Tool Kit v1.1.0.0 to v3.4.0.0
  • Connected Components Workbench™ software (CCW) v11 and earlier
  • Drives & Motions Accelerator Toolkit v1.0.0.0
  • Energy Management Accelerator Toolkit v3.0.0.0 and earlier
  • PowerOne v1.51.55 and earlier
  • Product Selection Toolbox Suite:
    • CrossWorks™ v4.3.0.11 and earlier
    • Integrated Architecture® Builder v9.7.9.1 and earlier
    • MCSStar v5.1.0.7
    • ProposalWorks™ v10.0.7185.14602 and earlier
    • Product Selection Toolbox Installer v.18.09.x and earlier
    • Prosafe® Builder v1.1.0.0 and earlier
    • Safety Automation Builder® v3.1.0.2 and earlier
    • User-Defined Devices v1.6.0.12 and earlier
  • Safety Accelerator Toolkit v6.0.0.0 and earlier
  • Water Wastewater Accelerator Toolkit v3 and earlier

Vulnerability Details

CVE-2017-5176: File Permission Vulnerability Leading to Privilege Escalation
A local, authenticated attacker could write to several directories containing Dynamic Load Library (DLL) files that execute with system level privilege. These DLL files inherit the properties of these directories, meaning DLL files that run at the system level can be written to by a normal user and lead to an escalation of privileges. Certain registry keys were also found to be writeable to normal users.

A CVSS v3 base score of 7.0/High has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Customers currently using any of the affected tools are encouraged to take the following actions:

  1. Existing customers using affected versions of the tools should update to the newest version of the tools. Existing users can do this by running an update in Current Program Updater. New users can do this by accepting and running the Current Program Updater update offered immediately during installation. After the tool runs, it will apply the most recent version of Current Program Updater as well as the most recent version of the tools currently installed. Fixed versions of toolkits will no longer allow the toolkits to make changes to the access controls of files and registry keys.
  2. Work with your IT administrators to ensure that the following files and registry keys have the correct access control permissions. Ensure that the least-privilege user principle is followed, and user/service account access is only granted with a minimum number of rights as needed.
Toolkit Impacted Registry Keys or Files
All Tools C:WindowsSysWOW64raise.dll
C:WindowsSysWOW64SSPodt.exe
HKEY_CLASSES_ROOTRAISE
Batch Accelerator Toolkit HKEY_CLASSES_ROOTRAISEInstalled ComponentsBatch
CENTERLINE 2500 Global Product Configuration Builder HKEY_CLASSES_ROOTRAISEInstalled ComponentsInstalled ComponentsEST_Adv
CENTERLINE Builder HKEY_CLASSES_ROOTRAISEInstalled ComponentsCENTERLINEBuilder
CNC Accelerator Toolkit HKEY_CLASSES_ROOTRAISEInstalled ComponentsCMAT
Connected Components Accelerator Tool Kit HKEY_CLASSES_ROOTRAISEInstalled ComponentsCCAT
Current Program Updater HKEY_CLASSES_ROOTRAISEInstalled ComponentsShared
Drives and Motion Accelerator Toolkit HKEY_CLASSES_ROOTRAISEInstalled ComponentsSimp_DMAT
Energy Management Accelerator Toolkit HKEY_CLASSES_ROOTRAISEInstalled ComponentsSimp_EMAT
Product Selection Toolbox Suite HKEY_CLASSES_ROOTRAISEInstalled ComponentsShared
&Safety Accelerator Toolkit HKEY_CLASSES_ROOTRAISEInstalledComponentsSimp_SafetyGuardLogix
Water Wastewater Accelerator Toolkit HKEY_CLASSES_ROOTRAISEInstalled ComponentsSimp_WWWAT
  1. If a toolkit has been installed to a custom directory, customers are encouraged to identify what other directories may have had the access level privileges modified by the toolkits and work with their IT administrator to ensure the directories have the correct level of permissions. Ensure that the least-privilege user principle is followed, and user/service account access is only granted with a minimum number of rights as needed. To identify these directories, customers can review the list at the following registry key:

    HKEY_CLASSES_ROOTRAISEInstalled Components

The following toolkits are considered End of Life (EOL):

Product Family Suggested Actions
Connected Components Accelerator Tool Kit
Drives & Motions Accelerator
CNC Accelerator Toolkit
Safety Accelerator Toolkit
Energy Management Accelerator Toolkit
Water Wastewater Accelerator Toolkit		 Customers are encouraged to discontinue use of these toolkits and uninstall if possible and follow the remediation steps outlined above.

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLockeror other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

ADDITIONAL LINKS

High
PN1499 | PN1499 | RSLinx Classic Privilege Escalation Vulnerability
Published Date:
April 09, 2020
Last Updated:
April 09, 2020
CVE IDs:
CVE-2020-10642
Products:
RSLinx Classic (Single Node
CVSS Scores:
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - April 09, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from the researcher William Knowles at Applied Risk regarding a vulnerability in RSLinx® Classic software, which if successfully exploited, could allow an authenticated attacker to gain elevated or SYSTEM level privileges.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

RSLinx versions 4.11.00 and earlier.

Vulnerability Details

CVE-2020-10642: Privilege Escalation via Weak Registry Key Permissions
An authenticated, local attacker could modify the registry key, which could lead to the execution of malicious code when RSLinx Classic was opened. The code would run under the same system privileges as RSLinx and therefore, could be used for privilege escalation.

CVSS v3.0 Base Score: 8.8/HIGH
CVSS v3.0 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions of RSLinx Classic are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards the risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family Suggested Actions
RSLinx Classic Apply Patch 1091155 (Download). The patch can be applied to v3.60 to v4.11, but customers are encouraged to apply the most recent version of RSLinx Classic.

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  • Ensure that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

ADDITIONAL LINKS

Critical
PN1027 | PN1027 | Stratix 5950 Contains Multiple Vulnerabilities
Published Date:
April 07, 2020
Last Updated:
April 07, 2020
CVE IDs:
CVE-2018-0228, CVE-2018-0296, CVE-2018-0227, CVE-2018-0231, CVE-2018-0240
Products:
Stratix 5950 Security Appliance
CVSS Scores:
7.5, 10.0, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - June 21, 2018.  Initial Release.
Revision History
Revision Number
1.1
Revision History
Version 1.1 - April 07, 2020.  Updates to mitigations and other languages.

Introduction

Stratix 5950 Client Certificate Bypass and Denial of Service Vulnerabilities

Description

Executive Summary

Cisco Systems, Inc. (“Cisco”) has released advisories detailing multiple vulnerabilities in Cisco Adaptive Security Appliance (“ASA”) Software that, if successfully exploited, could potentially allow a threat actor to bypass client certification to create connections to the affected device, cause an affected device to crash, or allow a threat actor to view potentially sensitive data on a device. The Allen-Bradley® Stratix® 5950 uses Cisco ASA software as its central operating system; this enables the security device to offer capabilities that include providing proactive threat defense for industrial control systems.

Customers using affected versions of this product are encouraged to evaluate the mitigations provided below, and apply any appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided below.

Affected Products

Allen-Bradley® Stratix® 5950 Security Appliance
(Cisco Adaptive Security Appliance v9.6.2 and earlier)

  • 1783-SAD4T0SBK9
  • 1783-SAD4T0SPK9
  • 1783-SAD2T2SBK9
  • 1783-SAD2T2SPK9

Vulnerability Details

Vulnerability #1: Flow Creation Denial of Service Vulnerability
A vulnerability in the ingress flow creation functionality of Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause the CPU to increase upwards of 100 percent utilization, causing a denial of service (DoS) condition on an affected system.

The vulnerability is due to incorrect handling of an internal software lock that could prevent other system processes from getting CPU cycles, causing a high CPU condition. A threat actor could exploit this vulnerability by sending a steady stream of malicious IP packets that can cause connections to be created on the targeted device. A successful exploit could allow the threat actor to exhaust CPU resources, resulting in a DoS condition during which traffic through the device could be delayed. This vulnerability applies to either IPv4 or IPv6 ingress traffic either to or across an affected device.

CVE-2018-0228 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #2: Virtual Private Network SSL Client Certificate Bypass Vulnerability
A vulnerability in the Secure Sockets Layer (SSL) Virtual Private Network (VPN) Client Certificate Authentication feature for Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote threat actor to establish an SSL VPN connection and bypass certain SSL certificate verification steps.

The vulnerability is due to incorrect verification of the SSL Client Certificate. A threat actor could exploit this vulnerability by connecting to the ASA VPN without a proper private key and certificate pair. A successful exploit could allow the threat actor to establish an SSL VPN connection to the ASA when the connection should have been rejected.

CVE-2018-0227 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

Vulnerability #3: Transport Layer Security Denial of Service Vulnerability
A vulnerability in the Transport Layer Security (TLS) library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote threat actor to trigger a reload of the affected device resulting in a denial of service (DoS) condition.

The vulnerability is due to insufficient validation of user-supplied input. A threat actor could exploit this vulnerability by sending a malicious TLS message to an interface enabled for Secure Layer Socket (SSL) services on an affected device. Messages using SSL Version 3 (SSLv3) or SSL Version 2 (SSLv2) cannot be be used to exploit this vulnerability. An exploit could allow the threat actor to cause a buffer underflow, triggering a crash on an affected device.

CVE-2018-0231 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #4 Application Layer Protocol Inspection Denial of Service Vulnerabilities
Multiple vulnerabilities in the Application Layer Protocol Inspection feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote threat actor to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

The vulnerabilities are due to logical errors during traffic inspection. A threat actor could exploit these vulnerabilities by sending a high volume of malicious traffic across an affected device. An exploit could allow the threat actor to cause a deadlock condition, resulting in a reload of an affected device.

CVE-2018-0240 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #5: Web Services Denial of Service or Potential Sensitive Information Disclosure
A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote threat actor to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but a threat actor could view sensitive system information without authentication by using directory traversal techniques.

The vulnerability is due to lack of proper input validation of the HTTP URL. A threat actor could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the threat actor to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic.

CVE-2018-0296 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H.

Risk Mitigation & User Action

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and are encouraged when possible, to combine this guidance with the general security guidelines to employ multiple strategies simultaneously.

Update the Stratix 5950 per the table below:

Vulnerability Suggested Actions
#1: Flow Creation Denial of Service Vulnerability
#2: Virtual Private Network SSL Client Certificate Bypass Vulnerablity
#3: Transport Layer Security Denial of Service Vulnerability
#4: Application Layer Protocol Inspection Denial of Service Vulnerabilities
#5 Web Services Denial of Service or Potential Sensitive Information Disclosure		 Apply FRN v6.4.0 (Download)

Secondary Mitigations include the following:

  • #1: Flow Creation Denial of Service Vulnerability: The ASA and FTD configuration commands, set connection per-client-embryonic-max (TCP) and set connection per-client-max (TCP, UDP, and Stream Control Transmission Protocol {SCTP}), can be configured to limit the number of connection requests allowed. Using these configuration parameters can reduce the number of connections and greatly reduce the impact of the DoS attack.
  • #5 Web Services Denial of Service or Potential Sensitive Information Disclosure: Cisco has released Snort Rule 46897.

General Security Guidelines

  1. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  2. Locate control system networks and devices behind firewalls and isolate them from the business network.
  3. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security)

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

Attachments

High
PN1046 | PN1046 | Stratix 5950 Denial of Service Vulnerability
Published Date:
April 07, 2020
Last Updated:
April 07, 2020
CVE IDs:
CVE-2018-0472
Products:
Stratix 5950 Security Appliance
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - April 04, 2019.  Initial Release
Revision History
Revision Number
1.1
Revision History
Version 1.1 - April 7, 2020.  Updates to mitigations.

Introduction

Stratix 5950 Denial of Service Vulnerability

Description

Executive Summary

Cisco® released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included seven security advisories that affect Allen-Bradley® products. One of these vulnerabilities affects the following Allen-Bradley Stratix® product:

  • Allen-Bradley Stratix 5950 Security Appliance

Affected Products

Allen-Bradley Stratix 5950 Security Appliance

  • 1783-SAD4T0SBK9
  • 1783-SAD4T0SPK9
  • 1783-SAD2T2SBK9
  • 1783-SAD2T2SPK9

Vulnerability Details

Cisco Adaptive Security Appliance (ASA) IPsec Denial of Service

A vulnerability in the IPsec driver code of multiple Cisco IOS XE Software platforms and the Cisco ASA 5500-X Series Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause the device to reload.

The vulnerability is due to improper processing of malformed IPsec Authentication Header (AH) or Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by sending malformed IPsec packets to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.

NOTE: IPsec is disabled by default in the Allen-Bradley Stratix 5950 devices.

The security disclosure from Cisco for their IOS XE and Cisco ASA 5500-x Series is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec.

CVE-2018-0472 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Risk Mitigation & User Action

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and are encouraged when possible, to combine this guidance with the general security guidelines to employ multiple strategies simultaneously.

Update the affected products per the table below:

Product Suggested Actions

Stratix 5950 Security Appliance

  • 1783-SAD4T0SBK9
  • 1783-SAD4T0SPK9
  • 1783-SAD2T2SBK9
  • 1783-SAD2T2SPK9
 Apply FRN v6.4.0 (Download)

General Security Guidelines

  1. Utilize proper network infrastructure controls, such as firewalls, to help ensure that requests from unauthorized sources are blocked and the controls are isolated from the business network.
  2. Consult the product documentation for specific features, such as access control lists and deep pack inspection, to which may be used to block unauthorized changes, etc.
  3. Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
  4. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

Medium
PN1100 | PN1100 | Stratix 5950 Secure Boot Hardware Tampering Vulnerability
Published Date:
March 10, 2020
Last Updated:
March 10, 2020
CVE IDs:
CVE-2019-1649
Products:
__productNames
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
Revision 1.0
Revision History
March 10, 2020.  Initial Release.

Executive Summary

Cisco Systems, Inc. (Cisco) released an advisory regarding a vulnerability in the logic that handles access control to a hardware component in Cisco’s proprietary Secure Boot implementation. If successfully exploited, an attacker could write a modified firmware image to the component. The Allen-Bradley® Stratix® 5950 utilizes Cisco’s proprietary Secure Boot implementation.

Customers using affected versions of this product are encouraged to evaluate the mitigations provided below and apply any appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided below.

Affected Products

Allen-Bradley Stratix 5950 Security Appliance:

  • 1783-SAD4T0SBK9
  • 1783-SAD4T0SPK9
  • 1783-SAD2T2SBK9
  • 1783-SAD2T2SPK9

Vulnerability Details

CVE-2019-1649: Cisco Secure Boot Hardware Tampering
A vulnerability in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write their own modified firmware image to the affected component.

The vulnerability is due to an improper check on the area of code that manages on-premise updates to a Field Programmable Gate Array (FPGA) part of the Secure Boot hardware implementation. An attacker with elevated privileges and access to the underlying operating system running on the affected device could utilize this vulnerability to write a modified firmware image to the FPGA. A successful exploit could cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image.

The security disclosure from Cisco regarding their Secure Boot implementation is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot.

CVSS v3.1 Base Score: 6.7/10[MEDIUM]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and are encouraged when possible, to combine this guidance with the general security guidelines to employ multiple strategies simultaneously.

Update the affected products per the table below:

Vulnerability Product Suggested Actions
CVE-2019-1649 Stratix 5950 Security Appliance
  • 1783-SAD4T0SBK9
  • 1783-SAD4T0SPK9
  • 1783-SAD2T2SBK9
  • 1783-SAD2T2SPK9
 Apply FRN v6.4.0 (Download)

General Security Guidelines

  1. Utilize proper network infrastructure controls, such as firewalls, to help ensure that requests from unauthorized sources are blocked and the controls are isolated from the business network.
  2. Consult the product documentation for specific features, such as access control lists and deep pack inspection, to which may be used to block unauthorized changes, etc.
  3. Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
  4. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

Additional Links

Critical
PN1411 | PN1411 | MicroLogix Controllers, RSLogix 500 Software Contains Multiple Vulnerabilities Affecting Confidentiality
Published Date:
March 05, 2020
Last Updated:
March 05, 2020
CVE IDs:
CVE-2020-6980, CVE-2020-6990, CVE-2020-6988, CVE-2020-6984
Products:
RSLogix 500
CVSS Scores:
4.0, 5.9, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
Version 1.0
Revision History
March 05, 2020 - Intitial release.

Executive Summary

A subset of MicroLogix™ controllers and RSLogix 500® software contain multiple vulnerabilities that could allow an attacker to gain access to sensitive project file information including passwords. Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies submitted reports to Rockwell Automation regarding several vulnerabilities found in the Allen-Bradley® MicroLogix controllers and RSLogix 500 software. A subset of these vulnerabilities was also independently co-discovered and reported by Rongkuan Ma, Xin Che, and Peng Cheng from 307 Lab.

Customers using affected versions of these products are encouraged to evaluate their risk and apply the appropriate mitigations provided below to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

MicroLogix 1400 Controllers
Series B, v21.001 and earlier
Series A, all versions

MicroLogix 1100 Controllers
All versions

RSLogix 500® Software
V12.001 and earlier

Vulnerability Details

CVE-2020-6990: Use of Hard-Coded Cryptographic Key
The cryptographic key utilized to help protect the account password is hard-coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller.

CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

CVE-2020-6984: Use of a Broken or Risky Algorithm for Password Protection
The cryptographic function utilized to protect the password in MicroLogix is discoverable. This password protects access to the device. If successfully exploited a remote attacker could gain unauthorized access to the controller.

CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-6988: Use of Client-Side Authentication
A remote, unauthenticated attacker can send a request from the RSLogix 500 software to the victim’s MicroLogix controller, and the controller will then respond to the client with used password values to authenticate the user on the client-side. This method of authentication may allow an attacker to bypass authentication altogether, disclose sensitive information, or leak credentials.

CVSS v3.1 Base Score: 5.9/MEDIUM
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

CVE-2020-6980: Unsecured SMTP Data Storage
If Simple Mail Transfer Protocol (SMTP) account data is saved in RSLogix 500, a local attacker with access to a victim’s project file or the controller, may be able to gather SMTP server authentication data as it is written to the project file in cleartext.

CVSS v3.1 Base Score: 4.0/MEDIUM
CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Acknowledgements:

CVE# Discovery Attribution
CVE-2020-6990 Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies.
CVE-2020-6984 Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies.  Independently co-discovered by Rongkuan Ma, Xin Che, and Peng Cheng from 307 lab.
CVE-2020-6988 Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies.  Independently co-discovered by Rongkuan Ma, Xin Che, and Peng Cheng from 307 lab.
CVE-2020-6980 Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies.

Risk Mitigation & User Action

Customers are encouraged to assess their level of risk regarding their specific applications and update to the latest available firmware or software version that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below and are encouraged, when possible, to combine these strategies with the general security guidelines to employ multiple strategies simultaneously.

Note: Customers using affected versions of MicroLogix 1400 or MicroLogix 1100 are urged to contact their local distributor or sales office to upgrade their devices to MicroLogix 1400 Series B or a newer product line.

Product Catalog Numbers Suggested actions for CVE-2020-6990, CVE-2020-6984, and CVE-2020-6988 Suggested actions for CVE-2020-6980
MicroLogix 1400 controllers, Series B 1766-L32AWA
1766-L32AWAA
1766-L32BWA
1766-L32BWAA
1766-L32BXB
1766-L32BXBA		 Apply FRN 21.002 or later for MicroLogix 1400 Series B devices (Download).  Use the Enhanced Password Security feature. Apply FRN 21.002 or later for MicroLogix 1400 Series B devices (Download).  Use the Enhanced Password Security feature.
MicroLogix 1400 controllers, Series A 1766-L32AWA
1766-L32AWAA
1766-L32BWA
1766-L32BWAA
1766-L32BXB
1766-L32BXBA		 No direct mitigation. No direct mitigagion.
MicroLogix 1100 controllers. 1763-L16BWA
1763-L16AWA
1763-L16BBB
1763-L16DWD		 No direct mitigation. No direct mitigation.
RSLogix 500® software R324-RL0x Apply version V11 or later (Download), used in conjunction with applied FRN 21.002 or later for MicroLogix 1400 Series B devices.  Use the Enhanced Password Security feature.

Other configurations, no direct mitigation.		 No direct mitigation.

General Security Guidelines

  1. Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
  2. Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet.
  3. Locate control system networks and devices behind firewalls and isolate them from the business network.
  4. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  7. Use of the Microsoft® AppLocker application or another similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
  8. Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

Additional Links:

PN359 | PN359 | Firmware Upgrade Security Notice: Comment on DHS Communication (Control Systems Vulnerability in Multiple Sectors)
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
1756-L72, L73, L74, L75 , 1789 SoftLogi PC
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Firmware Upgrade Security Notice: Comment on DHS Communication (Control Systems Vulnerability in Multiple Sectors)

Description

Rockwell Automation recognizes the importance of information and control system security to our customers. We are committed to working with government agencies and standards development organizations to develop solutions targeted to help our customers improve their overall system security strategy.

As part of this effort, the Idaho National Laboratory (INL) Control Systems Security Program, under contract to the Department of Homeland Security (DHS), identified a potential security concern within the firmware upgrade process used in control systems deployed in Critical Infrastructure and Key Resources (CIKR). DHS has confirmed that the firmware upgrade process can be intentionally manipulated in a manner that has potential to render the device inoperable and cause a disruption to the process and/or system operation.

Rockwell Automation has been working in partnership with DHS to identify potential short-term and long-term mitigation strategies.

As a result, Rockwell Automation is implementing a policy to digitally sign most firmware images and require contemporary devices to validate this signature before applying a firmware upgrade. Over time, many contemporary Rockwell Automation products will include this signature validation mechanism to help ensure firmware integrity and authenticity.

The following Rockwell Automation products currently authenticate firmware using digital signatures:

  • ControlLogix 1756-L72, L73, L74, L75 Programmable Automation Controllers
  • Virtual firmware of the 1789 SoftLogix PC based controllers

For other devices, to help reduce the likelihood of the upgrade process being exploited and help reduce associated security risk, Rockwell Automation and DHS recommend the following short-term mitigation strategies (Note: multiple strategies can be employed simultaneously):

  1. Disable where possible the capability to perform remote firmware upgrades over a network to a controller by placing the controller key switch into RUN mode. This prevents the Allen-Bradley brand controllers from accepting firmware upgrades.
  2. Restrict physical and electronic access to automation networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
  3. Restrict firmware upgrades to the local ControlNetwork or direct (point-to-point) physical methods only by physically or electronically isolating target devices from any larger system while performing a firmware upgrade.
  4. Temporarily remove unnecessary network connections to the device before administering a firmware upgrade. Reactivate device-specific security measures and replace network connections only after a successful firmware upgrade.
  5. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
  6. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks.

Rockwell Automation is currently investigating additional long-term mitigation strategies that include, but are not limited to:

  1. Additional techniques to verify the authenticity of firmware updates to help reduce the likelihood of file tampering.
  2. Enhancements to the joint Rockwell Automation / Cisco Plantwide Reference Architecture that detail methods and recommendations which can further strengthen control system security.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

Reference http://www.ab.com/networks/architectures.html for comprehensive information about improving your control system to implement validated architectures designed to deliver layered-security and defense-in-depth.

KCS Status

Flagged - Formatting

PN391 | PN391 | ControlLogix 1756-ENBT/A Ethernet/IP Bridge - Potential Security Vulnerabilities
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
1756 ControlLogix I/O
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Description

Potential Security Vulnerabilities

Rockwell Automation has identified three potential security vulnerabilities related to the web interface of the 1756-ENBT/A EtherNet/IP Bridge Module (the "Product"). Specifically, the risks include the following:

  • The potential for cross-site scripting, which could allow the Product to be used in a social engineering attack.

  • An attacker could potentially craft a URL that looked as if it would take a user to the Product, but would instead execute script from a different location. A successful attack would require the attacker to transmit the crafted URL to a user with access to the web interface of the Product and to convince that user to open the URL.

  • The potential for web redirection, which could allow the Product to be used in a social engineering attack.

  • An attacker could potentially craft a URL that looked as if it would take a user to the Product, but would actually direct the browser to a different location. A successful attack would require the attacker to transmit the crafted URL to a user with access to the web interface of the Product and to convince that user to open the URL.

  • The potential for exposure of some of the Product’s internal web page information. While this does not directly present a functional vulnerability, it does expose some internal information about the module.

Risk Mitigation

None of these issues results in the Product’s web pages or other Product functions being compromised or otherwise affected.

These potential security vulnerabilities are corrected in:

  • 1756-ENBT Version 4.008

  • 1756-EWEB Version 4.009

The best way to mitigate the risk associated with these issues is to employ the following in the design of network architecture:

  • Layered security.

  • Defense-in-depth methods.

Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

Additionally, to help mitigate the risk associated with the cross-site scripting potential vulnerability, certain web browsers and/or browser add-ons can be used. Internet Explorer Version 8 (which is currently in beta release) has cross-site scripting protection built-in. Additionally, the NoScript add-on for the FireFox browser can help prevent cross-site scripting attacks.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security/.

REFERENCES

http://www.kb.cert.org/vuls/id/124059

http://www.kb.cert.org/vuls/id/619499

http://www.kb.cert.org/vuls/id/882619

Industry Advisory - CIP: Rockwell Automation ControlLogix 1756-ENBT/A WebServer Vulnerabilities

KCS Status

Released

Medium
PN402 | PN402 | ControlLogix 1756-ENBT/A EtherNet/IP Bridge - Potential Security Vulnerability
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
ControlLogix 1756-ENBT/A Ethernet/IP Bridge
CVSS Scores:
5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

ControlLogix 1756-ENBT/A EtherNet/IP Bridge - Potential Security Vulnerability

Description

Rockwell Automation has identified a potential security vulnerability in the firmware upgrade process employed by the ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module (the "Product"). Details of this potential vulnerability are as follows:

  • The potential for an unauthorized replacement of Rockwell Automation Product firmware with a corrupted firmware image that may render the Product inoperable and/or change its otherwise normal operation.

The results from an attacker’s successful exploitation of this vulnerability could include Denial of Service (DoS) to the Product and other components dependent on the Product. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the Product for other malicious activities.

To help reduce the likelihood of exploitation and to help reduce associated security risk, Rockwell Automation recommends the following short-term mitigation strategies (Note: multiple strategies can be employed simultaneously):

  1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to Industrial Network Architectures for comprehensive information about implementing validated architectures designed to deliver these measures.
  2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
  3. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (E.g. a firewall, UTM devices, or other security appliance).

In addition to these short-term mitigation strategies, Rockwell Automation continues our investigation and evaluation of other long-term mitigation strategies that include, but are not limited to:

  1. Product and system-level techniques and functional enhancements to verify the authenticity of firmware updates and help reduce the likelihood of file tampering.
  2. Enhancements to the joint Rockwell Automation / Cisco Plantwide Reference Architecture that detail methods and recommendations which can further strengthen control system security.

For your information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at https://www.rockwellautomation.com/global/capabilities/industrial-security/overview.page.

KCS Status

Released

Critical
PN560 | PN560 | Password Security Vulnerability in MicroLogix™ Controllers
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
MicroLogix Controllers
CVSS Scores:
10
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Password Security Vulnerability in MicroLogix™ Controllers

Description

Password Security Vulnerability in MicroLogix™ Controllers

Issue date December 18, 2009. Updated September 27, 2011.

Rockwell Automation has identified a security vulnerability in the programming and configuration client software authentication mechanism employed by the MicroLogix™ family of programmable controllers. This vulnerability is known to affect the MicroLogix family of controller platforms, including catalog numbers: 1761-Lxxxxx, 1762-Lxxxxx, 1763-Lxxxxx, 1764-Lxxxxx, 1766-Lxxxxx (the "Product").

Vulnerability Details:

The potential exists for a highly skilled, unauthorized person with specific tools, know-how and access to the Product or the control system communication link, to intercept and decipher the Product’s password and potentially make unauthorized changes to the Product’s operation.

--- Update begins here ---

Vulnerability Mitigation

The password mechanism used between RSLogix 500 software and MicroLogix controllers (1761-Lxxxxx, 1762-Lxxxxx, 1763-Lxxxxx, 1764-Lxxxxx, 1766-Lxxxxx) has been enhanced to mitigate risks relating to this specific vulnerability. Concerned customers are encouraged to upgrade RSLogix 500 software to version 8.4 or greater.

--- Update ends here ---

In addition to the recommended software upgrade, Rockwell Automation recommends customers take additional steps as outlined below to further reduce associated security risk from this vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system’s configuration too (Note: when possible, multiple strategies should be employed simultaneously):

  1. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
  1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
  1. Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
  1. Periodically and frequently change the Product’s password and obsolete previously used passwords to reduce exposure to threat from a Product password becoming known.

Rockwell Automation remains committed to making additional security enhancements to our products and systems in the future. For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

Critical
PN567 | PN567 | Client Software Authentication Security Vulnerability in PLC5® and SLC™ 5/0x Controllers
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
1747-L5x, 1785-Lx
CVSS Scores:
10
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Description

Issued February 2, 2010. Updated March 3, 2010 - Version 1.2

Updated March 19, 2013 (see below)

Rockwell Automation has identified a potential security vulnerability in the programming and configuration client software authentication mechanism employed by certain versions of the PLC5 and SLC family of programmable controllers. The particular vulnerability affects older versions the following catalog numbers: 1785-Lx and 1747-L5x (the "Product"). Newer Products, programmed with current versions of RSLogix 5 or RSLogix 500, can enable specific security features like FactoryTalk Security services to effectively enhance security and reduce risks associated with this vulnerability. When coupled with contemporary network design practices, remaining risks linked to this vulnerability can be further reduced.

Details of this potential vulnerability to the affected Product are as follows:

The potential exists for a highly skilled, unauthorized person, with specific tools and know-how, to intercept communications between a Product and an authorized software client to gain access to the Product and interrupt its intended operation.

Customers who are concerned about unauthorized access to their Products can take immediate steps as outlined below to reduce associated security risk from this potential vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system’s configuration too.

To help reduce the likelihood of exploitation and to help reduce associated security risk in the PLC5 and SLC family of controllers, Rockwell Automation recommends the following immediate mitigation strategies (Note: when possible, multiple strategies should be employed simultaneously):

1. When applicable, upgrade Product firmware to a version that includes enhanced security functionality compatible with Rockwell Automation’s FactoryTalk Security services. This functionality can be enabled via RSLogix 5 or RSLogix 500 software. Recommended firmware revisions are as follows:

a. The 1747-L5x firmware should be OS Series C FRN 10, or higher.

b. 1785-Lx processor firmware should be at or above the following (refer to included table):

Catalog Number

Series A

Series B

Series C

Series D

Series E

Series F

Enhanced

Revision

Revision

Revision

Revision

Revision

Revision

1785-L11B

R.2

U.2

L.2

K.2

1785-L20B

R.2

U.2

L.2

K.2

1785-L30B

S.2

U.2

L.2

K.2

1785-L40B

S.2

U.2

L.2

K.2

1785-L40L

S.2

U.2

L.2

K.2

1785-L60B

S.2

U.2

L.2

K.2

1785-L60L

S.2

U.2

L.2

K.2

1785-L80B

U.2

L.2

K.2

Protected

Revision

Revision

Revision

Revision

Revision

Revision

1785-L26B

R.2

U.2

L.2

K.2

1785-L46B

S.2

U.2

L.2

K.2

1785-L46L

S.2

U.2

1785-L86B

U.2

L.2

K.2

Ethernet

Revision

Revision

Revision

Revision

Revision

Revision

1785-L20E

U.2

L.2

K.2

A.2

1785-L40E

U.2

L.2

K.2

A.2

1785-L80E

U.2

L.2

K.2

A.2

ControlNet

Revision

Revision

Revision

Revision

Revision

Revision

1785-L20C15

U.2

L.2

K.2

E.2

1785-L40C15

U.2

L.2

K.2

E.2

1785-L46C15

K.2

E.2

1785-L60C15

L.2

1785-L80C15

L.2

K.2

E.2


2. Use the latest version of RSLogix 5 or RSLogix 500 configuration software and enable FactoryTalk Security services.

3. Disable where possible the capability to perform remote programming and configuration of the Product over a network to a controller by placing the controller’s key switch into RUN mode.

4. For PLC5 controllers, enable and configure "Passwords and Privileges" to restrict access to critical data and improve password security.

5. For SLC controllers, enable static protection via RSLogix 500 on all critical data table files to prevent any remote data changes to critical data.

<START UPDATE>

Added: 19 Mar 2013

Both RSLogix 500 and RSLogix Micro software version 8.40 were enhanced to introduce password encryption without any changes necessary to SLC and MicroLogix firmware. This implementation is compatible with all SLC and MicroLogix platforms.

In order to use this capability, a new "Encrypt Password" checkbox has been included in RSLogix 500/Micro version 8.40. This "Encrypt Password" checkbox is located on the Password tab of the Controller Properties page.

NOTE: Once an encrypted password is loaded into a controller, earlier versions of RSLogix 500 and RSLogix Micro will not be able to match the controller password.

For detailed information, refer to Publication 1766-RM001E-EN-P - May 2012, Program Password Protection

<END UPDATE>

6. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

7. Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

8. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

Rockwell Automation is committed to making additional security enhancements to our systems in the future.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

PN676 | PN676 | FactoryTalk RnaUtility.dll Vulnerability
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
FactoryTalk Services Platform
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

FactoryTalk RnaUtility.dll Vulnerability

Description

Publicly disclosed September 13, 2011 as RSLogix 5000 Denial of Service Vulnerability

Updated October 5, 2011

This advisory is a replacement and update to AID#: 456065

On September 13, 2011, Rockwell Automation was made aware of a potential vulnerability in RSLogix™ 5000 software that if successfully exploited, may result in a Denial of Service condition. Since the release of this information, we have been evaluating the specific vulnerability and associated risk.

We have confirmed the existence of this vulnerability in a particular software service employed by RSLogix 5000 and FactoryTalk®-branded Rockwell Automation software products.

Affected Products:

Product Description

Affected Versions

RSLogix 5000 software

Versions V17, V18 and V19

All FactoryTalk-branded software

CPR9 and CPR9-SR1 through SR4


Vulnerability Details and Impacts:

The particular vulnerability affects a software service in Rockwell Automation’s FactoryTalk Services Platform (FTSP). Although the installation of FTSP is optional, the specific service is also employed separately with a variety of Rockwell Automation software applications.

The Rockwell Automation Security Taskforce has determined that exploitation of this vulnerability can result in a potential Denial of Service (DoS) in RSLogix 5000 software. Specifically, it can result in RSLogix 5000 being unable to publish information to FactoryTalk Diagnostics and FactoryTalk AssetCentre. Additionally, exploitation can lead to a potential for a DoS and Denial of View (DoV) condition to other affected FactoryTalk-branded software. Such DoS and DoV conditions can prevent affected software from establishing communication or maintaining information exchange with servers and other control system devices.

There is no known possibility of malicious code injection and no known escalation of privilege on the target machine that results from successful exploitation of the vulnerability. Furthermore, there is no indication that exploitation will disrupt operation of a Rockwell Automation programmable controller or communications between RSLogix 5000 software and a Rockwell Automation programmable controller.

Vulnerability Mitigation:

A software patch for affected FactoryTalk Services Platform and RSLogix 5000 software has been released. Rockwell Automation recommends concerned customers apply this patch roll-up at their earliest convenience:

Recommended
Mitigation

Product Description

Current Version

Recommendations

FactoryTalk Services Platform (FTSP)

CPR9, CPR9-SR1, CPR9-SR2,
CPR9-SR3, CPR9-SR4

Apply patch roll-up:

AID#458689

http://rockwellautomation.custhelp.com/app/answers/detail/a_id/458689

RSLogix 5000

V17, V18, V19

NOTE: FactoryTalk Services Platform CPR7 and earlier and RSLogix 5000 V16 and earlier are not affected by this vulnerability.

Other Mitigation Techniques:

We recognize the concerns our customers have relating to this matter. We continue to recommend that concerned customers remain vigilant and follow good security practices and system design.

Rockwell Automation, in collaboration with NitroSecurity, has released a specific SNORT® signature suitable for many popular Intrusion Detection Systems (IDS). Use of this signature can help further reduce risk of successful remote exploitation of this vulnerability. This signature has been supplied to the QuickDraw SCADA IDS project, originally funded by US Department of Energy, for inclusion in the QuickDraw signature database. http://www.digitalbond.com/tools/quickdraw/

Rockwell Automation has evaluated Symantec Endpoint Protection (SEP) and validated a rule that blocks the known exploitation for SEP. We recommend that SEP definitions be kept up to date. For more information, refer to: http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=24527

In addition, the following security strategies are some techniques that will help reduce risk and enhance overall control system security:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.

3. Configure firewall ingress/egress rules to block the following TCP ports to prevent traversal of RNA messages into/out of the ICS system:

1330

1331

1332

4241

4242

4445

4446

5241

6543

9111

60093

49281

4. Evaluate firewall configurations to ensure other appropriate traffic is blocked.

5. Use antivirus/antimalware and endpoint security solutions and verify security definitions for are kept up to date.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

Critical
PN889 | PN889 | FT Historian SE OSIsoft PI Data Archive Vulnerabilities
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
FactoryTalk Historian SE
CVSS Scores:
10
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

FT Historian SE OSIsoft PI Data Archive Vulnerabilities

Description

October 1st, 2015 - Version 1.0

On August 13th 2015, the Rockwell Automation Security Taskforce became aware of an advisory published by ICS-CERT (ICSA-15-225-01), which stated that OSIsoft disclosed and resolved 56 security vulnerabilities in their PI Server 2015 release. In addition to PI Server 2015, OSIsoft has also released PI Server 2012 SP1, which includes a subset of the vulnerabilities fixed in the 2015 version. OSIsoft is strongly recommending that users upgrade to the PI Server 2015 release.

FactoryTalk Historian SE includes the OSI PI Server 2012 product, including the PI Data Archive component, in the standard product image. As part of this process, Rockwell Automation has investigated the reported vulnerabilities, and has concluded that FT Historian SE customers are likely vulnerable to these same set of vulnerabilities as the PI Server product. At the time of publication, no known public exploits exist at this time for these vulnerabilities.

Details relating to these vulnerabilities, the known affected platforms and recommended mitigations are contained herein.

AFFECTED PRODUCTS

  • FactoryTalk Historian SE (9518-HSEx), Versions 2.00.00, 2.10.00, 2.20.00, 3.01.00 and 4.00.00

Rockwell Automation is continuing to investigate these vulnerabilities and is actively determining future plans to address them, including incorporating the updated OSI PI Server into FactoryTalk Historian Server. This advisory will be updated when these plans are determined, as well as when updated software is available for customers to upgrade their systems. We recommend that customers apply the mitigations detailed below and subscribe to this article to receive the abovementioned notifications when updated.

VULNERABILITY DETAILS

According to both the ICS-CERT and OSIsoft disclosures, a portion of highest-severity vulnerabilities may allow a remote code injection by an attacker who sends a specially crafted sequence of packets to the PI Server contained in FT Historian SE.

To be successful, the attacker must have network connectivity to reach the server running FT Historian SE and be able to access port 5450 on that system. A successful exploit would allow an attacker to gain full privileges on the Windows system. With this level of access, an attacker could tamper with the system or product binaries, read and write arbitrary data, and/or tamper with user accounts on the system.

According to these disclosures, these vulnerabilities can also be used to create a Denial-of-Service (DoS) condition on the target server, rendering the FT Historian SE server unavailable to the automation system, and potentially cause either loss or corruption of the PI Server data.

RISK MITIGATIONS

  • Limit access to PI Server Port 5450, which reduces exposure to the highest-rated vulnerabilities.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  • Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.

ADDITIONAL LINKS

KCS Status

Released

Critical
PN893 | PN893 | MicroLogix 1100 and 1400 Controller Vulnerabilities
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
CVE IDs:
CVE-2015-6492, CVE-2015-6491, CVE-2015-6490, CVE-2015-6486, CVE-2015-6488
Products:
MicroLogix 1100 and 1400 controller
CVSS Scores:
7.5, 3.7, 9.8, 4.6, 4.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

MicroLogix 1100 and 1400 Controller Vulnerabilities

Description

Version 2.0 - December 8th 2015 (Original Release: October 27th 2015)

From June through October 2015, Rockwell Automation was notified of security vulnerabilities discovered in the Allen-Bradley MicroLogix 1100 and/or MicroLogix 1400 product families. One of these notifications was the security vulnerability (KB731427) previously disclosed during DEFCON 23 in August 2015.

As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has reproduced all of these vulnerabilities in both the MicroLogix 1100 and MicroLogix 1400 product families. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.

Details relating to these vulnerabilities, the known affected platforms and recommended countermeasures are contained herein.

AFFECTED PRODUCTS

  • 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, Version 15.003 and earlier.
  • 1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 14.000 and earlier.

VULNERABILITY DETAILS

Vulnerability #1: Remote Code Execution through Stack-based Buffer Overflow

A Remote Code Execution ("RCE") condition may result when an affected product receives a specific malicious web request. An attacker could exploit this vulnerability to inject and execute arbitrary code on the product. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and/or compromise the product’s integrity and confidentiality. The impact to the user’s automation system would be highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ.

This vulnerability applies to both the MicroLogix 1100 and MicroLogix 1400 platforms. However, at this time a fix is only available for the MicroLogix 1100 product family. A future product update for the MicroLogix 1400 will be available in the November 2015 timeframe, and will include this vulnerability fix. Rockwell Automation will update this advisory at the time of the release.

03-DEC-2015 UPDATE: Version 15.004 is now available for the MicroLogix 1400 product. See below for more details.

CVE-2015-6490 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Vulnerability #2: Product Denial of Service

A Denial of Service ("DoS") condition may result on the MicroLogix 1100/1400 when an affected product receives a specific malicious web request, which would require user action to power cycle the product and restore it to a working state. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability. The impact to the user’s automation system would be highly dependent on the mitigations that the user may already employ.

CVE-2015-6492 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability #3: Remote File Inclusion

A Remote File Inclusion condition may result on the MicroLogix 1100/1400 when an attacker crafts a malicious link, using the built-in feature to "redirect" outside web content into the product’s web page frame. This outside web content could contain malicious content that would target the unsuspecting user’s web browser when the content is rendered. The impact to the user’s automation system would be highly dependent on both the type of web exploits included in this attack and the mitigations that the user may already employ.

A successful attack would not compromise the integrity of the device or allow access to confidential information contained on it. On rare occasions the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.

This vulnerability was first disclosed in publication KB731427 and ICS-ALERT-15-225-02A in August 2015.

CVE-2015-6491 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Vulnerability #4: Stored Cross-site Scripting ("XSS")

Ilya Karpov of Positive Technologies identified a XSS vulnerability in both the MicroLogix 1100/1400. This vulnerability may allow an attacker to execute requests inject and store Javascript in the product’s web server, which would be executed on the user’s web browser when accessing the embedded web server function. The stored Javascript may be used to unknowingly execute web requests in the context of the user who is viewing the page. A factory reset is required to remove the stored Javascript.

CVE-2015-6488 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)

Vulnerability #5: Privilege Escalation through Structured Query Language ("SQL") Injection

Ilya Karpov of Positive Technologies has identified a Privilege Escalation vulnerability in the MicroLogix 1100/1400. Privilege Escalation may result when an attacker tricks an authorized user (through social engineering/phishing) to click on a specific and malicious link, which allows the attacker to create or escalate the privileges of an existing user to the administrative level. An authorized administrator is required to undo the changes made after the attack.

CVE-2015-6486 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L)

For additional information on CVSS v3 metrics, vectors, and scores, please see the First’s Common Vulnerability Scoring System Version 3.0.

RISK MITIGATIONS
Rockwell Automation recommends that asset owners evaluate the impact with each of these vulnerabilities within their environment, and apply the following suggested mitigations which are applicable.

  1. Update supported products based on this table:

    Product Family Catalog Numbers Hardware Series Vulnerabilities Fixed Suggested Actions
    MicroLogix 1100 1763-L16AWA
    1763-L16BBB
    1763-L16BWA
    1763-L16DWD    		 Series B 1, 2, 3, 4, and 5

    - Apply FRN 15.000 (Downloads)

    - Apply the additional mitigations described below
    MicroLogix 1100 1763-L16AWA
    1763-L16BBB
    1763-L16BWA
    1763-L16DWD
    		 Series A None - Apply the mitigations described below
    MicroLogix 1400 1766-L32AWA
    1766-L32AWAA
    1766-L32BWA
    1766-L32BWAA
    1766-L32BXB
    1766-L32BXBA
    		 Series B 1, 2, 3, 4, and 5.

    - Apply FRN 15.004(Downloads)

    - Apply the additional mitigations described below
    MicroLogix 1400 1766-L32AWA
    1766-L32AWAA
    1766-LK32BWA
    1766-L32BWAA
    1766-L32BXB
    1766-L32BXBA
    		 Series A None - Apply the mitigations described below

  2. Disable the web server on the MicroLogix 1100 and 1400, as it is enabled by default. See KB732398 for detailed instructions on disabling the web server for each controller platform.
  3. Set the keyswitch to RUN to prohibit re-enabling of the web server via RSLogix 500.
  4. Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  7. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  8. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  9. Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.

LINKS

KCS Status

Released

PN900 | PN900 | Rockwell Automation recommended mitigations for Zero day vulnerability (W32.Stuxnet) to Microsoft® Windows™
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
CVE IDs:
CVE-2010-2568
Products:
RSLinx Classic (Single Node
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Rockwell Automation recommended mitigations for Zero day vulnerability (W32.Stuxnet) to Microsoft® Windows™

Description

Rockwell Automation recommended mitigations for Zero day vulnerability (W32.Stuxnet) to Microsoft® Windows™

Released: 21 July 2010 Updated: 10 August 2010

Multiple credible sources disclosed that in the days and months prior to 14 July 2010 a series of cyber events occurred that took advantage of a previously unknown Windows™ vulnerability and delivered a specially crafted payload of malware that targeted industrial control systems, SCADA/critical infrastructure processes specifically. Technical details and a patch for the Windows vulnerability used during these events have been released by Microsoft in the recently updated Microsoft Security Advisory (2286198) v2.0 dated 2 August 2010. The specific malware, commonly known as W32.Stuxnet, has been analyzed by numerous antivirus vendors and is a known threat Windows®-based systems.

Rockwell Automation recommends that all industrial control system users, regardless of the make or brand of components employed within the system, take necessary steps to safeguard against potential future attacks of this type by implementing good cyber security measures as outlined below.

Background

A Windows™ operating system vulnerability known as the Shortcut Icon Loading Vulnerability (CVE-2010-2568) was confirmed as a means to allow malware commonly known as W32.Stuxnet to load and execute on PCs. The malware has also been confirmed to specifically target Siemens WinCC and PCS-7 SCADA software products. These products are typically used to control critical infrastructure processes that include power generation, power distribution, water/wastewater and other similar applications.

Rockwell Automation continues to closely monitor every aspect of this situation for new information and developments in order to provide our customers with timely and appropriate advice on this matter. Furthermore, we are continuing to work closely with appropriate authorities to review our proactive plans.

Given that industrial applications are known to heavily rely on mission-critical products built on the Windows operating system, Rockwell Automation is issuing guidance for all industrial control system customers. The following measures are intended as additions to a company’s own security policies and can help to reduce associated risk and enhance control system security.

Vulnerability Description

The Shortcut Icon Loading Vulnerability currently uses USB drives as a means of transport to infect a PC, and does not rely on user interaction or the optional AutoPlay feature employed by the Windows operating system for devices that connect to USB ports.

The Microsoft Security Bulletin MS10-046 v1.1, dated 2 August 2010 details the threat and risk as follows:

What causes the vulnerability?

When attempting to load the icon of a shortcut, the Windows Shell does not correctly validate specific parameters of the shortcut.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?

An attacker could present a removable drive to the user with a malicious shortcut file, and an associated malicious binary. When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker’s choice on the target system.

An attacker could also setup a malicious Web site or a remote network share and place the malicious components on this remote location. When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows attempts to load the icon of the shortcut file, invoking the malicious binary. In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control (such as but not limited to Microsoft Office documents).

IMMEDIATE RECOMMENDATIONS

Rockwell Automation has compiled the following immediate recommendations that include advice from Microsoft, Department of Homeland Security (DHS)/ICS-CERT plus added specific Rockwell Automation recommendations that can help mitigate the threat and simultaneously enhance the security of control systems:

MICROSOFT recommends immediate application of a Windows software patch as referenced in Microsoft Security Advisory (2286198) and further detailed in Microsoft Security Bulletin MS10-046 v1.1, dated 2 August 2010.

NOTE: Rockwell Automation’s Patch Qualification team has completed an initial and partial qualification of the Microsoft Patch 2286198. See Rockwell Automation’s Immediate Recommendations below for additional information.

DHS/ICS-CERT recommends concerned users immediately implement the following measures:

Mitigations

  • Establish strict policies for the use of USB thumb drives on all enterprise and control system networks.
  • Caution users of this attack vector and remind them that unknown USB’s should never be plugged into a business or personal computer.

Specific to this Shortcut Icon Loading Vulnerability and the specific W32.Stuxnet virus, malware samples were provided to the antivirus vendor community. Most major antivirus suppliers have already released updated virus definitions to contain and remove the malware.

  • ICS-CERT recommends consulting antivirus vendors and to consider scanning systems with current antivirus software.

NOTE: Rockwell Automation software is proactively tested for compatibility with Symantec’s Norton Antivirus software.

DHS/ICS-CERT reminds users to exercise caution when using USB drives. For more information on best practices and removable media, see the ICS-CERT Control Systems Analysis Report "USB Drives Commonly Used As An Attack Vector Against Critical Infrastructure."

www.us-cert.gov/control_systems/pdf/ICS-CERT%20CSAR-USB%20USAGE.pdf

Additional DHS/US-CERT Security Tips for use of caution with USB drives can be found here:

www.us-cert.gov/cas/tips/ST08-001.html

ROCKWELL AUTOMATION recommends concerned customers take the following additional precautions to enhance protection to industrial control systems:

Mitigations

  1. Apply the Microsoft Windows software patch as referenced in Microsoft Security Advisory (2286198) and further detailed in Microsoft Security Bulletin MS10-046.

    NOTE: The Rockwell Automation Patch Qualification Team Partially Qualified KB2286198 on 9 August 2010, with Full Qualification on 19 August 2010.

    Go to RAid:35530 for more specific information regarding the qualification of this patch.
  2. Restrict control system access to only those authorized to work with these systems.
  3. Make sure that all control system PCs are running end-point protection software (e.g. Antivirus, Anti-malware) and that all signatures are up to date.
  4. Make sure that all control system PCs follow a regimented, timely patch management process. Before applying any patch, Rockwell Automation’s recommends customers confirm that the patch has been qualified by the Rockwell Automation Patch Qualification service (www.rockwellautomation.com/security).
  5. Where practical, disable all unused USB ports on control system PCs.
  6. Consider alternatives to USB drives (e.g. network file transfer) for transferring data files to the control system
  7. Discontinue use of any USB drive or similar device if the validity, authenticity, and security of the hardware should come in question.
  8. Purchase USB drives from trusted sources.
  9. Only use USB drives manufactured by a trusted vendor
  10. Format USB drives on a non-mission critical computer that is running up to date end-point protection software (e.g. Antivirus, Anti-malware) prior to connecting the USB drive to any critical industrial control system equipment.
  11. Maintain physical security for USB drives, dongles and keys to ensure only authorized users have access and usage rights.
  12. Should a failure in physical security policy regarding USB drives be identified, perform step 9 (format USB drive on non-mission critical computer) prior to subsequent connecting to any control system equipment. Seek instructions from supplier of USB dongles and keys prior to any further use on control system equipment.

NOTE: Similar caution with optical media should be employed as with USB drives. Software delivered on CD+/-R, DVD+/-R etc. non-production optical media (e.g. user-generated, "burned" not "pressed" media) is presumed higher risk than production-grade media.

As more information becomes known, Rockwell Automation expects these recommendations will be refined to help further protect control systems from the resulting risk.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security through the use of layered security and defense in depth practices when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at www.rockwellautomation.com/security.

KCS Status

Released

PN907 | PN907 | SCADAPass Default Passwords
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
2711P PanelView Plus 6 Logic Modules, POINT I/O Communication Interfaces, 2711P PanelView Plus 6 400-1500
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

SCADAPass Default Passwords

Description

Version 1.0 – January 11th 2016

In January 2016, SCADA Strange Love, an independent group of information security researchers, included several Rockwell Automation products in a project they published called SCADAPass.

SCADAPass contains a list of default passwords in popular industrial control systems ("ICS") and supervisory control and data acquisition ("SCADA") products, including programmable logic controllers ("PLCs") and human-machine interfaces ("HMIs"). Default credentials may be used by an attacker to gain privileged access to remotely accessible assets if a user does not take explicit action to change the default user credentials.

As part of this process, Rockwell Automation evaluated the included products in SCADAPass, and determined that all of the products’ default passwords are changeable by the user. Directions on how to change these passwords are found in the respective product manuals, which can be found in the table below.

INCLUDED PRODUCTS

  • 1756-EN2TSC
  • 1756-EWEB
  • 1734-AENT
  • MicroLogix 1400
  • MicroLogix 1100
  • PanelView Plus 6

RISK MITIGATIONS

  1. Rockwell Automation strongly recommends that asset owners evaluate the passwords used in their production assets, and apply the following suggested mitigations which are applicable:

    Product

    Product Manual
    1756-EN2TSC http://literature.rockwellautomation.com/idc/groups/literature/documents/um/enet-um003_-en-p.pdf
    1756-EWEB http://literature.rockwellautomation.com/idc/groups/literature/documents/um/enet-um527_-en-p.pdf
    1734-AENT http://literature.rockwellautomation.com/idc/groups/literature/documents/um/1734-um011_-en-p.pdf
    MicroLogix 1100 http://literature.rockwellautomation.com/idc/groups/literature/documents/um/1763-um002_-en-p.pdf
    MicroLogix 1400 http://literature.rockwellautomation.com/idc/groups/literature/documents/um/1766-um002_-en-p.pdf
    PanelView Plus 6 http://www.manualsdir.com/manuals/580848/rockwell-automation-2711p-xxxx-panelview-plus-6-terminals-user-manual.html?page=54
  2. Establish and enforce password policies for maximum age of passwords, minimum password length, minimum password complexity, and password re-use.
  3. Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
  4. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  5. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  6. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  7. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  8. Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.

LINKS

KCS Status

Released

Critical
PN910 | PN910 | MicroLogix 1100 Web Server Buffer Overflow
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
CVE IDs:
CVE-2016-0868
Products:
MicroLogix 1100 Web Server Buffer Overflow
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

MicroLogix 1100 Web Server Buffer Overflow

Description

Version 1.0 – January 26th 2016

In December 2015, Rockwell Automation was notified by ICS-CERT of a Buffer Overflow security vulnerability discovered in the web server of the Allen-Bradley MicroLogix 1100 controller platform. At this time, there is no known publicly available exploit code relating to the vulnerability. Rockwell Automation has verified this discovery and released revised product firmware to address associated risk. ICS-CERT published an advisory (ICSA-16-026-02) to cover this vulnerability.

Refer to the following for additional details relating to the vulnerability, affected product and recommended countermeasures.

AFFECTED PRODUCTS

  • 1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 15.000 and earlier.

VULNERABILITY DETAILS

Remote Code Execution through Stack-based Buffer Overflow

A Remote Code Execution ("RCE") condition may result when an affected product receives a specific malicious web request. An attacker could exploit this vulnerability to inject and execute arbitrary code on the product. Receipt of such a request from an unintended or unauthorized source has the potential to cause loss of product availability and/or compromise the product’s integrity and confidentiality. The impact to the user’s automation system would be highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ.

CVE-2016-0868 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

RISK MITIGATIONS

Rockwell Automation recommends that asset owners evaluate the impact with each of these vulnerabilities within their environment, and apply the following suggested mitigations which are applicable.

  1. Update supported products based on this table:
    Product Family Catalog Numbers Hardware Series Suggested Actions
    MicroLogix 1100 1763-L16AWA
    1763-L16BBB
    1763-L16BWA
    1763-L16DWD    		 Series B

    - Apply FRN 15.002
    (Downloads)

    - Apply the additional
    mitigations described below
    1763-L16AWA
    1763-L16BBB
    1763-L16BWA
    1763-L16DWD    		 Series A - Apply the additional
    mitigations described below
  2. Disable the web server on the MicroLogix 1100, as it is enabled by default. See KB 732398 for detailed instructions on disabling the web server for each controller platform.
  3. Set the keyswitch to RUN to prohibit re-enabling of the web server via RSLogix 500.
  4. Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  7. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  8. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  9. Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.

LINKS

KCS Status

Released

Medium
PN915 | PN915 | Integrated Architecture Builder (IAB) Access Violation
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
CVE IDs:
CVE-2016-2277
Products:
Integrated Architecture Builder (IAB)
CVSS Scores:
6.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Integrated Architecture Builder (IAB) Access Violation

Description

Version 1.0 – February 24th 2016

A vulnerability has been discovered by Ivan Javier Sanchez of Nullcode Team in the Integrated Architecture Builder (IAB) tool. This tool is used by our customers to configure their Logix-based automation systems, select hardware, and generate bills of material for applications including controllers, I/O, networks, drives, cabling & wiring, motion control, and other devices.

The discovered vulnerability is not remotely exploitable and successful social engineering is required to convince a victim to use the tool to open an untrusted, specifically modified project file on a target computer. A successful attack may potentially allow malicious code to execute on the target computer at the same privilege level as the IAB tool. The impact to the user’s environment is highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ. At this time there is no known publicly available exploit code.

Rockwell Automation has verified the validity of Mr. Sanchez’s discoveries and a new software release has been issued for Integrated Architecture Builder which addresses the associated risk. Customers using affected versions of this software are encouraged to upgrade to this newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

  • Integrated Architecture Builder, Versions 9.6.0.7 and earlier
  • Integrated Architecture Builder, Versions 9.7.0.0 and 9.7.0.1

VULNERABILITY DETAILS

IAB has a capability to open an existing project file containing a control system hardware definition so that the user can create a validated bill of material. The discovered vulnerability is within the IAB.exe code that parses this project file content. In certain cases where a uniquely crafted or altered file is used, the IAB.exe parser code execution can allow the execution of unknown code on the affected computer. If successful, such unknown code will be running at the same privilege level as the user who is logged into the machine.

Exploitation of this vulnerability requires an attacker to convince a user to introduce or replace project files with specifically created or modified project files that have been constructed to use this condition to successfully execute malicious code.

Potential impacts from a successful attack could include a software crash (e.g. Denial of Service) thereby requiring a software restart. In more extreme cases, the victim may not even be aware of vulnerability exploitation while an attacker has established a position on the client asset. A successful attack that includes malicious code injection may potentially grant the attacker the same, or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.

CVE-2016-2277 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CUSTOMER RISK MITIGATIONS AND REMEDIATION

Customers using affected versions of the Integrated Architecture Builder are encouraged to upgrade to the newest available software versions that address associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.

  • Do not open untrusted project files with IAB.exe.
  • Upgrade Integrated Architecture Builder V9.6.0.7 and earlier to either V9.7.0.2+ or V9.6.0.8+ (available now) using Current Program Updater. Current Program Updater is a program that is installed on your computer when you install Integrated Architecture Builder. The User Guide to Current Program Updater is built into the application should you need additional information.Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

PN928 | PN928 | PowerFlex 7000 Writeable Parameters
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
PowerFlex 7000 Writeable Parameters
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

PowerFlex 7000 Writeable Parameters

Description

PowerFlex 7000 Writeable Parameters

Version 1.0 - June 6th, 2016

This advisory is intended to raise awareness to control system owners and operators of PowerFlex 7000 medium voltage drives. A January 2016 presentation at the S4 ICS Security Conference highlighted a potential weakness in Variable Frequency Drives that allows unauthorized users to change configuration parameters in these devices. The presentation highlighted products from four vendors including Rockwell Automation. This presentation spawned several news articles, including one entitled "An Easy Way for Hackers to Remotely Burn Industrial Motors" from WIRED Magazine. This article reminds us that cybersecurity threats are present and not always easy to anticipate. Unfortunately, neither the article’s author, Kim Zetter, nor her source, Reid Wightman, have contacted Rockwell Automation at the time of writing with any specific information -- so we can only try to guess how their statements apply to our drives.

This article implies that all the drives they reference can be easily accessed and provide an easy means to change parameters, that could result in motor damage. It overlooks many self-monitoring features that are built into modern drives to prevent changes to parameters while the drive is running, detecting improper operation and monitoring external sensors for equipment, such as motors that are exceeding design parameters.

Variable frequency drives, by their nature, are designed to support a wide variety of applications and it is possible that the improper setting of a parameter or parameters can create application issues. Rockwell Automation is aware of this and constantly looks for ways to eliminate these situations or, where the possibility is created by a customer need, alert the user to the problem with a fault or error message before it causes potential damage.

RISK MITIGATIONS

Below are recommended mitigations and resources to help protect your deployed Rockwell Automation products, including variable frequency drives. We strongly recommend that you evaluate your current products and environment, and apply the following mitigations where applicable.

  1. Review and employ the recommendations in the Converged Plantwide Ethernet Design and Installation Guide (DIG). It contains important information relating to proper network design practices, including aspects of security capabilities available through the network infrastructure.
  2. Consider using Rockwell Automation’s FactoryTalk AssetCentre. Version 6.0 offers compatibility with drives. AssetCentre can be configured to automatically backup your configuration, and compare it to a known good version, and log any changes into FactoryTalk Audit.
  3. Use trusted software, software patches, and anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
  4. Employ training and awareness programs to educate users of the warning signs of a phishing or social engineering attack.
  5. Minimize network exposure for all control system devices and/or systems, and ensure that Internet access is carefully evaluated, protected, and controlled.
  6. Locate control system networks and devices behind firewalls, and use proper techniques to isolate them from the business network.
  7. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  8. Subscribe to Rockwell Automation’s Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to the most up-to-date information about security matters that affect Rockwell Automation products.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

High
PN937 | PN937 | MicroLogix™ 1400 SNMP Credentials
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
CVE IDs:
CVE-2016-5645
Products:
MicroLogix 1400 SNMP Credentials
CVSS Scores:
7.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Description

Version 1.0 - AUG-11-2016

In June 2016, Patrick DeSantis of Cisco Talos, Cisco Systems, Inc.’s ("Cisco") security intelligence and research group, reported to Rockwell Automation that an undocumented and privileged Simple Network Management Protocol ("SNMP") community string exists in the MicroLogix™ 1400 Programmable Logic Controller ("PLC") product. Knowledge of the undocumented community string may allow an attacker to make unauthorized changes to the product’s configuration, including firmware updates.

Rockwell Automation has evaluated the report and confirmed the existence of the undocumented community string in the MicroLogix 1400. We have further investigated and discovered that one of the SNMP community strings is hardcoded and cannot be changed by the user. Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are also provided below.

AFFECTED PRODUCTS

  • 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, all versions.

VULNERABILITY DETAILS

SNMP is a standard protocol employed by many types of internet protocol ("IP") based products and allows centralized and remote device management capabilities. One of the many standard SNMP capabilities enables users to manage the product’s firmware, including the capability of applying firmware updates to the product. The MicroLogix 1400 utilizes this standard SNMP capability as its official mechanism for applying firmware updates to the product..

By default, the MicroLogix 1400 enables SNMP and has these community strings in the product:

  • "public": allows read-only access.
  • "private": allows read-write access; is hardcoded; and is used by ControlFlash for firmware updates.
  • "wheel": allows read-write access and was previously undocumented for this product

Due to the nature of this product’s firmware update process, this capability cannot be removed from the product. Instead, mitigations are offered to reduce risk of this capability being used by a malicious actor..

CVE-2016-5645 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS v3 vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

CUSTOMER RISK MITIGATIONS AND REMEDIATION

Customers using affected versions of the MicroLogix 1400 are strongly encouraged to evaluate and deploy the risk mitigation strategies listed below. When possible, multiple strategies should be employed simultaneously.

  • Utilize the product’s "RUN" key switch setting to prevent unauthorized and undesired firmware update operations and other disruptive configuration changes.
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. See 496391 - Blocking SNMP for more information on blocking access to SNMP services.
  • Disable the SNMP service on this product. The SNMP service is enabled by default. See Page 128 in the MicroLogix 1400 Programmable Controllers User Manual Publication 1766-UM001 for detailed instructions on enabling and disabling SNMP.
    • Note: It will be necessary to re-enable SNMP to update firmware on this product. After the upgrade is complete, disable the SNMP service once again.
    • Note: Changing the SNMP community strings is not an effective mitigation.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation Security Advisory Index at 54102 - Industrial Security Advisory Index and the company public security web page at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website at http://www.rockwellautomation.com/solutions/security.

ADDITIONAL LINKS

KCS Status

Released

High
PN978 | PN978 | PanelView Plus 6 700-1500 (7-15 displays) with Open Test Port
Published Date:
February 11, 2020
Last Updated:
February 11, 2020
Products:
2711P PanelView Plus 6 Logic Modules, 2711P PanelView Plus 6 400-1500
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

PanelView Plus 6 700-1500 (7"-15" displays) with Open Test Port

Description

Version 1.0 - MAY 19, 2017

A vulnerability has been identified in select PanelView™ Plus 6 700-1500 (7" - 15" displays) graphic terminal products. The identified versions ship with an open test port that, if successfully exploited via Telnet, can allow a remote attacker to connect to a host device and cause changes as if the device were in a testing environment.

PanelView Plus 6 700-1500 (7" - 15" displays) graphic terminal products allow customers to monitor, control, and display the status of their application graphically within their system. These products are used across several industries, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the relevant mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

Any graphic terminals that are using OS 2.31 or greater are not affected by this vulnerability. The OS version can be found in the release notes for firmware.

Only firmware versions listed below are affected by this vulnerability. For information on how to identify the installed firmware version on your terminal, please see the following link: https://www.youtube.com/watch?v=nLPnBpMXqEs&t=9s

PanelView Plus 6 700-1500 (7" - 15" displays) Graphic Terminals and Logic Modules with the following firmware versions installed:
6.00.04
6.00.05
6.00.42
6.00-20140306
6.10.20121012
6.10-20140122
7.00-20121012
7.00-20130108
7.00-20130325
7.00-20130619
7.00-20140128
7.00-20140310
7.00-20140429
7.00-20140621
7.00-20140729
7.00-20141022
8.00-20140730
8.00-20141023

VULNERABILITY DETAILS
A remote, unauthenticated user could connect to a PanelView Plus 6 700-1500 (7" - 15" display) device by establishing a Telnet session with the panel. If a connection is made, the malicious user can get access to the test interface of the PanelView Plus 6 700-1500 (7" - 15" display) graphic terminal, allowing the attacker to potentially make disruptive changes and/or extract information from the device.

Rockwell Automation has evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected terminals are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed toward risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Type of Device

Product Family

Suggested Actions

Graphic Terminals and Logic Modules

PanelView Plus 6 700-1500 (7"-15")

-V7.00: Apply V7.00-20150209
-V8.00: Apply V8.00-20160418
-V8.10: Apply V8.10-20151026 or later
-V8.20: Apply V8.20-20160308 or later
-V9.00: Apply V9.00-20170328 or later
(Downloads)

-Alternatively, disable TestMon on your device. For more information, visit KnowledgeBase Article 1046760

GENERAL SECURITY GUIDELINES

1. Block all traffic to EtherNet/IP™ devices or other CIP protocol-based devices from outside the manufacturing zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management (UTM) devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.

2. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.

3. Locate control system networks and devices behind firewalls, and isolate them from the rest of the business network.

4. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices where they are used.

5. When downloading updates, make sure the site or source of the update can be trusted.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: mailto:Secure@ra.rockwell.com.

ADDITIONAL LINKS

54102 - Industrial Security Advisory Index

Industrial Firewalls within a CPwE Architecture

Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

KCS Status

Released

Critical
PN1059 | PN1059 | Vulnerabilities Discovered in PowerMonitor 1000 Monitor
Published Date:
August 26, 2019
Last Updated:
August 26, 2019
CVE IDs:
CVE-2018-19615, CVE-2018-19616
Products:
1408 PowerMonitor 1000
CVSS Scores:
9.1, 7.4
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Vulnerabilities Discovered in PowerMonitor 1000 Monitor

Description

Version 1.2 – August 26, 2019
Version 1.1 – February 28, 2019
Version 1.0 – February 13, 2019

Rockwell Automation® Product Security Incident Response Team ("RA PSIRT") was made aware of two vulnerabilities logged in the National Vulnerability Database ("NVD") regarding the Allen-Bradley PowerMonitor™ 1000 monitors. The public disclosure includes details which can allow for potential reproduction and exploitation of these vulnerabilities.

PowerMonitor products are energy metering devices that integrate with existing energy monitoring systems to provide load profiling, cost allocation, and/or energy control information for customers’ systems.

UPDATE v1.2 - Rockwell Automation has released a remediation that addresses both vulnerabilities. Please see the Risk Mitigations and Recommended User Actions section for additional details.

Customers using this product are encouraged to evaluate their risk and apply the appropriate mitigations provided below to their deployed products. Additional security guidelines are provided in the Risk Mitigations and Recommended User Actions sections below.

AFFECTED PRODUCTS

  • PowerMonitor 1000 Monitors, All Versions prior to v4.019.

VULNERABILITY DETAILS

Vulnerability #1: Cross-Site Scripting

A vulnerability in the web application of the affected device could allow a remote, unauthenticated threat actor to inject arbitrary code into a targeted user’s web browser. The impact to the user is highly dependent on both the content of the exploit developed by the threat actor as well as the mitigations that the user may already employ in their system. The target of this type of attack is not the device itself; instead, it is used as a vehicle to deliver an attack to the web browser.

CVE-2018-19615 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.4/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H.

Vulnerability #2: Authentication Bypass

A vulnerability in the web application of the affected device could allow a remote, unauthenticated threat actor to use a proxy to enable certain functionality that is typically available to those with administrative rights for the web application. Upon successful exploitation, a threat actor could potentially disrupt user settings and device configuration.

CVE-2018-19616 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 9.1/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers are encouraged to assess their level of risk with respect to their specific applications and implement appropriate mitigations as needed. RA PSIRT is monitoring the situation and will provide specific remediation information when available.

Customers are directed to the general risk mitigation strategies provided below, and are encouraged when possible, to employ multiple strategies simultaneously.

Vulnerability Catalog Numbers Suggested Actions
#1: Cross Site Scripting 1408-BC3A-ENT
1408-EM3A-ENT
1408-TS3A-ENT
  • Apply FRN 4.019 or later (Download)
  • CheckPoint Software Technologies has released intrusion prevention system ("IPS") rules that detect attempts to exploit this vulnerability. For details about these IPS rules, please see CheckPoint Advisory CPAI-201-0001.
  • Users can disable the File Transfer Protocol ("FTP") port using the LCD Configuration Menu or in the Configuration Options >> Security Policy Configuration menu screen on the web page.
  • Users can disable access to the Web Page using the LCD screen Configuration Menu or in the Configuration Options >> Security Policy Configuration menu screen on the web page
  • See general mitigations below
#2: Authentication Bypass 1408-BC3A-ENT
1408-EM3A-ENT
1408-TS3A-ENT
  • Apply FRN 4.019 or later (Download)
  • Users can disable the File Transfer Protocol ("FTP") port using the LCD Configuration Menu or in the Configuration Options >> Security Policy Configuration menu screen on the web page.
  • Users can disable access to the Web Page using the LCD screen Configuration Menu or in the Configuration Options >> Security Policy Configuration menu screen on the web page.
  • See general mitigations below.

GENERAL SECURITY GUIDELINES

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure access for unauthorized sources are blocked.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • When remote access is required, use secure methods, such as virtual private networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
26-August-2019 1.2 Firmware Revision 4.019 released, addresses vulnerabilities
28-February-2019 1.1 Updated with ICS-CERT links, corrected typos, added security mitigations
13-February-2019 1.0 Initial Release
Attachments

KCS Status

Released

High
PN1081 | PN1081 | Ability to gain root-user level access to PanelView 5510 Graphic Terminals
Published Date:
August 02, 2019
Last Updated:
August 02, 2019
CVE IDs:
CVE-2019-10970
Products:
PanelView 5510
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Ability to gain root-user level access to PanelView 5510 Graphic Terminals

Description

Version 1.1 - August 2, 2019

Version 1.0 - July 9, 2019

Several customers contacted Remote Support about an issue with their PanelView™ 5510 graphic terminals that, upon further investigation, could expose a potential vulnerability in the terminal. If successfully exploited, this vulnerability may allow a threat actor to gain access to the file system on the terminal.

PanelView 5510 terminals are operator interface devices that monitor and control devices that are attached to certain Rockwell Automation® Programmable Automation Controllers via EtherNet/IP™. These products are used across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.

Customers using affected versions of this firmware in their product are encouraged to evaluate and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

PanelView 5510 Graphic Terminals

  • All Versions manufactured before 2019/03/13 which have never been updated to V4.003, V5.002, or later.

VULNERABILITY DETAILS

A race condition exists in the boot process of the PanelView 5510 Graphic Display which in rare occasions results in a state that allows root-level access to the device’s file system. If VNC is enabled on the device, then a remote authenticated threat actor could leverage the vulnerability to gain root- level access to the device.

CVE-2019-10970 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using PanelView 5510 with manufacturing dates prior to 2019/03/13 are encouraged to update to an available revision that addresses the associated risk. Customers who are unable to update should disable the VNC server on the device. In addition, if possible, customers should remove peripherals such as keyboards and limit arbitrarily power cycling of the product. Additionally, customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines.

Product Family Actions Notes
PanelView 5510 using v4 Apply v4.003 or later Download
PanelView 5510 using v5 Apply v5.002 or later Download


GENERAL SECURITY GUIDELINES

  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation products, see Knowledgebase Article ID 898270.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS


REVISION HISTORY

Date Version Details
09-July-2019 1.0 Initial Release
02-August-2019 1.1 Clarified Vulnerability Details and Risk Mitigation details
Attachments

KCS Status

Released

Critical
PN1072 | PN1072 | Notice Regarding BlueKeep: Windows Security Vulnerability (CVE-2019-0708)
Published Date:
May 20, 2019
Last Updated:
May 20, 2019
CVE IDs:
CVE-2019-0708
Products:
Third Party, Compliance / Audit Trail / Security, RSBizWare Machine Performance, PLC5/250, ControlPak General, RSWire, ProcessPak, Historian Classic, Security Server, Integration Manager, 6200-PLC3, RSLogix Frameworks, SOS, RSLogix 500, AI-5, dsShopLib, Arena, Foundation Server, Shop Operations, RSLibrary Builder, RSBizWare Coordinator, Reporting (form based), AI-Micro, RSView32 WebServer, AI-3, E-Plan, Database, FactoryTalk ViewPoint, RSData OCX, SPC, Admin Tools, RSView32 SPC, FactoryTalk VantagePoint, App Solutions Documentation, Business Objects, Migration, Master Disk Copy Protection, Studio 5000 View Designer, RSGuardian, RSBizWare Tracker, Raise Software, RSToolPak II, FactoryTalk View SE, Reporting, Interface Manager, DataDisc, MaterialTrack, RSLogix 5, Operator Certification, Live Transfer, ThinManager, ControlView, Advisor, Printing, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, LiveData, Agile, Installation, RSLogix Emulate 500, RSPower, Entek, Knowledge Documentation, RSLogix Emulate 5, PBase, Build Utility, FactoryTalk Services Platform, Shop Operation, Foundation Client, AI-5/250, AI-500, NCR/CAR/IQA, WINtelligent Recipe, RSView32, 6200-PLC5, FactoryTalk Activation, Purge, FactoryTalk Historian SE, RSEnterprise Controls, WINtelligent Logic 5, WSIntegrate, PID Logistics 500, SoftLogix5800, RSMACC, FactoryTalk VantagePoint EMI, RSPowerTools, RSView32 Messenger, FactoryTalk Linx Gateway, Supplier Manager, RSView32 Active Display, Maintenance Releases, 100/150 PCD, Connected Components Workbench, Logix Emulate, ComplianceTrack, RSBizWare Scheduler, RSTools, Portlets, PID Logistics 5, WINtelligent Quality, AI-2, GEMS, Documentation, PLC2A and T3, General Computer, ERP Integration Gateway, ETL, Historical Transfer, ECO, Activities, RSTestStand, RSWorkbench, RS PMX CTM, RSBizWare Line Performance, Production Management Client, RSLadder, Data, RMA, DataSite Workbench, Logix Designer, Thin Client, FactoryTalk Integrator, FactoryTalk Network Manager, AI Emulate 500, RSPower32, AI Emulate 5, Administration, Production Execution Client, 1757 ProcessLogix, WINtelligent View, Installation, JD Edwards, Dashboard, Integrated Architecture Builder (IAB), WINtelligent HMI, PMX, 6200-5/250, eProcedure, RSView - 16 Bit, RSChart, ActiveX Control, FactoryTalk Metrics, TrendX, Universe Manager, FactoryTalk AssetCentre, RSTrend, Knowledge Installation, Sampling Plans, General, RSSidewinderX, Configuration Tool, FactoryTalk Transaction Manager, Consumer Packaged Goods Suite, Studio 5000 Application Code Manager (ACM), API, AI-100/150, PCO Software (6723), Reports (Out-of-box), FactoryTalk Batch, PlantMetrics, FactoryTalk EnergyMetrix, FactoryTalk View ME, SoftLogix5, FactoryTalk Analytics for Machines, Process Designer, WINtelligent Trend, RSPocketLogix, Reports (Custom), Other, 6200-PLC2, Automotive Suite , RSMailman, Quality Assurance (6.x), ICAPA, RSLogix Architect / Studio 5000 Architect, Equipment Manager, GUI, FactoryTalk Analytics for Devices, CtrlContainer, Complaint Handling, RSToolPak I, Server Configuration, Pavilion, RSData VBX, Authentication
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Notice Regarding BlueKeep: Windows Security Vulnerability (CVE-2019-0708)

Description

Version 1.0 – May 20, 2019

On May 14, 2019, Microsoft disclosed the existence of, and released the relevant patches for, a critical security vulnerability in relation to the Remote Desktop (RDP) functionality in Windows desktop and server operating systems. According to Microsoft’s disclosures, this vulnerability impacts older versions of Windows products up to Windows 7 and Windows Server 2008. Microsoft has also stated that it has not observed any evidence of attacks against this vulnerability, but that its presence poses a very serious threat that could expose users of the Remote Desktop functionality, including Rockwell Automation customers, to the potential of a rapidly spreading malware attack.

At this time, Rockwell Automation has not identified any products susceptible to this vulnerability. If any products are identified that could be potentially impacted, we will notify our customers with a post to KnowledgeBase, as appropriate.

Customers using affected versions of Windows operating systems are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations. Additional details relating to the Windows vulnerability, including affected products and recommended countermeasures, are provided herein.

VULNERABILITY DETAILS AND AFFECTED PRODUCTS

Customers should reference the Microsoft publication for details and list of affected products: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708.

RECOMMENDED USER ACTIONS

Customers should understand their potential exposure to this vulnerability by completing a thorough asset inventory and vulnerability management program.

Customers using the affected operating systems are encouraged to evaluate and apply the Microsoft-provided patches at the earliest possible time. Rockwell Automation provides preliminary qualification for supported Microsoft operating systems. Customers can find the status of Rockwell Automation’s test results at any time by referencing its Microsoft Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/qualifications.htm.

Customers who are unable to update should consider the alternative mitigations provided by Microsoft. Always refer to the Microsoft advisory for the most recent recommendations.

  • Disable the RDP service.
    • Consider impact of blocking the RDP service on critical hosts and be prepared to execute this if the need arises.
  • Restrict RDP Traffic from untrusted networks (especially from external sources) if possible via a perimeter-based control such as firewall or IPS.
    • Ports TCP/3389.
    • Consider the impact of critical processes that require personnel to RDP into hosts before taking this action.
  • Establish and execute a proper backup and disaster recovery plan for their organization’s assets.

GENERAL SECURITY GUIDELINES

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that communications from unauthorized sources are blocked.
  • Use trusted software, software patches, antivirus/antimalware programs, and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to its Product Security Incident Response FAQ document.

Refer to the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to its systems in the future. For more information and for assistance with assessing the state of security of their existing control system, including improving their system-level security when using Rockwell Automation and other vendor controls products, customers can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
20-MAY-2019 1.0 Initial release
15-AUG-2019 1.1 Update to title
Attachments

KCS Status

Released - Edited

Critical
PN950 | PN950 | Logix5000 Programmable Automation Controller Denial of Service/Buffer Overflow Vulnerability
Published Date:
May 13, 2019
Last Updated:
May 13, 2019
CVE IDs:
CVE-2016-9343
Products:
SoftLogix5800, RSLogix Emulate 5000 / Studio 5000 Logix Emulate
CVSS Scores:
10.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Logix5000 Programmable Automation Controller Denial of Service/Buffer Overflow Vulnerability

Description

Version 1.5 - May 13, 2019

A vulnerability exists in the Logix5000™ Programmable Automation Controller product line that, if successfully exploited, can either cause a Denial of Service ("DoS") or potentially allow an attacker to alter the operating state of the controller through a buffer overflow. Logix5000 is a product line of Programmable Automation Controllers used to control processes across several sectors, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; as well as automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting evaluations to help achieve completeness in its risk assessment and mitigation processes.

As of this announcement and to the knowledge of Rockwell Automation, there is no publicly available exploit code relating to this vulnerability.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply those mitigations that they deem applicable to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

UPDATE: Aug 21, 2018
New remediated firmware versions for the PowerFlex 700S drives with Phase II control with the embedded DriveLogix 5730 controller option installed have been released. See below for details.

AFFECTED PRODUCTS

UPDATE: Feb 13, 2017
Further internal investigation discovered that the DriveLogix™ platform is also affected by this vulnerability. DriveLogix is an embedded, high-performance Logix engine as a part of a PowerFlex® 700S drive solution, specifically for the PowerFlex 700S Drives with Phase II Control. Affected versions of DriveLogix, as well as mitigations to deploy for affected customers, are provided as below.

The affected firmware versions are listed, followed by a list of the products that utilize the affected firmware.

Note: Firmware versions (for all products) prior to Firmware Revision Number ("FRN ") 16.00 are not affected by this vulnerability.

  • FRN 16.00
    • 13-FEB-2017 Update: PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed (V16.020 through V16.022)
    • ControlLogix® 5560 controllers (V16.020 thru V16.022)
    • ControlLogix L55 controllers (V16.020 thru V16.022)
    • ControlLogix 5560 Redundant controllers (All Versions)
    • GuardLogix® 5560 controllers (All Versions)
    • FlexLogix™ L34 controllers (All Versions)
    • 1769 CompactLogix™ L23x controllers (All Versions)
    • 1769 CompactLogix L3x controllers (V16.020 thru V16.023)
    • 1768 CompactLogix L4x controllers (V16.020 thru V16.025)
  • FRN 17.00
    • 13-FEB-2017 Update: PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed (v17.003 and v17.004)
    • SoftLogix™ 5800 controllers (All Versions)
    • ControlLogix 5560 controllers (All Versions)
    • GuardLogix 5560 controllers (All Versions)
    • 1769 CompactLogix L23x controllers (All Versions)
    • 1769 CompactLogix L3x controllers (All Versions)
    • 1768 CompactLogix L4x controllers (All Versions)
  • FRN 18.00
    • SoftLogix 5800 controllers (All Versions)
    • RSLogix™ Emulate 5000 (All Versions)
    • ControlLogix 5560 controllers (All Versions)
    • ControlLogix 5570 controllers (All Versions)
    • GuardLogix 5560 controllers (All Versions)
    • 1769 CompactLogix L23x controllers (All Versions)
    • 1769 CompactLogix L3x controllers (All Versions)
    • 1768 CompactLogix L4x controllers (All Versions)
    • 1768 Compact GuardLogix L4xS (All Versions)
  • FRN 19.00
    • SoftLogix 5800 controllers (All Versions)
    • RSLogix Emulate 5000 (All Versions)
    • ControlLogix 5560 controllers (All Versions)
    • ControlLogix 5570 controllers (All Versions)
    • ControlLogix 5560 Redundant controllers (All Versions)
    • GuardLogix 5560 controllers (All Versions)
    • 1769 CompactLogix L23x controllers (All Versions)
    • 1769 CompactLogix L3x controllers (All Versions)
    • 1768 CompactLogix L4x controllers (All Versions)
    • 1768 Compact GuardLogix® L4xS controllers (All Versions)
  • FRN 20.00
    • SoftLogix 5800 controllers (All Versions)
    • RSLogix Emulate 5000 (All Versions)
    • ControlLogix 5560 controllers (V20.010 thru V20.013)
    • ControlLogix 5570 controllers (V20.010 thru V20.013)
    • ControlLogix 5560 Redundant controllers (V20.050 thru V20.055)
    • ControlLogix 5570 Redundant controllers (V20.050 thru V20.055)
    • GuardLogix 5560 controllers (V20.010 thru V20.017)
    • GuardLogix 5570 controllers (V20.010 thru V20.017)
    • 1769 CompactLogix L23x controllers (V20.010 thru V20.013)
    • 1769 CompactLogix L3x controllers (V20.010 thru V20.013)
    • 1769 CompactLogix 5370 L1 controllers (V20.010 thru V20.013)
    • 1769 CompactLogix 5370 L2 controllers (V20.010 thru V20.013)
    • 1769 CompactLogix 5370 L3 controllers (V20.010 thru V20.013)
    • 1768 CompactLogix L4x controllers (V20.011 thru V20.016)
    • 1768 Compact GuardLogix L4xS controllers (V20.011 thru V20.013)
  • FRN 21.00
    • SoftLogix 5800 controllers (All Versions)
    • RSLogix Emulate 5000 (All Versions)
    • ControlLogix 5570 controllers (All Versions)
    • ControlLogix 5570 Redundant controllers (All Versions)
    • GuardLogix 5570 controllers (All Versions)
    • 1769 CompactLogix 5370 L1 controllers (All Versions)
    • 1769 CompactLogix 5370 L2 controllers (All Versions)
    • 1769 CompactLogix 5370 L3 controllers (All Versions)

The products above are affected in the corresponding versions of firmware. Check the Updates/Risk Mitigations section below to verify that all functional versions of firmware include the latest security updates for this vulnerability in the event one of the aforementioned products is being used with a version of firmware that is not listed herein.

VULNERABILITY DETAILS

This vulnerability may allow an attacker to intentionally send a specific malformed Common Industrial Protocol ("CIP") packet to the product and cause a Major Non-Recoverable Fault ("MNRF") resulting in a Denial of Service ("DoS") condition. This vulnerability also has the potential to exploit a buffer overflow condition, which may allow the attacker to alter the operating state of the controller. This vulnerability is remotely exploitable. The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system and other controls a user may have in place.

CVE-2016-9343 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/.

RISK MITIGATIONS

Customers using affected controllers are encouraged to upgrade to an available firmware version that addresses the associated risk.

Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below, are similarly recommended. Employ multiple strategies when possible.

  1. Update supported products based on this table:

Type of Controller

Product Family

Catalog Numbers

Remediated Versions

Embedded Controller Option with PowerFlex 700S

DriveLogix 5730

Catalog numbers beginning with 20D with a "K" or "L" in the 17th position

For more information about these catalog numbers, see page 10 of the PowerFlex 700S Drives with Phase II Control Technical Data document

V16.23

V17.05

Soft Controller

SoftLogix 5800

1789-Lx

V23: FRN 23.00 or later

Software (used by ControlLogix)

RSLogix Emulate 5000

9310-Wx

V23: FRN 23.00 or later

Standard Controllers

ControlLogix L55

1756-L55x

V16: FRN 16.023 or later

Standard Controllers

ControlLogix 5560

1756-L6

V16: FRN 16.023 or later

V20: FRN 20.014 or later

Standard Controllers

ControlLogix 5570

1756-L7

V20: FRN 20.014 or later

V23: FRN 23.012 or later

V24 or later

Standard Controllers (Redundant)

ControlLogix 5560

1756-L6

V20: FRN 20.056 or later

Standard Controllers (Redundant)

ControlLogix 5570

1756-L7

V20: FRN 20.056 or later

V24: FRN 24.052 or later

Small Controllers

CompactLogix L23x

CompactLogix L3x

1769-L23, 1769-L31, 1769-L32, 1769-L35

V20: FRN 20.014 or later

Small Controllers

CompactLogix 5370 L1 CompactLogix 5370 L2

CompactLogix 5370 L3

1769-L1, 1769-L2, 1769-L3

V20: FRN 20.014 or later

V23: FRN 23.012 or later

V24 or later

Small Controllers

CompactLogix L4x

1768-L4x

V16: FRN 16.026 (Series A, B, C)

FRN 16.027 or later (Series D)

V20: FRN 20.014 or later (Series A, B, C)

FRN 20.016 or later (Series D)

Safety Controllers

GuardLogix L4xS

1768-L4xS

V20: FRN 20.018 or later

Safety Controllers

GuardLogix 5560

1756-L6S

V20: FRN 20.018 or later

Safety Controllers

GuardLogix 5570

1756-L7S

V20: FRN 20.018 or later

V23: FRN 23.012 or later

V24 or later

Note: Customers using affected versions of FlexLogix, which is a discontinued product, are urged to contact their local distributor or Sales Office in order to upgrade to newer product lines that contain the relevant mitigations.

  1. Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances.
  2. When possible, keep the controller in RUN mode rather than Remote RUN or Remote Program mode in order to prevent other disruptive changes to your system.
  3. Minimize network exposure for all control system devices and/or systems, and help confirm that they are not accessible from the Internet.
  4. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  5. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at Knowledgebase Article ID 54102.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

REVISION HISTORY

Date

Version

Details

05-DEC-2016

1.0

Initial release.

16-DEC-2016

1.1

Added details to indicate this is a CIP based packet and added mitigations for CIP networks.

04-JAN-2017

1.2

Clarified CompactLogix L4x and GuardLogix L4xS V20 affected versions, and added remediated GuardLogix L4xS version.

13-FEB-2017

1.3

Added details for PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed.

21-AUG-2018

1.4

Added remediated versions of Firmware for PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed.

13-MAY-2019

1.5

Fixed broken links and added RA contact information.
Attachments

KCS Status

Released

High
PN1040 | PN1040 | CompactLogix 5370 Programmable Automation Controllers Denial of Service Vulnerabilities
Published Date:
April 30, 2019
Last Updated:
April 30, 2019
CVE IDs:
CVE-2019-10952, CVE-2019-10954
Products:
CompactLogix 5370
CVSS Scores:
8.6, 5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - April 30, 2019

Introduction

CompactLogix 5370 Programmable Automation Controllers Denial of Service Vulnerabilities

Executive Summary

CompactLogix 5370 Programmable Automation Controllers Denial of Service Vulnerabilities

Detailed Information

Rockwell Automation received two reports about potential vulnerabilities affecting versions of CompactLogix™ 5370 Programmable Automation Controllers. A successful exploitation of one of these potential vulnerabilities could result in a Denial of Service ("DoS") condition to the web portal of the affected device. A successful exploitation of the second vulnerability could potentially result in a DoS to the controller where it enters a major non-recoverable fault ("MNRF"). A MNRF is considered a safe state. Further details about MNRFs can be found in the vulnerability details section.

Customers using the affected products are strongly encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended security guidelines, are provided herein.

At the time of this writing, the Rockwell Automation® Product Security Incident Response Team ("PSIRT") is unaware of any active exploitation of these potential vulnerabilities.

Affected Products

  • CompactLogix 5370 L1 controllers, versions 20 to 30 and earlier
  • CompactLogix 5370 L2 controllers, versions 20 to 30 and earlier
  • CompactLogix 5370 L3 controllers, versions 20 to 30 and earlier
  • Compact GuardLogix® 5370 controllers, versions 20 to 30 and earlier
  • Armor™ Compact GuardLogix 5370 controllers, versions 20 to 30 and earlier

Vulnerability Details

About Major Non-Recoverable Faults ("MNRFs")
If a MNRF occurs in a CompactLogix controller, all I/O modules will transition to their configured fault state (for example Hold Last State). Memory will be marked as invalid and cleared. It is important to note that the memory clear is controlled and intentional, as the controller has determined internally that something is wrong and cannot guarantee continued safe controller execution. As a result, the controller goes into a Major Non-Recoverable Faulted state, which is considered safe. Recovery requires that you download the application program again.

Vulnerability #1: Email Object Stack Overflow Denial of Service
Rockwell Automation received a report describing a vulnerability where a remote, unauthenticated threat actor could send crafted SMTP configuration packets to port 44818 potentially causing a Denial of Service condition, where the controller enters a major non-recoverable faulted state ("MNRF").

CVE-2019-10954 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #2: Web Portal Denial of Service
Younes Dragoni of Nozomi Networks discovered a Denial of Service vulnerability in the web server of CompactLogix 5370 PLCs. By sending specific requests to the web server, a remote, unauthenticated threat actor could potentially force the web server to become unreachable, potentially preventing the user from gaining web access to view live controller data. A reset of the device is required to recover the web server. The control functions of the product are not affected by this vulnerability.

CVE-2019-10952 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 5.3/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

Risk Mitigation & User Action

  1. Rockwell Automation strongly recommends that customers use the latest available version of firmware to keep up to date with the latest features, anomaly fixes, and security improvements. Update to a version of firmware as listed below that mitigates the associated risk:
Product Family Actions Notes
CompactLogix 5370 Apply FRN 31.011 or later Download
Compact GuardLogix 5370 Apply FRN 31.011 or later Download
Armor Compact GuardLogix 5370 Apply FRN 31.011 or later; Download
  1. For EtherNet/IP™ based vulnerabilities, block all traffic to from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
    1. Stratix® switch users can use Device Manager or Studio 5000 Logix Designer® software to configure access control lists (ACL) to block/restrict ports. See section "Access Control Lists" in Stratix Managed Switches User Manual, publication 1783-UM007, for detailed instructions.
  2. Utilize proper network infrastructure controls, such as firewalls, to help ensure that SMTP packets from unauthorized sources are blocked.
  3. Consult the product documentation for specific features, such as a hardware key-switch setting, to which may be used to block unauthorized changes, etc.
  4. Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  5. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  6. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

Attachments

High
PN1068 | PN1068 | Open Redirect Vulnerability MicroLogix, CompactLogix 5370 Controllers
Published Date:
April 23, 2019
Last Updated:
April 23, 2019
CVE IDs:
CVE-2019-10955
Products:
Compact Logix 5370, MicroLogix
CVSS Scores:
7.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Open Redirect Vulnerability MicroLogix, CompactLogix 5370 Controllers

Description

Version 1.0 – April 23, 2019

Rockwell Automation received a report from ICS-CERT regarding an open redirect vulnerability in the web server of certain small Programmable Logic Controllers (PLCs) that, if successfully exploited, could allow a threat actor to inject arbitrary web content into the affected device’s web pages. Affected product families include CompactLogix 5370 controllers and MicroLogix controllers.

Customers using affected versions of this firmware are encouraged to evaluate their risk and apply the appropriate mitigations provided below to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

MicroLogix 1400 Controllers

  • Series B, v15.002 and earlier
  • Series A, All Versions

MicroLogix 1100 Controllers

  • v14.00 and earlier

CompactLogix 5370 L1 controllers

  • v30.014 and earlier

CompactLogix 5370 L2 controllers

  • v30.014 and earlier

CompactLogix 5370 L3 controllers (includes CompactLogix GuardLogix® controllers)

  • V30.014 and earlier

VULNERABILITY DETAILS

These devices contain a web server that accepts user inputs via web interface. A remote, unauthenticated threat actor could utilize this function in conjunction with a social engineering attack to redirect the user from the affected controller’s web server to a malicious website of the threat actor’s choosing. This malicious website could potentially run or download arbitrary malware on the user’s machine. The target of this type of attack is not the industrial control device and does not disrupt its control functionality.

CVE-2019-10955 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.1/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers are encouraged to assess their level of risk with respect to their specific applications and update to the latest available firmware revision that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below and are encouraged, when possible, to combine these strategies with the general security guidelines to employ multiple strategies simultaneously.

Product

Catalog Numbers

Suggested Actions

MicroLogix 1400 controllers, Series A

1766-L32AWA
1766-L32AWAA
1766-L32BWA
1766-L32BWAA
1766-L32BXB
1766-L32BXBA

MicroLogix 1400 controllers,

Series B

1766-L32AWA
1766-L32AWAA
1766-L32BWA
1766-L32BWAA
1766-L32BXB
1766-L32BXBA

MicroLogix 1100 controllers

1763-L16BWA
1763-L16AWA
1763-L16BBB
1763-L16DWD
  • Apply FRN 15.000 or later (Download)
  • Affected users may disable the web server altogether by unchecking the "HTTP Server Enable" checkbox in the Channel 1 configuration.

CompactLogix 5370 L1 controllers

1769-L16ER-BB1B

1769-L18ER-BB1B

1769-L18ERM-BB1B

1769-L19ER-BB1B

Apply v31.011 or later (Download)

CompactLogix 5370 L2 controllers

1769-L24ER-QB1B

1769-L24ER-QBFC1B

1769-L27ERM-QBFC1B

Apply v31.011 or later (Download)

CompactLogix 5370 L3 controllers (includes CompactLogix GuardLogix controllers)

1769-L30ER

1769-L30ER - NSE

1769-L30ERM

1769-L30ERMS

1769-L33ER

1769-L33ERM

1769-L33ERMS

1769-L36ERM

1769-L36ERMS

1769-L37ERMO

1769-L37ERMOS

Apply v31.011 or later (Download)

GENERAL SECURITY GUIDELINES

  1. Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
  2. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  3. Locate control system networks and devices behind firewalls and isolate them from the business network.
  4. When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

Attachments

KCS Status

Released - Edited

Medium
PN1044 | PN1044 | Stratix 5400/5410/5700 Device Reload Vulnerability
Published Date:
April 04, 2019
Last Updated:
April 04, 2019
CVE IDs:
CVE-2018-15377
Products:
Stratix 8300 L3 Modular Managed Switch, Stratix 8000 Modular Managed Switch, Stratix 5700 Managed Switch, Stratix 5400 Industrial Ethernet Switch, Stratix 5410 Ind Distribution Switch
CVSS Scores:
6.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Stratix 5400/5410/5700 Device Reload Vulnerability

Description

Version 1.0 - April 4, 2019

Cisco® released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. This publication includes seven security advisories. One of these vulnerabilities affects the four Allen-Bradley® Stratix® and ArmorStratix™ products, which are listed in the Affected Products section below.

AFFECTED PRODUCTS

  • Allen-Bradley Stratix 5400 Industrial Ethernet Switches - all versions PRIOR to 15.2(6)E2a
  • Allen-Bradley Stratix 5410 Industrial Distribution Switches - all versions PRIOR to 15.2(6)E2a
  • Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches - all versions PRIOR to 15.2(6)E2a
  • Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches for extreme environments - all versions PRIOR to 15.2(6)E2a

VULNERABILITY DETAILS

Software Plug and Play Agent Memory Leak Vulnerability
A vulnerability in the Cisco Network Plug and Play agent, also referred to as the Cisco Open Plug-n-Play agent, of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak on an affected device.

The vulnerability is due to insufficient input validation by the affected software. An attacker could exploit this vulnerability by sending invalid data to the Cisco Network Plug and Play agent on an affected device. A successful exploit could allow the attacker to cause a memory leak on the affected device, which could cause the device to reload.

The product security disclosure from Cisco for their IOS and IOS XE software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-pnp-memleak.

CVE-2018-15377 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Update the affected products per the table below:

Product Family Updates Available
Stratix 5400 Industrial Ethernet Switches Apply FRN 15.2(6)E2a or later (Download)
Stratix 5410 Industrial Distribution Switches Apply FRN 15.2(6)E2a or later (Download)
Stratix 5700 Industrial Managed Ethernet Switches Apply FRN 15.2(6)E2a or later (Download)
ArmorStratix 5700 Industrial Managed Ethernet Switches Apply FRN 15.2(6)E2a or later (Download)

GENERAL SECURITY GUIDELINES

  1. Utilize proper network infrastructure controls, such as firewalls, to help ensure that requests from unauthorized sources are blocked and the controls are isolated from the business network.
  2. Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
  3. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  4. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
04-April-2019 1.0 Initial release

KCS Status

Released

High
PN1045 | PN1045 | Stratix 5400/5410/5700/8000/8300 Denial of Service Vulnerabilities
Published Date:
April 04, 2019
Last Updated:
April 04, 2019
CVE IDs:
CVE-2018-0466, CVE-2018-0473, CVE-2018-15373, CVE-2018-0470, CVE-2018-0467
Products:
Stratix 8300 L3 Modular Managed Switch, Stratix 8000 Modular Managed Switch, Stratix 5700 Managed Switch, Stratix 5400 Industrial Ethernet Switch, Stratix 5410 Ind Distribution Switch
CVSS Scores:
7.5, 7.4, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Stratix 5400/5410/5700/8000/8300 Denial of Service Vulnerabilities

Description

Version 1.0 - April 4, 2019

Cisco® released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included seven security advisories that affect Allen-Bradley® products. Five of these vulnerabilities affect the six Allen-Bradley Stratix® and ArmorStratix™ products listed in the Affected Products section below.

AFFECTED PRODUCTS

  • Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches - all versions PRIOR to 15.2(4)EA7
  • Allen-Bradley Stratix 5400 Industrial Ethernet Switches - v15.2(6)E0a and earlier
  • Allen-Bradley Stratix 5410 Industrial Distribution Switches - v15.2(6)E0a and earlier
  • Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches - v15.2(6)E0a and earlier
  • Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches - v15.2(6)E0a and earlier
  • Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches for extreme environments - v15.2(6)E0a and earlier

VULNERABILITY DETAILS

Vulnerability #1: Open Shortest Path First (OSPF v3) Denial of Service
A vulnerability in the Open Shortest Path First version 3 (OSPFv3) implementation in Cisco IOS and IOS XE Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload.

The vulnerability is due to incorrect handling of specific OSPFv3 packets. An attacker could exploit this vulnerability by sending crafted OSPFv3 Link-State Advertisements (LSA) to an affected device. An exploit could allow the attacker to cause an affected device to reload, leading to a denial of service (DoS) condition.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ospfv3-dos.

CVE-2018-0466 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/.

Vulnerability #2: Hypertext Transfer Protocol (HTTP) Denial of Service
A vulnerability in the web framework of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a buffer overflow condition on an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to the affected software improperly parsing malformed HTTP packets that are destined to a device. An attacker could exploit this vulnerability by sending a malformed HTTP packet to an affected device for processing. A successful exploit could allow the attacker to cause a buffer overflow condition on the affected device, resulting in a DoS condition.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos.

CVE-2018-0470 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/.

Vulnerability #3: Precision Time Protocol (PTP) Denial of Service
A vulnerability in the Precision Time Protocol (PTP) subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition of the Precision Time Protocol.

The vulnerability is due to insufficient processing of PTP packets. An attacker could exploit this vulnerability by sending a custom PTP packet to, or through, an affected device. A successful exploit could allow the attacker to cause a DoS condition for the PTP subsystem, resulting in time synchronization issues across the network.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ptp.

CVE-2018-0473 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/.

Vulnerability #4: IPv6 Hop-by-Hop Options Denial of Service
A vulnerability in the IPv6 processing code of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload.

The vulnerability is due to incorrect handling of specific IPv6 hop-by-hop options. An attacker could exploit this vulnerability by sending a malicious IPv6 packet to or through the affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition on an affected device.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipv6hbh.

CVE-2018-0467 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/.

Vulnerability #5: Software Cisco Discovery Protocol Denial of Service
A vulnerability in the implementation of Cisco Discovery Protocol functionality in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to exhaust memory on an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper memory handling by the affected software when the software processes high rates of Cisco Discovery Protocol packets that are sent to a device. An attacker could exploit this vulnerability by sending a high rate of Cisco Discovery Protocol packets to an affected device. A successful exploit could allow the attacker to exhaust memory on the affected device, resulting in a DoS condition.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-dos.

CVE-2018-15373 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Update the affected products per the table below:

Product Family Affected Versions Updates Available
Stratix 5400 Industrial Ethernet Switches 15.2(6)E0a and earlier Apply FRN 15.2(6)E2a or later (Download)
Stratix 5410 Industrial Distribution Switches 15.2(6)E0a and earlier Apply FRN 15.2(6)E2a or later (Download)
Stratix 5700 Industrial Managed Ethernet Switches 15.2(6)E0a and earlier Apply FRN 15.2(6)E2a or later (Download)
Stratix 8300 Modular Managed Ethernet Switches 15.2(4a)EA5 and earlier Apply FRN 15.2(4)EA7 or later (Download)
Stratix 8000 Modular Managed Ethernet Switches 15.2(6)E0a and earlier Apply FRN 15.2(6)E2a or later (Download)
ArmorStratix 5700 Industrial Managed Ethernet Switches 15.2(6)E0a and earlier Apply FRN 15.2(6)E2a or later (Download)

GENERAL SECURITY GUIDELINES

  1. Utilize proper network infrastructure controls, such as firewalls, to help ensure that requests from unauthorized sources are blocked and the controls are isolated from the business network.
  2. Consult the product documentation for specific features, such as access control lists and deep pack inspection, to which may be used to block unauthorized changes, etc.
  3. Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used Rockwell Automation® products, see Knowledgebase Article ID 898270.
  4. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
04-April-2019 1.0 Initial release

KCS Status

Released

High
PN977 | PN977 | MicroLogix 1100 Controllers Malformed Packet Denial of Service
Published Date:
April 03, 2019
Last Updated:
April 03, 2019
CVE IDs:
CVE-2017-7924
Products:
MicroLogix 1100 Controllers
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

MicroLogix 1100 Controllers Malformed Packet Denial of Service

Description

Version 1.1 - April 3, 2019
Version 1.0 - May 18, 2017

A vulnerability exists in the MicroLogix™ 1100 controllers that, if successfully exploited, can cause a Denial of Service (DoS) condition. These controllers are used to control processes across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to this discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

  • Micrologix 1000 Controllers
    • 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, 1763-L16DWD

VULNERABILITY DETAILS

A remote, unauthenticated attacker could send a single, specially crafted Programmable Controller Communication Commands (PCCC) packet to the controller that could potentially cause the controller to enter a Denial of Service (DoS) condition. PCCC messages are supported on Serial as well as Ethernet communication ports. The vulnerability is due to improper handling of PCCC messages.

CVE-2017-7924 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected controllers are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed toward risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family Catalog Numbers Suggested Actions
Micrologix 1100 1763-L16BWA
1763-L16AWA
1763-L16BBB
1763-L16DWD
  • Apply FRN 16.0 or later (Downloads)
  • CheckPoint Software Technologies has released intrusion prevention system ("IPS") rules that detect attempts to exploit this vulnerability. For details about these IPS rules, please see Check Point Advisory CPAI-2019-0399

GENERAL SECURITY GUIDELINES

  1. Block all traffic to EtherNet/IP™ connected devices or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
  2. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  3. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices that host them.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
18-MAY-2017 1.0 Initial Release
03-APR-2019 1.1 Updated with IPS rule from Check Point, CVE link
Attachments

KCS Status

Released

High
PN1043 | PN1043 | PowerFlex 525 AC Drives with Embedded EtherNet/IP Port Communication Denial of Service
Published Date:
March 29, 2019
Last Updated:
February 04, 2025
CVE IDs:
CVE-2018-19282
Products:
PowerFlex 525 AC Drives
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

 

Introduction

PowerFlex 525 AC Drives with Embedded EtherNet/IP Port Communication Denial of Service

Description

Version 1.1 - March 29, 2019
Version 1.0 – March 28, 2019

Rockwell Automation received a report from security researcher Nicholas Merle of Applied Risk regarding a communication disruption/Denial of Service vulnerability in the embedded Ethernet port of PowerFlex® 525 AC drives.

A firmware upgrade to the PowerFlex 525 drive corrects this vulnerability. We encourage affected customers to evaluate the mitigations provided below and apply the appropriate mitigations based on their deployed products. Additional details relating to the discovered vulnerability, including affected product versions and mitigation actions, are provided herein.

AFFECTED PRODUCTS

PowerFlex 525 AC Drives with Embedded EtherNet/IP Port

  • Firmware revisions 5.001 and earlier

Note: The 25-COMM-E2P Dual-Port EtherNet/IP Adapter, sometimes used with the PowerFlex 525 AC Drive, is not affected by this vulnerability.

VULNERABILITY DETAILS

A remote, unauthenticated threat actor who gains access to the Ethernet network containing a PowerFlex 525 drive can repeatedly send specific CIP packets to an affected PowerFlex 525 drive. These repeated packets can result in resource exhaustion, denial of service, and/or memory corruption. The affected drive will also be in a state where new messages cannot be received by the drive over its embedded EtherNet/IP port, including over existing CIP explicit messaging connections. The resource exhaustion affects EtherNet/IP explicit messaging to the drive, including establishing new (or reestablishing lost) CIP I/O connections to the drive. However, existing CIP I/O connections to the drive will continue to operate normally. A manual reboot is required in order to restore the normal functioning of the device.

CVE-2018-19282 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected firmware revisions are encouraged to update to an available firmware revision that addresses the vulnerability. Customers who are unable to update their firmware are encouraged to employ one or more of the general security guidelines in the next section of this document.

Product Family Catalog Numbers Suggested Actions
PowerFlex 525 AC Drives with an Embedded EtherNet/IP Port.

Catalog numbers beginning with "25B-".

For more information about catalog numbers, see page 13 of the PowerFlex 520-Series Adjustable Frequency AC Drive User Manual.

 Update to firmware revision 5.002 or later (Download).

GENERAL SECURITY GUIDELINES

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that CIP™ messages from unauthorized sources are blocked.
  • Block all traffic to EtherNet/IP™ or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
  • If applicable, consult the product documentation for specific features, such as a hardware key-switch setting, which may be used to block unauthorized changes, etc.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet or the business network.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the vulnerability handling process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing Rockwell Automation and Cisco validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

 

REVISION HISTORY

Date Version Details
28-March-2019 1.0 Initial release
29-March-2019 1.1 Added additional publication links
Attachments

KCS Status

Released

 

Critical
PN1061 | PN1061 | RSLinx Classic Denial of Service/Remote Code Execution Vulnerability
Published Date:
March 04, 2019
Last Updated:
March 04, 2019
CVE IDs:
CVE-2019-6553
Products:
RSLinx Classic (Single Node
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

RSLinx Classic Denial of Service/Remote Code Execution Vulnerability

Description

Version 1.0 - March 04, 2019

Rockwell Automation received a report from Tenable regarding a potential vulnerability in versions of RSLinx® Classic software, which if successfully exploited, can cause memory corruption issues. A successful exploitation may result in a crash of the software application (Denial of Service) or potentially allow the threat actor to execute arbitrary code on the target machine.

RSLinx® Classic is a software solution that Allen-Bradley® Programmable Logic Controllers (PLCs) use to connect to a wide variety of software applications, ranging from programming, data acquisition, configuration applications as well as those that interact with a Human-Machine Interface (HMI).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

RSLinx Classic, v4.10.00 and earlier

VULNERABILITY DETAILS

An input validation issue exists in a .dll file of RSLinx Classic where the data in a Forward Open service request is passed to a fixed size buffer. This buffer overflow may terminate the RSLinx.exe application causing a Denial of Service, and/or potentially allow the threat actor to remotely execute arbitrary code on the victim’s machine.

CVE-2019-6553 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 10/10 has been assigned. This high CVSS score reflects the potential impact of a successful remote code execution scenario, where a threat actor is able to gain full control of the victim’s machine.

For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected software versions are encouraged to assess their level of risk and, if necessitated, update their software to an available revision that addresses the associated risk. Customers who are unable to implement a software patch are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

  1. Update products according to this table:
Product Family Catalog Numbers Suggested Actions
RSLinx Classic 9355-WABx Currently, software patches have been released to address the following versions of RSLinx Classic:
V3.60
V3.70
V3.80
V3.81
V3.90
V4.00.01
V4.10

These patches can be found at Knowledgebase Article ID: 1084828
  1. Customers may disable port 44818 in RSLinx Classic if it is not utilized during system operation. To disable port 44818, go to Options in RSLinx Classic. Then in the General tab of the Options pop-up, uncheck the option "Accept UDP Messages on Ethernet Port".
    1. Port 44818 is needed only when a user wants to utilize unsolicited messages. To check if you are using unsolicited messages, go to the "DDE/OPC" dropdown in RSLinx Classic. Select Topic Configuration and then go to the "Data Collection" tab in the Topic Configuration pop-up. The "Unsolicited Messages" checkbox is marked, then port 44818 is being used in your application.
    2. Note: In RSLinx Classic 4.10 or later, "Accept UDP Messages on Ethernet Port" checkbox is unchecked by default.

GENERAL SECURITY GUIDELINES

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP™ traffic from unauthorized sources are blocked.
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
04-March-2019 1.0 Initial Release
Attachments

KCS Status

Released

Medium
PN1058 | PN1058 | EtherNet/IP Web Server Module SNMP Service Denial of Service
Published Date:
February 06, 2019
Last Updated:
February 06, 2019
CVE IDs:
CVE-2018-19016
Products:
Ethernet/IP Connected Products, 1756 ControlLogix I/O
CVSS Scores:
5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

EtherNet/IP Web Server Module SNMP Service Denial of Service

Description

Version 1.1 - Feb 06, 2019
Version 1.0 - Feb 04, 2019

Rockwell Automation received a report from researchers at Tenable regarding a potential vulnerability which affects EtherNet/IP™ Web Server modules that, if successfully exploited, can allow a threat actor to deny communication with the Simple Network Management Protocol (SNMP) service until the device can be restarted.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply them appropriately to deployed products.

AFFECTED PRODUCTS

EtherNet/IP Web Server Modules

  • 1756-EWEB (includes 1756-EWEBK), v5.001 and earlier

CompactLogix™ Controller EtherNet/IP Web Server Module

  • 1768-EWEB, v2.005 and earlier

VULNERABILITY DETAILS

An unauthenticated, remote threat actor could potentially send a crafted UDP packet to the affected product’s SNMP service. Improper handling of this crafted packet could result in a denial of service for SNMP; port 161 stops receiving messages until the device is power-cycled. The web UI may show that the service is running even if it is not available. The control functionality of the device is unaffected.

CVE-2018-19016 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 5.3/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers are encouraged to assess their level of risk with respect to their specific applications and implement appropriate mitigations as needed and, if necessary, contact their local distributor or Sales Office.

Product Family Catalog Numbers Suggested Actions
EtherNet/IP Web Server Module 1756-EWEB
Series A, All Versions
Series B, All Versions		 See NOTE: below for additional recommended actions
CompactLogix EtherNet/IP Web Server Module 1768-EWEB, All Versions See NOTE: below for additional recommended actions

NOTE: Customers are urged to evaluate their level of risk and, if necessary, contact their local distributor or Sales Office.

GENERAL SECURITY GUIDELINES

  1. Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP messages from unauthorized sources are blocked.
  2. Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the manufacturing zone by blocking or restricting access to UDP port 161 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
  3. Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
  4. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
  5. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  6. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
06-Feb-2019 1.1 ICS-CERT and Tenable Advisory links added
04-Feb-2019 1.0 Initial Release
Attachments

KCS Status

Released

High
PN1033 | PN1033 | FactoryTalk Services Platform Denial of Service
Published Date:
November 27, 2018
Last Updated:
November 27, 2018
CVE IDs:
CVE-2018-18981
Products:
FactoryTalk Services Platform, Logix Designer, RSNetWorx, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, FactoryTalk VantagePoint, FactoryTalk Linx Gateway, FactoryTalk Metrics, FactoryTalk View SE, FactoryTalk Historian SE, RSLinx Classic (Single Node, FactoryTalk Linx / RSLinx Enterprise, Studio 5000 View Designer, FactoryTalk AssetCentre, FactoryTalk ViewPoint
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

FactoryTalk Services Platform Denial of Service

Description

Version 1.0 - November 27, 2018

Rockwell Automation received a report detailing vulnerabilities in software components that are shared by products that utilize the FactoryTalk® Services Platform. These vulnerabilities, if successfully exploited, may result in diminished communication or complete communication loss (denial of service) to the products that utilize the targeted services. FactoryTalk Services Platform consists of a suite of services, which create a services-oriented architecture (SOA). The SOA enables real-time data sharing across a range of software applications used across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below, and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

FactoryTalk Services Platform, v2.90 and earlier.

Note: This vulnerability is addressed in FactoryTalk Services Platform v3.00. Additional software patches and details are provided in the Risk Mitigations and Recommended User Actions section below.

Nearly all FactoryTalk software ships with FactoryTalk Services Platform. If you have a product from the following list, you may also be affected. If you are unsure of which FactoryTalk Services Platform version is installed on your machine, see Knowledgebase Article ID 25612 for additional details.

  • FactoryTalk AssetCentre
  • FactoryTalk Activation Manager
  • FactoryTalk Alarms & Events
  • FactoryTalk Batch
  • FactoryTalk eProcedure®
  • FactoryTalk Gateway
  • FactoryTalk Historian Site Edition (SE)
  • FactoryTalk Linx (formerly: RSLinx Enterprise)
  • FactoryTalk Metrics
  • FactoryTalk Transaction Manager
  • FactoryTalk VantagePoint®
  • FactoryTalk View Machine Edition (ME) (Studio Only - no impact to PanelView Plus products)
  • FactoryTalk View Site Edition (SE)
  • FactoryTalk ViewPoint SE
  • RSLinx® Classic
  • RSLogix 5000® (v20 Only) / Studio 5000 Logix Designer®
  • RSNetWorx™
  • Studio 5000 Architect®

VULNERABILITY DETAILS

A remote, unauthenticated threat actor could send numerous crafted packets the following service ports: 1332, 5241, 6543, and 4241, resulting in a growth in memory consumption that could lead to a partial or complete denial of service condition to products utilizing the targeted services until the process is restarted.

CVE-2018-18981 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the common vulnerability scoring system ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using affected versions of FactoryTalk Services Platform are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Currently Installed Suggested Actions
FactoryTalk® Services Platform, v2.90 and earlier Update FactoryTalk Services Platform to v3.00 and later (Download)

For customers who are unable to update to V3.00, software patches have been released for the following versions:
V2.74
V2.80
V2.81
V2.90
These patches can be found at Knowledgebase Article ID 1082055.

GENERAL SECURITY GUIDELINES

  1. Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  2. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  3. Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.
  4. Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989
  5. Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
  6. Use trusted software, software patches, and anti-virus/anti-malware programs.
  7. Minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  8. Locate control system networks and devices behind firewalls, and isolate them from the enterprise network.
  9. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices they are installed in.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
27-Nov-2018 1.0 Initial Release
Attachments

KCS Status

Released

High
PN1042 | PN1042 | MicroLogix 1400 Controllers, 1756 ControlLogix EtherNet/IP Communication Modules Denial of Service
Published Date:
November 06, 2018
Last Updated:
November 06, 2018
Products:
1756 ControlLogix I/O
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

MicroLogix 1400 Controllers, 1756 ControlLogix EtherNet/IP Communication Modules Denial of Service

Description

Version 1.0 - November 6, 2018

Rockwell Automation received a report from ICS-CERT regarding a vulnerability that exists in certain products that, if successfully exploited, can allow a threat actor to disrupt Ethernet communication by allowing Internet Protocol (IP) configuration changes to the affected device in the system. The affected products include MicroLogix™ 1400 controllers, and 1756 ControlLogix® Ethernet/IP Communications Modules.

These products currently adhere to the ODVA EtherNet/IP standard. We have addressed the risks exposed by this specific issue, and have taken additional action with ODVA to produce a standard that improves the security protocol utilized by industrial automation devices including those developed by Rockwell Automation.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details, including affected product versions and mitigation actions, are provided herein.

AFFECTED PRODUCTS

MicroLogix 1400 Controllers

  • Series A, All Versions
  • Series B, v21.003 and earlier
  • Series C, v21.003 and earlier

1756 ControlLogix EtherNet/IP Communications Modules

  • 1756-ENBT, All Versions
  • 1756-EWEB
    • Series A, All Versions
    • Series B, All Versions
  • 1756-EN2F
    • Series A, All Versions
    • Series B, All Versions
    • Series C, v10.10 and earlier
  • 1756-EN2T
    • Series A, All Versions
    • Series B, All Versions
    • Series C, All Versions
    • Series D, v10.10 and earlier
  • 1756-EN2TR
    • Series A, All Versions
    • Series B, All Versions
    • Series C, v10.10 and earlier
  • 1756-EN3TR
    • Series A, All Versions
    • Series B, v10.10 and earlier

VULNERABILITY DETAILS

An unauthenticated, remote threat actor could potentially send a CIP connection request to an affected device and, upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system. Reason being, the system traffic is still attempting to communicate with the device via the IP address that was overwritten.

Rockwell Automation evaluated the vulnerability using the common vulnerability scoring system ("CVSS") v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update their firmware are directed towards additional risk mitigation strategies provided below, and are encouraged when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family Catalog Numbers Suggested Actions
MicroLogix™ 1400 Controllers 1766-Lxxx, Series A No direct mitigation provided.
See NOTE: below for recommended actions.
MicroLogix™ 1400 Controllers 1766-Lxxx, Series B or C 1. Apply FRN 21.004 and later (Download)
2. Once the new FRN is applied, use the LCD Display to put the controller in RUN mode to prevent configuration changes. See the MicroLogix 1400 Programmable Controllers User Manual for details.
1756 EtherNet/IP Web Server Module 1756-EWEB, All Series No direct mitigation provided.
See NOTE: below for recommended actions.
1756 ControlLogix® EtherNet/IP Communications Modules 1756-ENBT, All Versions

1756-EN2F
Series A, All versions
Series B, All versions

1756-EN2T
Series A, All Versions
Series B, All Versions
Series C, All Versions

1756-EN2TR
Series A, All Versions
Series B, All Versions

1756-EN3TR
Series A		 No direct mitigation provided.
See NOTE: below for recommended actions.
1756 ControlLogix® EtherNet/IP Communications Modules 1756-EN2F, Series C
1756-EN2T, Series D
1756-EN2TR, Series C
1756-EN3TR, Series B		 1. Apply FRN 11.001 and later (Download)
2. Once the new FRN is applied, enable Explicit Protected Mode. See the EtherNet/IP Network Configuration User Manual for details.

NOTE: Customers that are sent here from the Suggested Action column above are urged to assess their risk and, if necessary, contact their local distributor or Sales Office in order to upgrade to a newer product line that contains the relevant mitigations.

GENERAL SECURITY GUIDELINES

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP messages from unauthorized sources are blocked.
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the operational zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security).

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
06-Nov-2018 1.0 Initial Release.
Attachments

KCS Status

Released

Medium
PN885 | PN885 | CompactLogix™ and 1756 ControlLogix® Communication Modules Reflective Cross-Site Scripting (XSS) Vulnerability
Published Date:
November 01, 2018
Last Updated:
November 01, 2018
CVE IDs:
CVE-2016-2279
Products:
1756 ControlLogix I/O
CVSS Scores:
6.1
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

CompactLogix™ and 1756 ControlLogix® Communication Modules Reflective Cross-Site Scripting (XSS) Vulnerability

Description

Version 1.2 - November 1, 2018

On August 11, 2015, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley® CompactLogix™ controller platform. The researcher previously disclosed this information at the DEFCON 23 conference on August 8, 2015. The researcher publicly disclosed details relating to this vulnerability, including the existence of exploit code. However, at the time of publication, no known exploit code relating to this vulnerability has been released to the public.

As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the CompactLogix™ platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has also reproduced the vulnerability. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.

Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.

2016-03-01 UPDATE v1.1: Rockwell Automation has identified additional products containing this vulnerability, and these products are listed below. See the Risk Mitigations section below for information on available product firmware updates.

2018-11-01 UPDATE v1.2: Rockwell Automation received a report from an external researcher identifying additional product families that contain this vulnerability. These products are listed below. Please see the Risk Mitigations section for information on available firmware updates that address these vulnerabilities.

AFFECTED PRODUCTS/TECHNOLOGIES

2016-03-01 UPDATE: Additional Products:

  • 1769-L23E-QB1B, Version 20.018 and earlier (Will be discontinued in June 2016)
  • 1769-L23E-QBFC1B, Version 20.018 and earlier (Will be discontinued in June 2016)

2018-11-01 UPDATE: Additional Products:

  • 1756-EN2F
    • Series A, All Versions
    • Series B, All Versions
  • 1756-EN2T
    • Series A, All Versions
    • Series B, All Versions
    • Series C, All Versions
    • Series D, Version 10.007 and earlier
  • 1756-EN2TR
    • Series A, All Versions
    • Series B, All Versions
  • 1756-EN3TR
    • Series A, All Versions
  • 1769-L16ER-BB1B, Version 27.011 and earlier
  • 1769-L18ER-BB1B, Version 27.011 and earlier
  • 1769-L18ERM-BB1B, Version 27.011 and earlier
  • 1769-L24ER-QB1B, Version 27.011 and earlier
  • 1769-L24ER-QBFC1B, Version 27.011 and earlier
  • 1769-L27ERM-QBFC1B, Version 27.011 and earlier
  • 1769-L30ER, Version 27.011 and earlier
  • 1769-L30ERM, Version 27.011 and earlier
  • 1769-L30ER-NSE, Version 27.011 and earlier
  • 1769-L33ER, Version 27.011 and earlier
  • 1769-L33ERM, Version 27.011 and earlier
  • 1769-L36ERM, Version 27.011 and earlier

VULNERABILITY DETAILS

The vulnerability in the web application of the affected device allows an attacker to inject arbitrary JavaScript into an unsuspecting user’s web browser by a process known as Reflective Cross Site Scripting. The impact to the user’s automation system would be highly dependent on both the type of JavaScript exploit included in this attack and the mitigations that the user may already employ. The target of this type of attack is not the Programmable Automation Controller or Communications module itself. Instead, they are vehicles to deliver an attack to the web browser.

A successful attack would not compromise the integrity of the device nor allow access to confidential information contained on it. On rare occasions, the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.

CVE-2016-2279 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

RISK MITIGATIONS

  1. The following table summarizes available mitigations for each affected product:
    2018-11-01 UPDATE: Added 1756 ControlLogix Ethernet/IP Communications Modules
    Platform Catalog Number Recommendation
    1756 ControlLogix® EtherNet/IP Communications Modules 1756-ENBT, All Versions

    1756-EN2F
    Series A, All versions
    Series B, All versions

    1756-EN2T
    Series A, All Versions
    Series B, All Versions
    Series C, All Versions

    1756-EN2TR
    Series A, All Versions
    Series B, All Versions

    1756-EN3TR
    Series A    		 No direct mitigation provided. See NOTE: below for recommended actions.
    1756 ControlLogix® EtherNet/IP Communications Modules 1756-EN2F, Series C
    1756-EN2T, Series D
    1756-EN2TR, Series C
    1756-EN3TR, Series B    		 Apply FRN 10.010 or later (Download)
    Small Controllers:
    CompactLogix™ 5370 L1
    CompactLogix™ 5370 L2
    CompactLogix™ 5370 L3    		 1769-L16XX
    1769-L18XX
    1769-L24XX
    1769-L27XX
    1769-L30XX
    1769-L33XX
    1769-L36XX    		 1. Apply FRN 28.011 or later (Download)

    2. Checkpoint has released the following Intrusion Prevention System ("IPS") definition to address this vulnerability: CPAI-2018-1030
    CompactLogix™ Packaged Controllers 1769-L23E-QB1B
    1769-L23E-QBFC1B    		 Discontinued as of June 2016

    1.1769-L23E-QB1B: Recommend Migration to 1769-L24ER-BB1B

    1769-L23E-QBFC1B: Recommend Migration to 1769-L24ER-QBFC1B

    2. Checkpoint has released the following Intrusion Prevention System ("IPS") definition to address this vulnerability: CPAI-2018-1030

    NOTE: Customers using previous series of the affected 1756 EtherNet/IP catalog numbers are urged to assess their risk and, if necessary, contact their local distributor or Sales Office in order to upgrade to a newer product line that contains the relevant mitigations.

  2. Do not click on or open URL links from untrusted sources.
  3. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  4. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Interne.
  5. Locate control system networks and devices behind firewalls, and isolate them from the business network
  6. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
03-SEP-2015 1.0 Initial Release
01-MAR-2016 1.1 Update: Additional Products
01-NOV-2018 1.2 Update: Additional Products and ISP Definition
Attachments

KCS Status

Released

PN1011 | PN1011 | Rockwell Automation Briefing on Meltdown and Spectre vulnerabilities.
Published Date:
October 01, 2018
Last Updated:
October 01, 2018
Products:
Third Party, Compliance / Audit Trail / Security, RSBizWare Machine Performance, PLC5/250, ControlPak General, RSWire, ProcessPak, Historian Classic, Security Server, Integration Manager, 6200-PLC3, RSLogix Frameworks, SOS, RSLogix 500, AI-5, dsShopLib, Arena, Foundation Server, Shop Operations, RSLibrary Builder, RSBizWare Coordinator, Reporting (form based), AI-Micro, RSView32 WebServer, AI-3, Database, FactoryTalk ViewPoint, RSData OCX, SPC, Admin Tools, RSView32 SPC, FactoryTalk VantagePoint, App Solutions Documentation, Business Objects, Migration, Master Disk Copy Protection, Studio 5000 View Designer, RSGuardian, RSBizWare Tracker, Raise Software, RSToolPak II, FactoryTalk View SE, Interface Manager, Reporting, DataDisc, MaterialTrack, RSLogix 5, Operator Certification, Live Transfer, ThinManager, Advisor, ControlView, Printing, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, LiveData, Agile, Installation, RSLogix Emulate 500, Knowledge Documentation, RSPower, Entek, RSLogix Emulate 5, PBase, Build Utility, Shop Operation, Foundation Client, AI-5/250, AI-500, NCR/CAR/IQA, WINtelligent Recipe, RSView32, 6200-PLC5, FactoryTalk Activation, Purge, FactoryTalk Historian SE, RSEnterprise Controls, WINtelligent Logic 5, RSPowerTools, WSIntegrate, PID Logistics 500, RSMACC, FactoryTalk VantagePoint EMI, SoftLogix5800, RSView32 Messenger, FactoryTalk Linx Gateway, Supplier Manager, RSView32 Active Display, Maintenance Releases, 100/150 PCD, Connected Components Workbench, ComplianceTrack, RSTools, Portlets, RSBizWare Scheduler, WINtelligent Quality, PID Logistics 5, AI-2, GEMS, Documentation, PLC2A and T3, General Computer, Activities, ETL, ERP Integration Gateway, ECO, Historical Transfer, RS PMX CTM, RSTestStand, RSWorkbench, RSBizWare Line Performance, Production Management Client, RSLadder, Data, RMA, Thin Client, DataSite Workbench, Logix Designer, FactoryTalk Integrator, AI Emulate 500, RSPower32, AI Emulate 5, Administration, Production Execution Client, 1757 ProcessLogix, WINtelligent View, Installation, JD Edwards, Dashboard, Integrated Architecture Builder (IAB), WINtelligent HMI, PMX, 6200-5/250, eProcedure, RSView - 16 Bit, ActiveX Control, FactoryTalk Metrics, RSChart, TrendX, Universe Manager, Authentication, FactoryTalk AssetCentre, RSTrend, Knowledge Installation, Sampling Plans, General, RSSidewinderX, Configuration Tool, FactoryTalk Transaction Manager, Consumer Packaged Goods Suite, Studio 5000 Application Code Manager (ACM), AI-100/150, PlantMetrics, API, PCO Software (6723), Reports (Out-of-box), FactoryTalk Batch, FactoryTalk EnergyMetrix, FactoryTalk View ME, SoftLogix5, FactoryTalk Analytics for Machines, Process Designer, WINtelligent Trend, RSPocketLogix, Other, Reports (Custom), 6200-PLC2, RSMailman, Automotive Suite , Quality Assurance (6.x), ICAPA, RSLogix Architect / Studio 5000 Architect, Equipment Manager, GUI, FactoryTalk Analytics for Devices, PlantPAx, CtrlContainer, Complaint Handling, RSToolPak I, Server Configuration, Pavilion, RSData VBX, FactoryTalk Services Platform
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Rockwell Automation Briefing on "Meltdown" and "Spectre" vulnerabilities.

Description

Version 1.8 - October 1, 2018
Version 1.7 - February 14, 2018
Version 1.6 - February 6, 2018
Version 1.5 - February 2, 2018
Version 1.4 - January 26, 2018
Version 1.3 - January 23, 2018
Version 1.2 - January 18, 2018
Version 1.1 - January 10, 2018
Version 1.0 - January 8, 2018

On January 3, 2018, a set of new hardware kernel level vulnerabilities, named "Meltdown" and "Spectre", were announced by researchers. Both Spectre and Meltdown are vulnerabilities that affect modern microprocessors allowing malicious processes to access the contents of restricted memory and therefore affect multiple generations of Central Processing Units (CPUs).

Rockwell Automation is aware of these vulnerabilities and of how they could, if exploited, potentially impact our customers’ environments. Rockwell Automation is diligently working through the process of evaluating how the mitigation techniques will impact the functionality and performance of the Rockwell Automation hardware, software, and pre-engineered products and solutions that incorporate third party microprocessors. Rockwell Automation will continue to provide updated information as soon as reliable performance tests are completed.

AFFECTED PRODUCTS

Rockwell Automation Products
Rockwell Automation is currently investigating its product portfolio in order to identify which of its products may be directly affected by the "Meltdown" and "Spectre" vulnerabilities. Rockwell Automation will continue to monitor this situation, and will update this advisory if necessary.

UPDATE: Oct 01, 2018

Rockwell Automation has released new BIOS for certain Industrial Environment Computers that address the Meltdown and Spectre vulnerabilities. See below for details.

UPDATE: Feb 06, 2018

As of this writing, Rockwell Automation has evaluated many of our product families. Depending on the products’ architectures, effects of the Meltdown and Spectre vulnerabilities may significantly vary. Below is more information on Rockwell Automation’s evaluation.

NOTE: Rockwell Automation may continue to evaluate additional products that we suspect to be affected and will update this advisory accordingly.

I. Rockwell Automation has concluded that the following Active or Active Mature products contain a microprocessor that is affected by the Meltdown and Spectre vulnerabilities. Please see Knowledgebase Article ID 1071234 for detailed information about which Rockwell Automation-qualified Microsoft patches to apply to your products based on the Windows Operating System in use. As BIOS updates become available, Rockwell Automation will continue to update this advisory. The products are as follows:

Product Family Affected Versions Bul. #
6181X Hazardous Location Computers Series H, All Versions Bul. 6181X
6181P Integrated Display Computers Series F, All Versions Bul. 6181P
6177R Non-Display Computers Series C, All Versions Bul. 6177R
VersaView® 5400 Industrial Computers Series A, All Versions Bul. 6200P
VersaView® 5200 ThinManager® Thin Clients Series A, All Versions Bul. 6200T


In addition, Rockwell Automation has also determined the following discontinued products are similarly affected. Customers with discontinued products are encouraged to contact their local distributor or Sales Office to discuss a migration path to Active product lines.

Product Family Affected Versions Bul. #
6181X Hazardous Location Computers Series E, F, G, All Versions Bul. 6181X
6181P Integrated Display Computers Series A-E, All Versions Bul. 6181P
6177R Non-Display Computers (750R & 1450R) Series A, B, All Versions Bul. 6177R
6155R/F Compact Non-Display Computers (200R) All Versions Bul. 6155R & Bul. 6155F
6180P Integrated Display Computer with Keypad (1200P & 1500P) All Versions Bul. 6180P
6180W VersaView Industrial Workstations (1200W & 1500W) All Versions Bul. 6180W
6181F Integrated Display Computer (NDM, 1200P, 1500P, 1700P) All Versions Bul. 6181F
6181H Integrated Display Computer (1500P) All Versions Bul. 6181H
6183H Hazardous Location Computer (1200P) All Versions Bul. 6183H


Please see the Microsoft Patch Qualification section below for additional mitigation strategies.

II. The following products are Active or Active Mature and contain a microprocessor that is affected by the Meltdown and Spectre vulnerabilities. However, as a result of the product architecture, Rockwell Automation has concluded that the Meltdown and Spectre vulnerabilities do not pose a significant risk to these products:

Product Family Affected Versions Bul. #
ControlLogix® 5580 Controllers All Versions • 1756-L8
5069 CompactLogix™ 5380 Controllers All Versions • 5069-L3
5069 Compact I/O™ EtherNet/IP Adapters All Versions • 5069-AENTR
• 5069-AEN2TR
5069 Compact I/O™ Modules All Versions • 5069-Ix
• 5069-Ox
ControlLogix® EtherNet/IP Modules All Versions • 1756-EN2F, Series C
• 1756-EN2T, Series D
• 1756-EN2TP, Series A
• 1756-EN2TR, Series C
• 1756-EN2TRXT, Series C
• 1756-EN2TSC, Series B
• 1756-EN2TXT, Series D
• 1756-EN2TK, Series D
• 1756-EN2TRK, Series C
FactoryTalk® Analytics for Devices All Versions • 6200P-NS3C6
FactoryTalk® Historian Machine Edition (ME) Module All Versions • 1756-HIST
PowerFlex® 755T Drive Solutions All Versions • Bul. 20G
Kinetix® 5700 Modules (Single Axis, Double Axis) All Versions • 2198-Sxxx
• 2198-Dxxx
PowerFlex® 750 Series EtherNet/IP Option Module - Dual Port All Versions • 20-750-ENETR
PowerFlex® 750 Series Safe Speed Monitor Option Module All Versions • 20-750-S1
PowerFlex® 527 Compact-Class AC Drives All Versions • Bul. 25C
PowerFlex® 753 Architecture-Class AC Drives All Versions • Bul. 20F
PowerFlex® 7000 Medium Voltage AC Drives All Versions • Catalogs 7000, 7000A, 7000L
PowerFlex® 6000 Medium Voltage AC Drives All Versions • Catalogs 6000, 6000U
PanelView™ 5310 Operator Interface Terminal All Versions • 2713P-xx
PanelView™ Plus 7 Standard All Versions • 2711P-XXXXXXXX8S
PanelView™ 5500 All Versions • 2715-xx
PanelView™ Plus 7 Performance All Versions • 2711P-XXXXXXXX9P
PanelView™ Plus 6 400-600 All Versions

• 2711P-X*XXX8 and 2711P-X*XXX9
(where * is either 4 or 6)
PanelView™ Plus 6 Compact 400 and 600 All Versions • 2711PC-X4XXXD8
• 2711PC-X6XXXD8
MobileView™ All Versions • 2711T-B10I1N1
• 2711T-B10R1K1
• 2711T-B10R1M1
• 2711T-F10G1N1
• 2711T-T10G1N1
• 2711T-T10R1N1


III. Lastly, Rockwell Automation has concluded that the following products do not to contain a microprocessor that is affected by the Meltdown and Spectre vulnerabilities. Therefore these products are not affected by the reported vulnerabilities.

Product Family Bul. #
ControlLogix® 5570 Controllers • 1756-L7
GuardLogix® 5570 Controllers • 1756-L7S
ControlLogix® 5560 Controllers • 1756-L6
GuardLogix® 5560 Controllers • 1756-L6S
ControlLogix® L55 Controllers • 1756-L55x
CompactLogix™ 5370 L1, L2, L3 • 1769-L1
• 1769-L2
• 1769-L3
ControlLogix® EtherNet/IP Modules • 1756-ENBT
ControlLogix® Web Server Modules • 1756-EWEB
1769 CompactLogix™ L23x Controllers • 1769-L23
1769 CompactLogix™ L3x Controllers • 1769-L31
• 1769-L32
• 1769-L35
1768 CompactLogix™ L4x Controllers • 1768-L4x
PanelView™ Plus 6 700-1500 • 2711P-X*XXX8 and 2711P-X*XXX9
(where * is either 7, 10, 12, or 15)
PanelView™ Plus 6 Compact 1000 • 2711PC-T10C4D8
Kinetix 5500 Servo Drives • 2198-Hxxx
Stratix® 8000 Modular Managed Switches • 1783-MS
Stratix® 8300 Modular Managed Switches • 1783-RMS
Stratix® 5400 Industrial Ethernet Switches • 1783-HMS
Stratix® 5410 Industrial Distribution Switches • 1783-IMS
Stratix® 5700 Industrial Managed Ethernet Switches • 1783-BMS
ArmorStratix™ 5700 Industrial Managed Ethernet Switches for extreme environments • 1783-ZMS
Stratix® 2500 Lightly Managed Switches • 1783-LMS
Stratix® 5900 Services Router • 1783-SRKIT
Stratix® 5950 Security Appliance • 1783-SAD
Stratix® 5100 Wireless Access Point/Workgroup Bridge • 1783-WAP
PowerFlex® 523 Compact-Class AC Drives • Bul. 25A
PowerFlex® 525 Compact-Class AC Drives • Bul. 25B
PowerFlex® 4M Compact-Class AC Drives • Bul. 22F
PowerFlex® 40 Compact-Class AC Drives • Bul. 22B
PowerFlex® 40P Compact-Class AC Drives • Bul. 22B
PowerFlex® 400 Compact-Class AC Drives • Bul. 22C
PowerFlex® 70 Architecture-Class AC Drives • Bul. 20A
PowerFlex® 700 Architecture-Class AC Drives • Bul. 20B
PowerFlex® 700L Architecture-Class AC Drives • Bul. 20L
PowerFlex® 700S Architecture-Class AC Drives • Bul. 20D
ArmorStart® Distributed Motor Controllers • Bul. 280
• Bul. 281
• Bul. 283
• Bul. 284
ArmorStart® LT Distributed Motor Controller • Bul. 290
• Bul. 291
• Bul. 294
ArmorStart® ST Motor Controllers: Safety and Standard Versions • Bul. 281E
• Bul. 284E
Mega DySC® Three-Phase Voltage Sag Correction System • Bul. 1608M
Mini DySC® Single-Phase Voltage Sag Correction • Bul. 1608N
ProDySC® Three-Phase Voltage Sag Correction • Bul. 1608P


UPDATE: Oct 01, 2018

A new BIOS was released to address the Meltdown and Spectre vulnerabilities that affect these specific series for the following products:

Product Family Bul. # Series with new BIOS
6181X Hazardous Location Computers Bul. 6181X Series H, All Versions
6181P Integrated Display Computers Bul. 6181P Series F, All Versions
6177R Non-Display Computers Bul. 6177R Series C, All Versions


The new BIOS is available for download in the Product Compatibility and Download Center (PCDC). To find the new BIOS, search for each individual catalog number and go to the download page for the corresponding series listed above. Note that there is only one BIOS version available on PCDC under each of these products; this BIOS version that is available is the updated version that addresses the Meltdown and Spectre vulnerabilities.

UPDATE: Jan 10, 2018

Industrial Data Center (IDC)
Rockwell Automation is currently working with its software and hardware partners that make up the E1000, E2000 and E3000 Industrial Data Center (IDC) solution to obtain appropriate patches and updates to address the "Meltdown" and "Spectre" vulnerabilities. Rockwell Automation will continue to monitor this situation and provide updates in Knowledgebase Article ID 1071279. For IDC customers with a monitoring and administration contract, please contact Tech Support for assistance with this issue.

Microsoft Patch Qualification
Microsoft has released guidance for Windows Client and Windows Server Operating Systems. As of this writing, the Rockwell Automation MS Patch Qualification team is currently executing their validation processes on security updates related to the "Meltdown" and "Spectre" vulnerabilities. When these tests have been successfully completed, the test results will be made available through the Rockwell Automation MS Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.

UPDATE: Feb 14, 2018

Rockwell Automation evaluated the performance of FactoryTalk® View Site Edition and FactoryTalk® View Point actions on Windows systems updated with the Microsoft Meltdown and Spectre updates. Many factors are involved in affecting the performance of systems with these mitigations; these can include but are not limited to the CPU version, the age of the operating system, and the burden of the workload on the system. In addition to the performance data provided below, customers may also find the Microsoft blog post Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems helpful, as it provides rough estimates on the performance impact as it relates to the class of CPU and the Windows operating system.

FactoryTalk View SE

Test Environment

Rockwell Automation:Test Setup Information
Server Details Client Details
OS Windows Server 2008 R2 Standard SP1 Windows 7 Pro SP1
CPU Intel E5-2699A v4 @ 2.4GHz, 1 socket, 4 cpus/socket Intel E5-2699A v4 @ 2.4GHz, 1 socket, 4 cpus/socket
RAM 8GB 8GB
Tested Version 10.00.00.290 10.00.00.290
Microsoft Patches Installed

KB4056894: January Monthly Roll-up
KB4056897: Security Only Update

KB4056894: January Monthly Roll-up
KB4056897: Security Only Update


Test Results

Operating System Test Case: Display Update Rate Before Patch:
Avg (seconds)		 After Patch:
Avg (seconds)		 Change (%)
Windows 7 Pro SP1 x64 Load Display with 3000 numeric values (HMI tags)

1

1.1

10.000%
Load Display with 3000 numeric values (Direct Reference tags)

1.4

1.2

-14.286%
Load Display with 3000 animations

3

4.3

43.333%
Download 3000 tags from recipe

17.9

23.5

31.285%
Windows 2008 R1 Std Load Display with 3000 numeric values (HMI tags)

1.1

1.2

9.091%
Load Display with 3000 numeric values (Direct Reference tags)

1.3

1.1

-15.385%
Load Display with 3000 animations

3.3

4.4

33.333%
Download 3000 tags from recipe

18.4

17.2

-6.522%

FactoryTalk ViewPoint

Test Environment

Rockwell Automation:Test Setup Information
Server Details Client Details
OS Windows Server 2008 R2 Standard SP1 64-bit Windows 7 Enterprise SP1 64-bit
CPU Intel Xeon CPU E5-1607 v3 @3.10GHz Intel Core i3-4150 CPU @3.50GHz
RAM 8GB 4GB
Browser N/A Chrome v63.0.3239.84
Tested Version 10.00.00.290 10.00.00.290
Microsoft Patches Installed

KB4056894: January Monthly Roll-up
KB4056897: Security Only Update

KB4056894: January Monthly Roll-up
KB4056897: Security Only Update


Test Results

Overview: Test Case Details Before Patch:
Avg (seconds)		 After Patch:
Avg (seconds)		 Change (%)
Switching displays, recording loading time for each display Overview Display

2.78

2.85

2.518%
Image Heavy Display

3.15

3.90

23.810%
Data Heavy Display

2.18

2.51

15.138%
Recording 10,000 recipes downloading and refreshing time Download 10,000 recipes

96.54

98.96

2.507%
Refresh 10000 recipes

18.22

17.80

-2.305%
Color Animation Blinking Rate
(Rate = 1 second)		 Blink Rate (actual)

1.16

1.19

2.586%
Color Animation Blinking Rate
(Rate = 0.5 second)		 Blink Rate (actual)

0.71

0.77

8.451%
Recording time for 2000 Alarm Trigger Recording Time for 2000 Alarm Trigger

10.38

10.57

1.830%
Rendering time for 1000 Tags Rendering Time for 1000 Tags

2.29

2.45

6.987%

UPDATE: Feb 2, 2018

Knowledgebase Article ID 1071234 has been updated to include new patches for Windows 10 that have been qualified by the Rockwell Automation MS Patch Qualification team.

UPDATE: Jan 26, 2018

As of January 26, 2018, the Rockwell Automation MS Patch Qualification team has successfully qualified several Microsoft patches related to the "Meltdown" and "Spectre" vulnerabilities. For detailed and useful information about which qualified Microsoft patches to apply based on your Windows Operating System, please see Knowledgebase Article ID 1071234 under "Solution". Rockwell Automation will continue to test Microsoft patches related to "Meltdown" and "Spectre" and will update Knowledgebase Article ID 1071234 accordingly.

Note: Applying certain Microsoft patches released in early January have been found to cause anomalous behavior in several Rockwell software products, including Studio 5000, FactoryTalk View SE, and RSLinx Classic. If you have been experiencing software issues after installing a Microsoft update to patch "Meltdown" and "Spectre", and/or you would like to see a list of patches known to cause this irregular behavior, please see Knowledgebase Article ID 1071234.

Additionally, Rockwell Automation recommends:

  • Contact your PC/Server vendor for any associated firmware updates that may also be required to further reduce risk.
  • Before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to help ensure that there are no unexpected results or side effects.

Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, Knowledgebase Article ID 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring additional updates from both Microsoft and your PC/Server vendor(s).

GENERAL SECURITY GUIDELINES

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at Knowledgebase Article ID 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
01-Oct-2018 1.8 Update: Patches for Industrial PCs
14-Feb-2018 1.7 Update: FactoryTalk Software Performance Statistics
06-Feb-2018 1.6 Update: Affected Hardware Products Listed
02-Feb-2018 1.5 Update: Windows 10 Patch Qualification Information posted to Article ID 1071234.
26-Jan-2018 1.4 Update: Moved and clarified location for MS Patch Qualification details (Article ID 1071234).
23-Jan-2018 1.3 Update: Microsoft Patch Qualification for Windows 8.1, Windows Server 2012 R2 / Windows Server 2012 R2 SP1, and Windows Server 2016.
18-Jan-2018 1.2 Update: Microsoft Patch Qualification for Windows 7 and Windows Server 2008 R2.
10-Jan-2018 1.1 Update: Affected Products.
05-Jan-2018 1.0 Initial release.

KCS Status

Released

Critical
PN1037 | PN1037 | RSLinx Classic Heap and Buffer Overflow Vulnerabilities
Published Date:
September 20, 2018
Last Updated:
September 20, 2018
CVE IDs:
CVE-2018-14829, CVE-2018-14827, CVE-2018-14821
Products:
RSLinx Classic (Single Node
CVSS Scores:
7.5, 10.0, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

RSLinx Classic Heap and Buffer Overflow Vulnerabilities

Description

Version 1.0 - September 20, 2018

Rockwell Automation received reports regarding potential vulnerabilities in certain versions of RSLinx® Classic that, if successfully exploited, can cause memory corruption issues which may result in a crash of the software application (Denial of Service) or potentially allow the threat actor to execute arbitrary code on the target machine. One of these reports was received from Tenable, a cybersecurity software vendor. RSLinx® Classic is a software solution that allows Logix5000™ Programmable Automation Controllers to connect to a wide variety of Rockwell Software® applications, ranging from programming, data acquisition, configuration applications as well as those that interact with a human machine interface (HMI).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

RSLinx Classic, v4.00.01 and earlier

VULNERABILITY DETAILS

Rockwell Automation received these reports from Tenable, a cybersecurity software vendor, and ICS-CERT, . The report from Tenable contained details regarding Vulnerability #1 and Vulnerability #2. The report from ICS-CERT contained details regarding Vulnerability #3.

Vulnerability #1: Stack Overflow

This vulnerability may allow a remote threat actor to intentionally send a malformed CIP packet to port 44818, causing the software application to stop responding and crash. This vulnerability also has the potential to exploit a buffer overflow condition, which may allow the threat actor to remotely execute arbitrary code.

CVE-2018-14829 has been assigned to his vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 10.0 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Vulnerability #2: Heap Overflow

This vulnerability may allow a remote, unauthenticated threat actor to intentionally send a malformed CIP packet to port 44818, causing the RSLinx Classic application to terminate. The user will need to manually restart the software to regain functionality.

CVE-2018-14821 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Vulnerability #3: Denial of Service

A remote, unauthenticated threat actor may intentionally send specially crafted Ethernet/IP packets to port 44818, causing the software application to stop responding and crash. The user must restart the software to regain functionality.

CVE-2018-14827 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected controllers are encouraged to update their software with an available patch that addresses the associated risk. Customers who are unable to implement a software patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

  1. Update products according to this table:
Product Family Catalog Numbers Suggested Actions
RSLinx Classic 9355-WABx Currently, software patches have been released to address the following versions of RSLinx Classic.
V3.60
V3.74
V3.80
V3.81
V3.90
V4.00.01
These patches can be found at Knowledgebase Article ID 1075712.
  1. Customers may disable port 44818 in RSLinx Classic if it is not utilized during system operation. To disable port 44818, go to Options in RSLinx Classic. Then in the General tab of the Options pop-up, uncheck the option "Accept UDP Messages on Ethernet Port".
    1. Port 44818 is needed only when a user wants to utilize unsolicited messages. To check if you are using unsolicited messages, go to the "DDE/OPC" dropdown in RSLinx Classic. Select Topic Configuration and then go to the "Data Collection" tab in the Topic Configuration pop-up. The "Unsolicited Messages" checkbox is marked, then port 44818 is being used in your application.
    2. Note: In the next release of RSLinx Classic 4.10 or later, "Accept UDP Messages on Ethernet Port" checkbox is unchecked by default.
    3. Note: Applying the patch will not change the state of the "Accept UDP Messages on Ethernet Port" setting.

GENERAL SECURITY GUIDELINES

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP traffic from unauthorized sources are blocked.
  • Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
  • Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
20-Sept-2018 1.0 Initial Release
Attachments

KCS Status

Released

PN715 | PN715 | Advisory on web search tools that identify ICS devices and systems connected to the Internet
Published Date:
September 20, 2018
Last Updated:
September 20, 2018
Products:
Ethernet/IP Connected Products
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Advisory on web search tools that identify ICS devices and systems connected to the Internet

Description

Version 1.1 - September 20, 2018

SUMMARY

This Industrial Security Advisory is intended to raise the awareness to control system owners and operators of increased risks that stem from publicly-available web search tools that identify Internet-connected devices. These types of tools and search utilities can be used for legitimate research purposes; however, they also bear a potential for misuse by threat actors seeking to gather added intelligence about prospective cyber targets.

Rockwell Automation recognizes the potential risk to any device connected in a network that is accessible by unauthorized people, whether the device is isolated within a protected facility or if it is accessible through a remote connection, including the Internet. We are aware that such Internet search tools have the ability to identify Rockwell Automation branded products that are connected, either intentionally or unintentionally by the device owners to the Internet. For this reason, recommendations to mitigate associated risks are provided herein.

BACKGROUND

Web-based tools, including SHODAN and the Every Routable IP Project (ERIPP) provide a means for users to discover information about networked devices that are either knowingly or unknowingly connected to the Internet. Such connected products include, but are not limited to: web servers, routers, webcams, smart phones, VoIP phones, printers and in some cases industrial control products.

The information collected by these search tools about these Internet-facing devices includes device IP addresses and can also include geographic location (i.e. country, city and approximate latitude/longitude), specific product identity information or user-added descriptors that can be learned through device fingerprinting techniques. Some of these tools also provide a means to both search and filter databases for devices that match specific user-defined search criteria.

POTENTIAL RISK to INDUSTRIAL CONTROL DEVICES and SYSTEMS

Many devices cataloged by these search tools have been designed and installed with the full knowledge they are directly connected to the Internet; however, other devices identified by these tools were not intended by the manufacturer, or potentially the device installer to ever carry a direct connection.

As with all networked device and systems, industrial control systems are at risk of both accidental and potentially malicious attacks. The availability of search tools that simplify the process of locating and identifying devices unintentionally connected to the Internet raises associated risk to these devices and systems. It is evident based on the device information that some of these devices and accompanying systems lack recommended security protections facilitated by good security design and infrastructure-level appliances (e.g. firewalls, SIEMs, and intrusion detection systems).

As a consequence, these types of devices and systems may not operate with obscurity and may become exposed to additional unintended risks. Information provided through search tools could aid a curious individual or malicious threat actor in device-tampering activities or even a penetration into the product or connected system in order to facilitate a cyberattack.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Whether or not Internet-facing industrial control devices are identified by these tools, Rockwell Automation encourages all industrial control system (ICS) owners and operators to follow good security design practices.

https://www.rockwellautomation.com/en_NA/capabilities/industrial-networks/technical-data/overview.page?

These practices must also include careful evaluation and monitoring of all industrial control system connection points to an enterprise system and external remote access connections enabled via modems or direct connections to the Internet.

We recommend concerned customers remain vigilant and continue to follow sound security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest customers apply some of the following recommendations and complement this list with their own best-practices:

  1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
  2. If appropriate for the application, isolate the Industrial Control System network from the Enterprise network and other points of potential remote network access.
  3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
  4. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
  5. Use up to date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.
  6. Make sure that software and control system device firmware is patched to current releases.
  7. Periodically change passwords in control system components and infrastructure devices.
  8. Where applicable, set the controller key-switch/mode-switch to RUN mode.
  9. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
20-SEP-2018 1.1 Updated to fix broken links
18-JUL-2012 1.0 Initial Release
Attachments

KCS Status

Released

Critical
PN1018 | PN1018 | FactoryTalk Activation Manager Vulnerabilities
Published Date:
July 20, 2018
Last Updated:
July 20, 2018
CVE IDs:
CVE-2017-13754, CVE-2015-8277
Products:
FactoryTalk Transaction Manager, Logix Designer, RSNetWorx, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, FactoryTalk Linx Gateway, FactoryTalk Metrics, FactoryTalk EnergyMetrix, RSLinx Classic (Single Node, RSLogix 5, FactoryTalk Activation, Studio 5000 View Designer, Logix Emulate, FactoryTalk AssetCentre, FactoryTalk Historian SE, RSLogix 500
CVSS Scores:
2.7, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

FactoryTalk Activation Manager Vulnerabilities

Description

Version 1.2 - July 20, 2018
Version 1.1 - May 29, 2018
Version 1.0 - April 12, 2018

Two vulnerabilities were discovered in components distributed with every installation of FactoryTalk® Activation Manager. FactoryTalk Activation Manager enables customers to manage licensed content and activate Rockwell software products. One vulnerability exists in certain versions of Wibu-Systems CodeMeter; the second vulnerability is in certain versions of Flexera Software FlexNet Publisher, both are license management software.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below, and include the applicable mitigations in their deployed products. Additional details relating to the vulnerability, including affected products and recommended countermeasures, are provided herein.

UPDATE: July 20, 2018
Cisco has released several Snort Rules to addressing the Flexera software vulnerability. See the Risk Mitigations and Recommended User Actions section for more details.

AFFECTED PRODUCTS

FactoryTalk Activation Manager v4.00.02 and v4.01

  • Includes Wibu-Systems CodeMeter v6.50b and earlier

FactoryTalk Activation Manager v4.00.02 and earlier

  • Includes FlexNet Publisher v11.11.1.1 and earlier

The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. Customers who recognize products from the following list are using FactoryTalk Activation Manager.

  • Arena®
  • Emonitor®
  • FactoryTalk® AssetCentre
  • FactoryTalk® Batch
  • FactoryTalk® EnergyMetrix™
  • FactoryTalk® eProcedure®
  • FactoryTalk® Gateway
  • FactoryTalk® Historian Site Edition (SE)
  • FactoryTalk® Historian Classic
  • FactoryTalk® Information Server
  • FactoryTalk® Metrics
  • FactoryTalk® Transaction Manager
  • FactoryTalk® VantagePoint®
  • FactoryTalk® View Machine Edition (ME)
  • FactoryTalk® View Site Edition (SE)
  • FactoryTalk® ViewPoint
  • RSFieldBus™
  • RSLinx® Classic
  • RSLogix 500®
  • RSLogix 5000®
  • RSLogix™ 5
  • RSLogix™ Emulate 5000
  • RSNetWorx™
  • RSView®32
  • SoftLogix™ 5800
  • Studio 5000 Architect®
  • Studio 5000 Logix Designer®
  • Studio 5000 View Designer®
  • Studio 5000® Logix Emulate™

VULNERABILITY DETAILS

Vulnerability #1: CodeMeter Cross-Site Scripting
A Cross-Site Scripting ("XSS") vulnerability was found in certain versions of Wibu-Systems CodeMeter that may allow local attackers to inject arbitrary web script or HTML via a specific field in a configuration file, potentially allowing the attacker to access sensitive information, or even rewrite the content of the HTML page.

CVE-2017-13754 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 2.7/10 has been assigned. For a better understanding of how this score was generated, please follow this link: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:N0/I:L/A:N

Vulnerability #2: FlexNet Publisher Remote Code Execution
A custom string copying function of Imgrd.exe (the license server manager in FlexNet Publisher) and flexsvr.exe does not use proper bounds checking on incoming data, potentially allowing a remote, unauthenticated user to send crafted messages with the intent of causing a buffer overflow.

CVE-2015-8277 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 9.8/10 has been assigned. For a better understanding of how this score was generated, please follow this link: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers with affected versions of CodeMeter and/or FlexNet Publisher that were installed with FactoryTalk Activation Manager are encouraged to review the table below for suggested actions that will address the risks associated with these vulnerabilities.

Currently Installed Suggested Actions
FactoryTalk Activation Manager v4.01 and earlier

Update FactoryTalk Activation Manager to V4.02 and later.

If unable to update FactoryTalk Activation Manager to V4.02, update CodeMeter to the latest version of CodeMeter that is compatible with FactoryTalk Activation Manager.

For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibilty and Download Center (PCDC) Standard Views > Software Latest Versions > FactoryTalk Activation.

UPDATE: July 20, 2018
The following Snort rules can be applied to compatible IDS/IPS platforms to help mitigate the associated risk with the FlexNet Publisher vulnerability in FactoryTalk Activation:

Cisco has released Snort Rule 38246, Snort Rule 38247.
Cisco has released Snort Rule 39910.


Customers are encouraged, when possible, to combine the updates above with these general security guidelines to employ multiple strategies simultaneously.

GENERAL SECURITY GUIDELINES

  1. Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
  2. Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  3. Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https:rockwellautomation.custhelp.comappanswersdetaila_id546989.
  4. Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
  5. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  6. Locate control system networks and devices behind firewalls and isolate them from the business network.
  7. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY


Date Version Details
20-July-2018 1.2 Added Snort Rules for FlexNet Publisher
29-May-2018 1.1 ICS-CERT Advisory Link Added
12-Apr-2018 1.0 Initial Release
Attachments

KCS Status

Released

High
PN1026 | PN1026 | RSLinx Classic and FactoryTalk Linx Gateway Privilege Escalation through Unquoted Service Path
Published Date:
June 07, 2018
Last Updated:
June 07, 2018
CVE IDs:
CVE-2018-10619
Products:
FactoryTalk Linx Gateway, RSLinx Classic (Single Node
CVSS Scores:
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

RSLinx Classic and FactoryTalk Linx Gateway Privilege Escalation through Unquoted Service Path

Description

Version 1.0 - June 07, 2018

An unquoted service path privilege escalation vulnerability is a known and documented vulnerability that affects all versions of Windows that support spaces in file path names. Rockwell Automation® received a report from Gjoko Krstic of Zero Science Lab that certain versions of RSLinx® Classic and FactoryTalk® Linx™ Gateway (previously known as FactoryTalk Gateway) are potentially susceptible to this vulnerability. RSLinx Classic is two software solutions that allow Logix5000™ Programmable Automation Controllers to connect to a wide variety of Rockwell Software® applications, ranging from programming, data acquisition, configuration applications as well as those that interact with a Human-Machine Interface (HMI). FactoryTalk Linx Gateway is software that provides an OPC UA server interface to allow the delivery of information from Rockwell Software applications to Allen-Bradley controllers.

Rockwell Automation has provided a software update containing the remediation for this vulnerability. For previous versions of this software, a series of steps to mitigate this vulnerability have been provided. Further details about this vulnerability, as well as recommended countermeasures, are contained below.

AFFECTED PRODUCTS

RSLinx Classic, V3.90.01 and earlier
FactoryTalk Linx Gateway, V3.90.00 and earlier

VULNERABILITY DETAILS

Successful exploitation of this vulnerability could potentially allow an authorized, but non-privileged local user to execute arbitrary code of the threat actor’s choosing on the affected workstation. This vulnerability could also potentially allow a threat actor to escalate user privileges on the affected workstation. A well-defined service path enables Windows to easily find the path to a service by containing the path within quotation marks. Without quotation marks, any whitespace in the file path remains ambiguous, and the threat actor could drop a malicious executable once an unquoted service path is discovered.

CVE-2018-10619 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.8/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected versions of RSLinx Classic, FactoryTalk Linx and/or FactoryTalk Gateway OPC are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family
Catalog Numbers
Suggested Actions
RSLinx Classic
9355-WABx
Update to v4.00.01 or later (Download)
FactoryTalk Linx Gateway
9355-LNXGWxxxENx
9355-OPDxxxxLENx
9355-OPDxxxxENx
Update to FactoryTalk Linx Gateway v6.00.00 or later (Download)
  1. If unable to upgrade to the latest version visit Knowledgebase Article ID 939382, which describes how to identify whether or not your service path contains spaces (i.e. is vulnerable); how to manually address this vulnerability through a registry edit; and describes the process of implementing these edits.
  2. Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  3. Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https:rockwellautomation.custhelp.comappanswersdetaila_id546989.
  4. Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

GENERAL SECURITY GUIDELINES

  1. Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in Knowledgebase Article ID 546987.
  2. Use trusted software, software patches, anti-virus / anti-malware programs, and interact only with trusted web sites and attachments.
  3. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  4. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  5. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  6. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
  7. Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date
Version
Details
07-June-2018
1.0
Initial release.

KCS Status

Released

Medium
PN1024 | PN1024 | Arena Simulation Software Denial of Service
Published Date:
May 10, 2018
Last Updated:
May 10, 2018
Products:
Arena
CVSS Scores:
5.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Arena Simulation Software Denial of Service

Description

Version 1.0 – May 10, 2018

Rockwell Automation received a report from Ariele Caltabiano at Zero Day Initiative regarding a potential vulnerability in certain versions of Arena® Simulation Software for Manufacturing that, if successfully exploited, can cause a crash of the software application (Denial of Service) and cause a user to potentially lose unsaved data. Arena is a simulation software that helps customers analyze business ideas, rules, and strategies before real-life implementation in their business and control systems.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and implement the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

Arena Simulation Software for Manufacturing, Cat. 9502-Ax, Versions 15.10.00 and earlier

VULNERABILITY DETAILS

If a maliciously crafted Arena file (meaning the content of the file is invalid, unexpected, and/or random) is sent to an unsuspecting victim who is tricked (via social-engineering techniques) into opening the file in Arena, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena to continue use.

Note: There are also valid reasons why a file may not open in Arena. To learn more about these circumstances, please see Article ID 1073702.

Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 5.5/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

RISK MITIGATIONS AND RECOMMENDED USER ACTIONS

Customers using the affected versions of Arena are encouraged to install the updated revision of software that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below, and are encouraged, when possible, to combine these with secondary mitigations.

  1. Customers using Arena v15.00.00 or earlier are encouraged to update Arena to v15.10.01 or later (Download).
  2. Do not open untrusted .doe files with Arena Simulation Software.
  3. Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  4. Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.
  7. Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989
  8. Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date

Version

Details

10-May-2018

1.0

Initial release.

KCS Status

Released

Critical
PN1019 | PN1019 | Stratix 5400/5410/5700/8000 Denial of Service and Remote Code Execution Vulnerabilities
Published Date:
April 16, 2018
Last Updated:
April 16, 2018
CVE IDs:
CVE-2018-0174, CVE-2018-0171, CVE-2018-0167, CVE-2018-0175, CVE-2018-0173, CVE-2018-0172, CVE-2018-0158, CVE-2018-0156
Products:
ArmorStratix 5700 Managed Switch, Stratix 8000 Modular Managed Switch, Stratix 5700 Managed Switch, Stratix 5400 Industrial Ethernet Switch, Stratix 5410 Ind Distribution Switch
CVSS Scores:
8.8, 9.8, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Stratix 5400/5410/5700/8000 Denial of Service and Remote Code Execution Vulnerabilities

Description

Version 1.0 - April 16, 2018

On March 28, 2018, Cisco released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included twenty security advisories detailing twenty-two vulnerabilities. Contained in these advisories are eight vulnerabilities that impact Allen-Bradley Stratix® and ArmorStratix™ products.

These discovered vulnerabilities are remotely exploitable and may allow threat actors impact the availability, confidentiality, and/or integrity of the vulnerable modules if successfully exploited. Other attacks exploiting these various vulnerabilities can result in memory exhaustion, module restart, information corruption, and information exposure.

Customers using affected versions of this software are encouraged to review the available mitigation information on updating to the latest software versions that contain remediation. Additional vulnerability-related details, including affected products and recommended mitigations, are provided below.

AFFECTED PRODUCTS

  • Allen-Bradley Stratix 5400 Industrial Ethernet Switches, versions 15.2(6)E0a and earlier
  • Allen-Bradley Stratix 5410 Industrial Distribution Switches, versions 15.2(6)E0a and earlier
  • Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches, versions 15.2(6)E0a and earlier
  • Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches, versions 15.2(6)E0a and earlier
  • Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches for extreme environments, versions 15.2(6)E0a and earlier

Updates for all affected products are now available, and linked in the table provided. Stratix product firmware versions not listed above are not affected by these vulnerabilities.

VULNERABILITY DETAILS

Vulnerability #1: Smart Install Remote Code Execution
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.

The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts:

  • Triggering a reload of the device
  • Allowing the attacker to execute arbitrary code on the device
  • Causing an indefinite loop on the affected device that triggers a watchdog crash

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2.

A Common Vulnerabilities and Exposures ("CVE") ID has been assigned to this vulnerability:
CVE-2018-0171 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Vulnerability #2: Smart Install Denial of Service Vulnerability
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted packet to an affected device on TCP port 4786.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi.

CVE-2018-0156 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #3: DHCP Version 4 Relay Denial of Service
A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software performs incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr3.

CVE-2018-0174 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #4: DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability
A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software performs incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device. A successful exploit could allow the attacker to cause a heap overflow condition on the affected device, which will cause the device to reload and result in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr1.

CVE-2018-0172 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #5: DHCP Version 4 Relay Reply Denial of Service Vulnerability
A vulnerability in the Cisco IOS Software and Cisco IOS XE Software function that restores encapsulated option 82 information in DHCP Version 4 (DHCPv4) packets could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software performs incomplete input validation of encapsulated option 82 information that it receives in DHCPOFFER messages from DHCPv4 servers. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device, which the device would then forward to a DHCPv4 server. When the affected software processes the option 82 information that is encapsulated in the response from the server, an error could occur. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr2.

CVE-2018-0173 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #6: Internet Key Exchange Memory Leak Vulnerability
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak or a reload of an affected device that leads to a denial of service (DoS) condition.

The vulnerability is due to incorrect processing of certain IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device to be processed. A successful exploit could cause an affected device to continuously consume memory and eventually reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike.

CVE-2018-0158 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #7 and #8: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities
Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on an affected device.

Link Layer Discovery Protocol Buffer Overflow Vulnerability

A vulnerability in the LLDP subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.

Link Layer Discovery Protocol Format String Vulnerability

A vulnerability in the LLDP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp.

CVE-2018-0167 and CVE-2018-0175 have been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned to these vulnerabilities; the CVSS v3 vector string is CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using affected versions of these Stratix products are encouraged to update to the latest available software versions addressing the associated risk, and including improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies specific to these types of attacks are similarly recommended, like those listed below. When possible, multiple strategies should be implemented simultaneously.

  1. Update the affected products per the table below:
Product Family Affected Versions Updates Available
Stratix 5400 Industrial Ethernet Switches 15.2(6)E0a and earlier Apply FRN 15.2(6)E1 or later (Download)
Stratix 5410 Industrial Distribution Switches 15.2(6)E0a and earlier Apply FRN 15.2(6)E1 or later (Download)
Stratix 5700 Industrial Managed Ethernet Switches 15.2(6)E0a and earlier Apply FRN 15.2(6)E1 or later (Download)
Stratix 8000 Modular Managed Ethernet Switches 15.2(6)E0a and earlier Apply FRN 15.2(6)E1 or later (Download)
ArmorStratix 5700 Industrial Managed Ethernet Switches 15.2(6)E0a and earlier Apply FRN 15.2(6)E1 or later (Download)

  1. Cisco has offered additional information and mitigations for these vulnerabilities that are applicable. Where possible these can be applied alongside the upgrade in software version (above) to further mitigate risk of exposure.
Vulnerability Workaround (if available) Other Notes
#1: Smart Install Remote Code Execution Vulnerability There are no workarounds that address this vulnerability.

Cisco has released Snort Rule 46096 and Snort Rule 46097.

See "Smart Install Notes" below for additional Smart Install information/recommendations.
#2: Smart Install Denial of Service Vulnerability There are no workarounds that address this vulnerability.

Cisco has released Snort Rule 41725.

See "Smart Install Notes" below for additional Smart Install information/recommendations.
#3: DHCP Version 4 Relay Denial of Service Vulnerability There are no workarounds that address this vulnerability. Cisco has released Snort Rule 46120.
#4: DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability There are no workarounds that address this vulnerability. Cisco has released Snort Rule 46104.
#5: DHCP Version 4 Relay Reply Denial of Service Vulnerability There are no workarounds that address this vulnerability. Cisco has released Snort Rule 46119.
#6: Internet Key Exchange Memory Leak Vulnerability There are no workarounds that address this vulnerability. Cisco has released Snort Rule 46110.
#7 and #8: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities There are no workarounds that address this vulnerability. N/A


Smart Install Notes: For the Smart Install vulnerabilities (#1 and #2):

  1. Smart Install is turned off by express setup, however upgraded switches but not re-setup may have it enabled.
  2. Disable the Smart Install feature with the no vstack configuration command if it is not needed or once setup is complete.
  3. Customers who do use the feature - and need to leave it enabled - can use ACLs to block incoming traffic on TCP port 4786.

GENERAL SECURITY GUIDELINES

  1. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  2. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  3. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security).

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
16-Apr-2018 1.0 Initial Release

KCS Status

Released

Critical
PN1020 | PN1020 | Stratix 5900 Denial of Service and Remote Code Execution Vulnerabilities
Published Date:
April 16, 2018
Last Updated:
April 16, 2018
CVE IDs:
CVE-2018-0151, CVE-2018-0175, CVE-2018-0167, CVE-2018-0158
Products:
Stratix 5900 Services Router
CVSS Scores:
8.8, 9.8, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Stratix 5900 Denial of Service and Remote Code Execution Vulnerabilities

Description

Version 1.0 - April 16, 2018

On March 28, 2018 Cisco released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included twenty security advisories detailing twenty-two vulnerabilities. Contained in these advisories are eight vulnerabilities that impact Allen-Bradley® Stratix® and ArmorStratix™ products.

These discovered vulnerabilities are remotely exploitable and may allow threat actors impact the availability, confidentiality, and/or integrity of the vulnerable modules if successfully exploited. Other attacks exploiting these various vulnerabilities can result in memory exhaustion, module restart, information corruption, and information exposure.

Customers using affected versions of this software are encouraged to review the available mitigation information on updating to the latest software versions that contain remediation. Additional vulnerability-related details, including affected products and recommended mitigations, are provided below.

AFFECTED PRODUCTS

  • Allen-Bradley Stratix 5900 Services Router, version 15.6.3M1 and earlier

VULNERABILITY DETAILS

Vulnerability #1: Internet Key Exchange Memory Leak Vulnerability
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak or a reload of an affected device that leads to a denial of service (DoS) condition.

The vulnerability is due to incorrect processing of certain IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device to be processed. A successful exploit could cause an affected device to continuously consume memory and eventually reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike.

CVE-2018-0158 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #2: Quality of Service Remote Code Execution Vulnerability
A vulnerability in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges.

The vulnerability is due to incorrect bounds checking of certain values in packets that are destined for UDP port 18999 of an affected device. An attacker could exploit this vulnerability by sending malicious packets to an affected device. When the packets are processed, an exploitable buffer overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code on the affected device with elevated privileges. The attacker could also leverage this vulnerability to cause the device to reload, causing a temporary DoS condition while the device is reloading.

The malicious packets must be destined to and processed by an affected device. Traffic transiting a device will not trigger the vulnerability.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-qos.

CVE-2018-0151 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Vulnerability #3 and #4: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities
Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on an affected device.

Link Layer Discovery Protocol Buffer Overflow Vulnerability

A vulnerability in the LLDP subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.

Link Layer Discovery Protocol Format String Vulnerability

A vulnerability in the LLDP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp.

CVE-2018-0167 and CVE-2018-0175 have been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned to these vulnerabilities; the CVSS v3 vector string is CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using affected versions of these Stratix products are encouraged to review and apply available mitigations to address the associated risk, and including improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies specific to these types of attacks are similarly recommended, like those listed below. When possible, multiple strategies should be implemented simultaneously.

  1. Cisco has offered the following information and mitigations for these vulnerabilities that are applicable.
Vulnerability Workaround (if applicable) Other Notes
#1: Internet Key Exchange Memory Leak Vulnerability There are no workarounds that address this vulnerability. Cisco has released Snort Rule 46110.
#2: Quality of Service Remote Code Execution Vulnerability

Customers who do not use the Adaptive QoS for DMVPN feature can deny all traffic destined to UDP port 18999 on an affected device by using a Control Plane Policing (CoPP) policy similar to the following:

  • ACL for CoPP Undesirable UDP class-map access-list 199 permit udp any any eq 18999
  • CoPP Undesirable UDP class-map class-map match-all undesirable-udp match access-group 199
  • Undesirable UDP Policy Map policy-map drop-udp class undesirable-udp drop
  • Apply Undesirable UDP policy Map control-plane service-policy input drop-udp

If the Adaptive QoS for DMVPN feature is later configured, the device must be upgraded to an unaffected release of Cisco IOS Software or Cisco IOS XE Software and the CoPP policy must be removed.

 Cisco has released Snort Rule 46111.
#3 and #4: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities There are no workarounds that address these vulnerabilities. N/A

GENERAL SECURITY GUIDELINES

  1. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  2. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  3. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security).

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
16-Apr-2018 1.0 Initial Release

KCS Status

Released

Critical
PN1021 | PN1021 | Stratix 8300 Denial of Service and Remote Code Execution Vulnerabilities
Published Date:
April 16, 2018
Last Updated:
April 16, 2018
CVE IDs:
CVE-2018-0174, CVE-2018-0171, CVE-2018-0167, CVE-2018-0175, CVE-2018-0173, CVE-2018-0172, CVE-2018-0155, CVE-2018-0156
Products:
Stratix 8300 L3 Modular Managed Switch
CVSS Scores:
8.8, 9.8, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Stratix 8300 Denial of Service and Remote Code Execution Vulnerabilities

Description

Version 1.0 - April 16, 2018

On March 28, 2018 Cisco released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included twenty security advisories detailing twenty-two vulnerabilities. Contained in these advisories are eight vulnerabilities that impact Allen-Bradley Stratix® and ArmorStratix™ products.

These discovered vulnerabilities are remotely exploitable and may allow threat actors impact the availability, confidentiality, and/or integrity of the vulnerable modules if successfully exploited. Other attacks exploiting these various vulnerabilities can result in memory exhaustion, module restart, information corruption, and information exposure.

Customers using affected versions of this software are encouraged to review the available mitigation information on updating to the latest software versions that contain remediation. Additional vulnerability-related details, including affected products and recommended mitigations, are provided below.

AFFECTED PRODUCTS

  • Allen-Bradley Stratix 8300 Industrial Managed Ethernet Switches, versions 15.2(4a)EA5 and earlier

VULNERABILITY DETAILS

Vulnerability #1: Smart Install Remote Code Execution
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.

The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts:

  • Triggering a reload of the device
  • Allowing the attacker to execute arbitrary code on the device
  • Causing an indefinite loop on the affected device that triggers a watchdog crash

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2.

A Common Vulnerabilities and Exposures ("CVE") ID has been assigned to this vulnerability:
CVE-2018-0171 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Vulnerability #2: Smart Install Denial of Service Vulnerability
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted packet to an affected device on TCP port 4786.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi.

CVE-2018-0156 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #3: Bidirectional Forwarding Detection Denial of Service Vulnerability
A vulnerability in the Bidirectional Forwarding Detection (BFD) offload implementation could allow an unauthenticated, remote attacker to cause a crash of the iosd process, causing a denial of service (DoS) condition.

The vulnerability is due to insufficient error handling when the BFD header in a BFD packet is incomplete. An attacker could exploit this vulnerability by sending a crafted BFD message to or across an affected switch. A successful exploit could allow the attacker to trigger a reload of the system.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-bfd.

CVE-2018-0155 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #4: DHCP Version 4 Relay Denial of Service
A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software performs incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr3.

CVE-2018-0174 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #5: DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability
A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software performs incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device. A successful exploit could allow the attacker to cause a heap overflow condition on the affected device, which will cause the device to reload and result in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr1.

CVE-2018-0172 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #6: DHCP Version 4 Relay Reply Denial of Service Vulnerability
A vulnerability in the Cisco IOS Software and Cisco IOS XE Software function that restores encapsulated option 82 information in DHCP Version 4 (DHCPv4) packets could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software performs incomplete input validation of encapsulated option 82 information that it receives in DHCPOFFER messages from DHCPv4 servers. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device, which the device would then forward to a DHCPv4 server. When the affected software processes the option 82 information that is encapsulated in the response from the server, an error could occur. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr2.

CVE-2018-0173 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #7 and #8: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities
Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on an affected device.

Link Layer Discovery Protocol Buffer Overflow Vulnerability

A vulnerability in the LLDP subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.

Link Layer Discovery Protocol Format String Vulnerability

A vulnerability in the LLDP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp.

CVE-2018-0167 and CVE-2018-0175 have been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned to these vulnerabilities; the CVSS v3 vector string is CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using affected versions of these Stratix products are encouraged to review and apply available mitigations to address the associated risk, and including improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies specific to these types of attacks are similarly recommended, like those listed below. When possible, multiple strategies should be implemented simultaneously.

  1. Cisco has offered the following information and mitigations for these vulnerabilities that are applicable.
Vulnerability Workaround (if available) Other Notes
#1: Smart Install Remote Code Execution Vulnerability There are no workarounds that address this vulnerability.

Cisco has released Snort Rule 46096 and Snort Rule 46097.

See "Smart Install Notes" below for additional Smart Install information/recommendations.
#2: Smart Install Denial of Service Vulnerability There are no workarounds that address this vulnerability.

Cisco has released Snort Rule 41725.

See "Smart Install Notes" below for additional Smart Install information/recommendations.
#3: Bidirectional Forwarding Detection (BFD) Denial of Service Vulnerability There are no workarounds that address this vulnerability.

Administrators who do not use the BFD feature in their environments can disable the BFD feature by using the feature bfd disable command in global configuration mode to prevent exploitation of this vulnerability.

Administrators who do use the BFD feature can implement Control Plane Policing (CoPP) to allow processing of BFD packets from known BFD peers only and drop all other BFD traffic to limit exposure.
#4: DHCP Version 4 Relay Denial of Service Vulnerability There are no workarounds that address this vulnerability. Cisco has released Snort Rule 46120.
#5: DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability There are no workarounds that address this vulnerability. Cisco has released Snort Rule 46104.
#6: DHCP Version 4 Relay Reply Denial of Service Vulnerability There are no workarounds that address this vulnerability. Cisco has released Snort Rule 46119.
#7 and #8: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities There are no workarounds that address this vulnerability. N/A


Smart Install Notes: For the Smart Install vulnerabilities (#1 and #2):

  1. Smart Install is turned off by express setup, however upgraded switches but not re-setup may have it enabled.
  2. Disable the Smart Install feature with the no vstack configuration command if it is not needed or once setup is complete.
  3. Customers who do use the feature - and need to leave it enabled - can use ACLs to block incoming traffic on TCP port 4786.

GENERAL SECURITY GUIDELINES

  1. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  2. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  3. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security).

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
16-Apr-2018 1.0 Initial Release

KCS Status

Released

High
PN1015 | PN1015 | MicroLogix Controller Vulnerabilities
Published Date:
March 28, 2018
Last Updated:
March 28, 2018
CVE IDs:
CVE-2017-12093, CVE-2017-14471, CVE-2017-14467, CVE-2017-14472, CVE-2017-14473, CVE-2017-14462, CVE-2017-14468, CVE-2017-14463, CVE-2017-14466, CVE-2017-12092, CVE-2017-12090, CVE-2017-14465, CVE-2017-14470, CVE-2017-12089, CVE-2017-14469, CVE-2017-12088, CVE-2017-14464
Products:
MicroLogix 1401
CVSS Scores:
3.7, 6.8, 6.3, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

MicroLogix Controller Vulnerabilities

Description

Version 1.0 - March 28, 2018

Jared Rittle and Patrick DeSantis of Cisco Talos, Cisco Systems, Inc.’s ("Cisco") security intelligence and research group contacted Rockwell Automation with a report detailing several vulnerabilities in the MicroLogix 1400™ controller family that, if successfully exploited, can have impacts ranging from Denial of Service to potential information disclosure.

Rockwell Automation has evaluated the contents of the researcher’s report and produced this disclosure, which provides details relating to these vulnerabilities and recommended countermeasures.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

Product Catalog Numbers Affected Versions
MicroLogix 1400 1766-Lxxx FRN 21.003 and earlier
MicroLogix 1100 1763-Lxxx FRN 16.00 and earlier


VULNERABILITY DETAILS

The report from Cisco Talos contained six potential vulnerabilities. Rockwell Automation evaluated all six reported issues and provided fixes and/or mitigations after confirming the first five vulnerabilities. The sixth reported issue is listed below, however, Rockwell Automation has determined that this feature works as intended. Additional details are provided below.

Vulnerability #1: Denial of Service via Ethernet Functionality
A remote, unauthenticated attacker could potentially send a specially crafted packet to the Ethernet port of an affected controller, which puts the device in a fault state, and potentially deleting ladder logic.

CVE-2017-12088 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #2: Denial of Service via Download Functionality
A remote, unauthenticated attacker could send a specially crafted packet to the controller during the standard download process. Without the proper packet to indicate download completion, the controller freezes in the download state for one minute before entering the fault state.

CVE-2017-12089 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 6.8/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #3: Denial of Service - SNMP-set request
A specially crafted SNMP-set request, when sent without associated SNMP-set commands for firmware flashing, can cause the device to power cycle resulting in downtime for the device. An attacker can send one packet to trigger this vulnerability.

CVE-2017-12090 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 6.3/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #4: Access Control Vulnerabilities
A remote, unauthenticated attacker could send a specially crafted packet to the affected device and utilize read or write operations that could result in several potential impacts, ranging from disclosure of sensitive information, modification of settings, or ladder logic modification.

Potential implications as a result of the vulnerability are listed below; each situation was reported to us by Cisco Talos and has been addressed by Rockwell Automation.

Item # Summary of Situation CVE-2017-XXXX
4a Modification of Communication Protocols and Network Configuration CVE-2017-14462
4b Overwriting the PLC Ladder Logic CVE-2017-14463
4c Memory Module mismatch Fault CVE-2017-14464
4d Forcing PLC I/O CVE-2017-14465
4e Writing and Clearing Master Password (See **) CVE-2017-14466
4f Perform online edits to ladder logic CVE-2017-14467
4g Trigger the PLC to load program from Electrically Erasable Programmable Read-Only Memory (EEPROM) CVE-2017-14468
4h Setting an invalid value for the user fault routine CVE-2017-14469
4i Setting float elements to invalid values CVE-2017-14470
4j Setting fault bits in specific function files to cause a Denial of Service CVE-2017-14471
4k Reading Master Password (See **) CVE-2017-14472
4l Reading Master Ladder Logic CVE-2017-14473

** Master Password not supported when using RSLogix 500 v11 and later with a MicroLogix 1400 controller flashed to FRN 21.002 or later.

Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 10/10 has been assigned overall. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Vulnerability #5: File-Write vulnerability in Memory Module
A memory module installed in a MicroLogix controller that allows a user to instruct the controller to write its program to the module without authentication. The memory module is a back-up, but can also be used to load programs once an error occurs, and has the ability to load the program every time the device powers on.

CVE-2017-12092 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 3.7/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N.

Reported Issue #6: Malicious Register Session Packets lead to Communication Loss
The MicroLogix 1400 controller supports ten active sessions at a time. The issue describes a scenario where a malicious user sends their own Register Session packets in order create their own connection to the controller, preventing valid users from accessing the PLC. However, when there are ten existing connections to the controller and another Register Session packet is sent, the oldest connection will be disconnected. The user whose online session has been disconnected receives the normal communication loss alert, upon which they can choose to reconnect.

CVE-2017-12093 has been assigned to this vulnerability by Cisco Talos. While evaluating this issue as a potential vulnerability, Cisco Talos assigned a CVSS v3.0 score of 5.3/10. For details, please follow the link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

RISK MITIGATION and RECOMMENDED USER ACTIONS

Customers using the affected controllers are strongly encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

  1. Update the affected products per the table below:
Vulnerability Product Family Catalog Number Hardware Series Suggested Actions
#1: DoS via Ethernet Functionality MicroLogix 1400 1766-Lxxx Series B or C
  • Apply FRN 21.004 or later
MicroLogix 1400 1766-Lxxx Series A
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
#2: DoS via Download Functionality MicroLogix 1400 1766-Lxxx Series B or C
  • Set keyswitch to Hard Run to block any unauthorized changes
  • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
MicroLogix 1400 1766-Lxxx Series A
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
#3: DoS via SNMP-set request MicroLogix 1400 1766-Lxxx Series B or C
  • Set keyswitch to Hard Run to block any unauthorized changes
  • Disable the SNMP service on this product. The SNMP service is enabled by default. See Page 128 in the MicroLogix 1400 Programmable Controllers User Manual Publication 1766-UM001 for detailed instructions on enabling and disabling SNMP
MicroLogix 1400 1766-Lxxx Series A
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Vulnerability Not Applicable: MicroLogix 1100 does not support SNMP
#4a: Modification of Communication Protocol / Network Configuration MicroLogix 1400 1766-Lxxx Series B or C
  • Apply FRN 21.004 or later, then set the keyswitch to Hard Run to block any unauthorized changes
MicroLogix 1400 1766-Lxxx Series A
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
#4b: Overwriting Large Ladder Logic MicroLogix 1400 1766-Lxxx Series B or C
  • Set keyswitch to Hard Run to block any unauthorized changes
  • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
MicroLogix 1400 1766-Lxxx Series A
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
#4c: Memory Module Mismatch MicroLogix 1400 1766-Lxxx Series B or C
  • Set keyswitch to Hard Run to block any unauthorized changes
  • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
MicroLogix 1400 1766-Lxxx Series A
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
#4d: Forcing PLC I/O MicroLogix 1400 1766-Lxxx Series B or C
  • Apply FRN 21.004 or later, then set the keyswitch to Hard Run to block any unauthorized changes
MicroLogix 1400 1766-Lxxx Series A
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
#4e: Writing and Clearing Master Password MicroLogix 1400 1766-Lxxx Series B or C
  • Apply FRN 21.002 or later
MicroLogix 1400 1766-Lxxx Series A
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
#4f: Perform online edits to ladder logic MicroLogix 1400 1766-Lxxx Series B or C
  • Set keyswitch to Hard Run to block any unauthorized changes
  • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
MicroLogix 1400 1766-Lxxx Series A
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
#4g: Tigger PLC program load from EEPROM MicroLogix 1400 1766-Lxxx Series B or C
  • Set keyswitch to Hard Run to block any unauthorized changes
  • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
MicroLogix 1400 1766-Lxxx Series A
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
#4h: Setting an invalid value to fault routine MicroLogix 1400 1766-Lxxx Series B or C
  • Set keyswitch to Hard Run to block any unauthorized changes
  • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
MicroLogix 1400 1766-Lxxx Series A
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
MicroLogix 1400 1763-Lxxx All Series
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
#4i: Setting float elements to invalid values MicroLogix 1400 1766-Lxxx Series B or C
  • Apply FRN 21.004 or later
MicroLogix 1400 1766-Lxxx Series A
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
#4j: Setting fault bits in function file causes DoS MicroLogix 1400 1766-Lxxx Series B or C
  • Set keyswitch to Hard Run to block any unauthorized changes
  • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
MicroLogix 1400 1766-Lxxx Series A
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
#4k: Reading Master Password MicroLogix 1400 1766-Lxxx Series B or C
  • Apply FRN 21.002 or later
MicroLogix 1400 1766-Lxxx Series A
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
#4l: Reading Master Ladder Logic MicroLogix 1400 1766-Lxxx Series B or C
  • Apply FRN 21.004 or later, then set the keyswitch to Hard Run to block any unauthorized changes
  • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
MicroLogix 1400 1766-Lxxx Series A
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Migrate to MicroLogix 1400 Series B or C
  • See NOTE for migration information
#5: File-Write in Memory Module MicroLogix 1400 1766-Lxxx Series B or C
  • Set keyswitch to Hard Run to block any unauthorized changes
  • Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
MicroLogix 1400 1766-Lxxx Series A
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
MicroLogix 1100 1763-Lxxx All Series
  • Set keyswitch to Hard Run to block any unauthorized changes
  • See NOTE for migration information
#6: Communications Loss MicroLogix 1400 1766-Lxxx Series B or C
  • Functions as intended
MicroLogix 1400 1766-Lxxx Series A
  • Functions as intended
MicroLogix 1100 1763-Lxxx All Series
  • Functions as intended


Note: In addition, customers using affected versions of MicroLogix 1100 or MicroLogix 1400 Series A are urged to contact their local distributor or Sales Office in order to upgrade their devices to a newer product line.

  1. Cisco Talos has created the following Snort rules (SIDs): 44424, 44425, 44426, 44427, 44428, and 44429 to detect exploits utilizing these vulnerabilities, which can be used on Stratix 5950 Security Appliances positioned appropriately within your network architecture to provide enhanced visibility. The Snort rules (SIDs) are not in the standard curated rule sets and must be enabled manually.
  2. If not using external communications, block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to specific ports using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® Products, see Knowledgebase Article ID 898270.
  3. Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. See 496391 - Blocking SNMP for more information on blocking access to SNMP services.

GENERAL SECURITY GUIDELINES

  1. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  2. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  3. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
28-Mar-2018 1.0 Initial Release

KCS Status

Released

High
PN1010 | PN1010 | MicroLogix 1400 Modbus TCP Buffer Overflow Denial of Service
Published Date:
December 22, 2017
Last Updated:
December 22, 2017
Products:
MicroLogix 1400
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

MicroLogix 1400 Modbus TCP Buffer Overflow Denial of Service

Description

Version 1.0 -December 22, 2017

Thiago Alves, from the Center for Cybersecurity Researcher and Education at the University of Alabama, Huntsville contacted Rockwell Automation with a report detailing a potential vulnerability in the MicroLogix™ controller family that, if successfully exploited, could cause the controller to become unresponsive to Modbus TCP communications, and could potentially cause the controller to fault. Rockwell Automation has determined that several versions of the MicroLogix™ 1400 controller are affected by this vulnerability.

MicroLogix™ is a family of Programmable Logic Controllers ("PLC") used to control processes across several sectors, including Food and Agriculture; Critical Infrastructure; as well as Water and Wastewater Systems.

Customers using affected versions of this device are encouraged to evaluate the details of the vulnerability below as it applies to their specific device implementation, as well as to implement any applicable mitigations to their deployed products. Additional details relating to the vulnerability are provided herein.

AFFECTED PRODUCTS

MicroLogix 1400 Controllers, Series B and C
Versions 21.002 and earlier

This includes the following catalogs:

  • 1766-L32AWA
  • 1766-L32AWAA
  • 1766-L32BWA
  • 1766-L32BWAA
  • 1766-L32BXB
  • 1766-L32BXBA

VULNERABILITY DETAILS

A remote, unauthenticated attacker could send especially crafted Modbus TCP packets to the affected device in order to exploit a buffer overflow condition. The Modbus buffer is not deallocated when a packet exceeds a specific length. Repeated sending of Modbus TCP data can cause a denial of service to the Modbus functionality, and potentially cause the controller to fault.

Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED ACTIONS

Customers using affected versions of the MicroLogix™ 1400 PLCs are encouraged to update to the newest available firmware versions that address associated risks and include added improvements to further help harden the device and enhance its resilience against similar malicious attacks.

  1. Update supported products based on this table:
Product Family Catalog Numbers Hardware Series Suggested Actions
MicroLogix 1400 1766-L32AWA
1766-L32AWAA
1766-L32BWA
1766-L32BWAA
1766-L32BXB
1766-L32BXBA
 Series B or C

- Apply FRN 21.003 (Downloads)

- Apply the any additional mitigations below.

  1. All users, if applicable, may disable Modbus TCP support if it is not necessary for their MicroLogix™ 1400 implementation. Without Modbus TCP enabled, a potential attacker does not have access to exploit the device using this vulnerability.

GENERAL SECURITY GUIDELINES

  1. Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
  2. Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to specific ports using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® Products, see Knowledgebase Article ID 898270.
  3. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  4. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  5. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
22-Dec-2017 1.0 Initial Release

KCS Status

Released

High
PN1000 | PN1000 | FactoryTalk Alarms and Events Historian Denial of Service
Published Date:
December 07, 2017
Last Updated:
December 07, 2017
CVE IDs:
CVE-2017-14022
Products:
FactoryTalk Services Platform, FactoryTalk View SE, Logix Designer
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

FactoryTalk Alarms and Events Historian Denial of Service

Description

Version 1.1 - December 7, 2017
Version 1.0 - November 1, 2017

A vulnerability exists in FactoryTalk® Alarms and Events (FTAE) that, if successfully exploited, can cause a Denial of Service condition to the historian service within FTAE. FactoryTalk Alarms and Events is used to provide a common, consistent view of alarms and events through a FactoryTalk View SE HMI system and is used across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.

Customers using affected versions of this product are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

FactoryTalk Alarms and Events v2.90 and earlier.

Factory Talk Alarms & Events is a component of the FactoryTalk Services platform. Customers using FTAE-based alarms in FactoryTalk View SE or Logix-based alarms in ControlLogix / CompactLogix processors will be impacted. FactoryTalk Alarms & Events is installed by several products:

  • FactoryTalk Services (RSLinx® Enterprise), all versions
  • FactoryTalk View SE, version 5.00 and later
  • Studio 5000 Logix Designer®, version 24 and later

Affected customers may consult the Risk Mitigation section of this advisory for information on how to address the issue.

VULNERABILITY DETAILS

An unauthenticated attacker with remote access to a network with FactoryTalk Alarms and Events can send a specially crafted set of packets to port TCP/403 (the history archiver service), causing the service to either stall or terminate.

The history archiver service of FactoryTalk Alarms and Events is used to archive alarms and events to a Microsoft SQL Server database. Disrupting this capability can result in a loss of information, the criticality of which depends on the type of environment that the product is used in. The service must be restarted in order to restore operation.

CVE-2017-14022 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected software are encouraged to update to an available revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.


  1. Product Family Version In Use Suggested Actions
    Factory Talk Alarms and Events V2.90

    - Implement the V2.90 patch (instructions)

    - Disable TCP port 403. See item #2 below for details.
    Factory Talk Alarms and Events V2.81 and earlier

    - Update to FTAE V2.90 from PCDC (instructions) then implement the V2.90 patch (instructions)

    - Disable TCP port 403. See item #2 below for details.

  2. FactoryTalk Alarm and Event history is logged using the Rockwell Alarm Historian service using port 403, and writes alarms and events to the user-configured SQL Server database. If the Rockwell Automation Alarm Historian service is on the same machine as the Rockwell Alarm Event service, then port 403 can be blocked remotely as the historical information is being logged to the local host rather than a remote host. Any other machine in the system that does not have the Rockwell Alarm Historian service on the same machine as the Rockwell Alarm Event service will require access to port 403.

    Note: FactoryTalk View SE clients using the Alarm and Event Log Viewer to view FactoryTalk Alarm and Event history do not require port 403 and can thus be blocked.

GENERAL SECURITY GUIDELINES

  1. Block all traffic to EtherNet/IP™ or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management (UTM) devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270
  2. Use trusted software, software patches, and anti-virus/anti-malware programs, and interact only with trusted web sites and attachments.
  3. Minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet
  4. Locate control system networks and devices behind firewalls, and isolate them from the enterprise network
  5. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices they are installed in.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
07-December 2017 1.1 Updated with CVE #
01-November 2017 1.0 Initial Release

KCS Status

Released

Medium
PN1003 | PN1003 | Stratix 5100 Wireless Access Point/Workgroup Bridge affected by Key Reinstallation Attacks (KRACK) research paper
Published Date:
November 06, 2017
Last Updated:
November 06, 2017
CVE IDs:
CVE-2017-13082
Products:
Stratix 5100 WAP/Workgroup Bridge
CVSS Scores:
6.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Stratix 5100 Wireless Access Point/Workgroup Bridge affected by Key Reinstallation Attacks (KRACK) research paper

Description

Version 1.1 - November 6, 2017
Version 1.0 - October 23, 2017

On October 16, 2017, Mathy Vanhoef of the University of Leuven released a research paper detailing several vulnerabilities in the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) protocols. Rockwell Automation, along with Cisco Systems, Inc. ("Cisco"), have determined that all versions of the Allen-Bradley® Stratix® 5100 Wireless Access Point/Workgroup Bridge ("Stratix 5100 WAP/WGB") are affected by one of these ten vulnerabilities when the device has been configured with a specific non-default configuration. This vulnerability can be exploited by a Key Reinstallation Attack (KRACK), in which a malicious actor tricks the victim into reinstalling a key that is already in-use. A successful attack may allow the attacker to operate as a "man-in-the-middle" between the device and the wireless network. This could then be leveraged to manipulate the data stream, remove TLS/SSL and/or grab credentials and confidential information in transmission.

The Stratix 5100 wireless access point provides an 802.11 compliant Wi-Fi implementation that wirelessly connects client devices to an Ethernet based network. The vulnerabilities are solely exploitable in close proximity to a device that is actively joining to a previously joined wireless network.

Customers using this device are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the vulnerability are provided herein.

AFFECTED PRODUCTS

Stratix 5100 Wireless Access Point/ Workgroup Bridge
Version 15.3(3)JC1 and earlier

This includes the following catalogs:

  • 1783-WAPAK9
  • 1783-WAPBK9
  • 1783-WAPCK9
  • 1783-WAPEK9
  • 1783-WAPNK9
  • 1783-WAPTK9
  • 1783-WAPZK9

VULNERABILITY DETAILS

Key Reinstallation Attacks ("KRACK") work against the four-way handshake of the WPA2 protocol. KRACK takes advantage of the retransmission of a handshake message to prompt the installation of the same encryption key every time it receives message 3 from the Access Point ("AP"). Retransmission of the handshake message from the AP occurs if a proper client acknowledgement is not received to the initial message; retransmission resets the nonce value and replay counter to their initial values. A malicious actor could force these nonce resets by replaying the appropriate handshake message, which could allow for injection and decryption of arbitrary packets, hijacking of TCP connections, injection of HTTP content, or replaying of unicast or multicast data frames on the targeted device.

CVE-2017-13082 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 6.9/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

The original public security advisory issued by Cisco is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

The report by US-CERT is available at the following link: https://www.kb.cert.org/vuls/id/228519

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Rockwell Automation recommends that all customers patch the clients that connect to the Stratix 5100 WAP/WGB, and recommends contacting your vendor to get the most updated patch that is compatible with your client devices. However, patching the client only protects the connection formed by that specific client. In order to protect all future clients that may be added to your system, Rockwell Automation recommends patching the Stratix 5100 WAP/WGB when the firmware is available.

UPDATE: NOVEMBER 6, 2017
After further investigation, Rockwell Automation has determined that since the vulnerability affects Stratix 5100 access points with 802.11r enabled, and 802.11r is not fully supported on the Stratix 5100 WAP/WGB, that access-point users are not affected by this vulnerability, and patching the Stratix 5100 WAP/WGB is not required when the device is operating as an access point. To verify that 802.11r is disabled in your device, please refer to this Knowledgebase Article ID 1068007. It is still suggested that users refer to manufacturers of their connected wireless client devices for suggested patch procedures.

Alternatively, a workaround exists for CVE-2017-13082. If you are using a Stratix 5100 in Access Point ("AP") mode (and not in Workgroup Bridge mode ("WGB") and you have enabled 802.11r fast roaming, it is recommended that the 802.11r fast roaming function should be disabled. In order to disable 802.11r, do one of the following:

  • Open the Command Line Interface (CLI) and issue the following commands with administrative privileges:

Command

Purpose

configure terminal

Enters Global Configuration Mode

interface Dot11Radio0

Enters Radio0 (2.4GHz) Configuration

no dot11 dot11r

Executes command to disable 802.11r

Interface Dot11Radio1

Enters Radio1 (5GHz) Configuration

no dot11 dot11r

Executes command to disable 802.11r

end

Exits to privileged EXEC mode

write

Writes configuration to Non-volatile memory


  • In the web interface, Navigate to the "Network" tab, select "Network Interface", then "Radio0-802.11n 2G.hz", "Settings", and verify the disable radio button next to "11r Configuration" is selected. Repeat these steps with "Radio0-802.11n 5G.hz"

NOTE: Disabling 802.11r could have a negative impact on the performance and availability of a customer’s system. Customers are encouraged to evaluate the impact to specific environments before performing this workaround

GENERAL SECURITY GUIDELINES

  1. Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
  2. Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
  3. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet
  4. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  5. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
06-Nov-2017 1.1 Update about affected feature.
23-Oct-2017 1.0 Initial release.

KCS Status

Released

Critical
PN962 | PN962 | Stratix CMP Remote Code Execution Vulnerability
Published Date:
November 02, 2017
Last Updated:
November 02, 2017
CVE IDs:
CVE-2017-3881
Products:
Stratix 8300 L3 Modular Managed Switch, Stratix 8000 Modular Managed Switch, Stratix 5700 Managed Switch, Stratix 5410 Ind Distribution Switch, Stratix 5400 Industrial Ethernet Switch, ArmorStratix 5700 Managed Switch
CVSS Scores:
9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Stratix CMP Remote Code Execution Vulnerability

Description

Version 1.1 - November 2, 2017
Version 1.0 - March 23, 2017

Cisco Systems, Inc. ("Cisco") has reported that a vulnerability exists in the Cisco Cluster Management Protocol ("CMP") processing code in the Cisco IOS and Cisco IOS XE software. Allen-Bradley® Stratix® and ArmorStratix™ products contain affected versions of the Cisco IOS and IOS XE software. The Stratix product line contains Industrial Ethernet and/or Distribution switches for real-time control and information sharing on a common network infrastructure.

This vulnerability is remotely exploitable and can allow attackers to affect the availability of the vulnerable devices, and potentially even allow an attacker to execute arbitrary code and obtain full control of the device.

Customers using affected versions of this product are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

All Versions 15.2(5)EA.fc4 and earlier

  • Allen-Bradley Stratix 5400 Industrial Ethernet Switches
  • Allen-Bradley Stratix 5410 Industrial Distribution Switches
  • Allen-Bradley Stratix 5700 and ArmorStratix™ 5700 Industrial Managed Ethernet Switches
  • Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches

All Versions 15.2(4a)EA5 and earlier

  • Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches

VULNERABILITY DETAILS

The Cluster Management Protocol uses Telnet to internally signal and send commands. A remote, unauthorized attacker could send malformed CMP-specific Telnet messages to try and establish a Telnet session with one of the affected products. Incorrect processing of these messages can cause the device to reload, or, in certain cases, allow the attacker to execute arbitrary code with elevated privileges on the device. If a customer has Telnet disabled, the attack vector is eliminated. Currently, no publicly available exploit code exists for this vulnerability.

The original product security advisory issued by Cisco is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp

CVE-2017-3881 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

UPDATE: NOVEMBER 02, 2017
Rockwell Automation has released a new version of firmware that addresses this vulnerability in several affected devices. Please see the table below for more details.

Rockwell Automation recommends customers using affected products to consult the suggestions below and, when possible, employ multiple strategies to mitigate their risk.

Product Family Catalog Numbers Affected Version Suggested Actions
Stratix 8300 1783-RMS 15.2(4)EA and earlier - See Risk Mitigations below
Stratix 8000 1783-MS 15.2(5)EA.fc4 and earlier - Update to 15.2(6)E0a or later (Download)
- In addition, see Risk Mitigations below
Stratix 5400 1783-HMS 15.2(5)EA.fc4 and earlier - Update to 15.2(6)E0a or later (Download)
- In addition, see Risk Mitigations below
Stratix 5410 1783-IMS 15.2(5)EA.fc4 and earlier - Update to 15.2(6)E0a or later (Download)
- In addition, see Risk Mitigations below
Stratix 5700 1783-BMS 15.2(5)EA.fc4 and earlier - Update to 15.2(6)E0a or later (Download)
- In addition, see Risk Mitigations below
ArmorStratix 5700 1783-ZMS 15.2(5)EA.fc4 and earlier - Update to 15.2(6)E0a or later (Download)
- In addition, see Risk Mitigations below
  1. Disabling the Telnet protocol as an allowed protocol for incoming connections on affected devices diminishes the network-based vector of attack. For information on how to disable Telnet via Command Line Interface, please see Knowledgebase Article ID 1040270.
  2. If a customer is unable or unwilling to disable Telnet, then implementing infrastructure access control lists (iACLs) can reduce the attack service. For information on how to implement iACLs, please see Knowledgebase Article ID 1040270.
  3. Cisco Talos, Cisco’s threat intelligence organization, has created two Snort rules (SIDs): 41909 and 41910 to detect exploits utilizing this vulnerability, which can be used on Stratix 5950 Security Appliances positioned appropriately within your network architecture to provide enhanced visibility. The Snort rules (SIDs) are enabled following curated rule sets - "Balanced Security and Connectivity", "Connectivity over Security, and "Secure over connectivity.

GENERAL SECURITY GUIDELINES

  1. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  2. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  3. Utilize proper network infrastructure controls, such as firewalls. As an extension to this approach, the Allen-Bradley® Stratix 5950 Industrial Network Security Appliance, which comprises Intrusion Prevention and Detection (IDS/IPS) services, and Deep Packet Inspection (DPI) of the Common Industrial Protocol (CIP), Rockwell Automation can now offer customers an intrusion detection system to provide visibility, in real-time, if a vulnerability is being exploited. The Stratix 5950 contains a rules engine called FirePOWER which can process rules created by Cisco TALOS for a variety of known security issues. Once configured with rules, the FirePOWER engine inspects the contents of every packet, looking for datapoints that correspond to one or more rules. Packets that have these signatures can be either logged (IDS) or blocked (IPS).

For further information on Rockwell Automation’s Vulnerability Handling process, please refer to our FAQs document: http://literature.rockwellautomation.com/idc/groups/literature/documents/lm/secur-lm003_-en-p.pdf.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory with the Rockwell Automation Security Advisory Index at https:rockwellautomation.custhelp.comapp/answers/detail/a_id/54102, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
02-NOVEMBER-2017 1.1 Patched FW Release
24-MARCH-2017 1.0 Initial Release

KCS Status

Released

High
PN991 | PN991 | Stratix SNMP Packet Remote Code Execution Vulnerabilities
Published Date:
November 02, 2017
Last Updated:
November 02, 2017
CVE IDs:
CVE-2017-6741, CVE-2017-6744, CVE-2017-6743, CVE-2017-6740, CVE-2017-6738, CVE-2017-6737, CVE-2017-6742, CVE-2017-6739, CVE-2017-6736
Products:
Stratix 8300 L3 Modular Managed Switch, Stratix 8000 Modular Managed Switch, Stratix 5700 Managed Switch, Stratix 5400 Industrial Ethernet Switch, Stratix 5900 Services Router, Stratix 5410 Ind Distribution Switch
CVSS Scores:
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Stratix SNMP Packet Remote Code Execution Vulnerabilities

Description

Version 1.1 - November 2, 2017
Version 1.0 - July 27, 2017

Cisco Systems, Inc. ("Cisco") has reported that multiple vulnerabilities exist in the Simple Network Management Protocol ("SNMP") subsystem of Cisco IOS and IOS XE software that, if successfully exploited, can allow an authenticated, remote attacker to execute code on an affected device or cause an affected device to crash and reload. Allen-Bradley® Stratix® and ArmorStratix™ Industrial Ethernet switch products and the Stratix 5900 Services Router contain affected versions of the Cisco IOS and IOS XE software. The Stratix product line contains Industrial Ethernet switches for real-time control and information sharing on a common network infrastructure.

According to Cisco, these vulnerabilities are remotely exploitable and can allow attackers to affect the availability of the vulnerable devices, and potentially even allow an attacker to execute arbitrary code and obtain full control of the device.

UPDATE: NOVEMBER 2, 2017
Rockwell Automation has released a new version of firmware that addresses this vulnerability in several affected devices. Please see the table below for more details.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

For support on how to determine which version of Stratix firmware is on your device, please see Knowledgebase Article ID 55484.

All Versions 15.2(5)EA.fc4 and earlier
• Allen-Bradley Stratix 5400 Industrial Ethernet Switches
• Allen-Bradley Stratix 5410 Industrial Distribution Switches
• Allen-Bradley Stratix 5700 and ArmorStratix™ 5700 Industrial Managed Ethernet Switches
• Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches

All Versions 15.2(4)EA and earlier
• Stratix 8300 Modular Managed Ethernet Switches

All Versions 15.6(3)M1 and earlier
• Allen-Bradley Stratix 5900 Services Router

VULNERABILITY DETAILS

Multiple vulnerabilities exist in the SNMP subsystem of Cisco IOS and IOS XE software that could allow an authenticated, remote attacker to execute code on an affected system or cause an affected system to reload by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.

The vulnerabilities affect all versions of SNMP. To exploit these vulnerabilities via SNMP version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities in SNMP version 3, the attacker must authenticate their identity with user credentials for the affected system.

CVE ID #

Headline
linked to Cisco Advisory

 CVSS v3 Score and Vector String **
** for a better understanding of how this score was generated, please follow the link to first.org
CVE-2017-6736 SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software 8.8/10 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2017-6737
CVE-2017-6738
CVE-2017-6739
CVE-2017-6740
CVE-2017-6741
CVE-2017-6742
CVE-2017-6743
CVE-2017-6744

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Rockwell Automation will update this advisory as new versions of firmware are released that remediate this vulnerability. Until then, Rockwell Automation recommends that customers using affected products consult the suggestions below and employ multiple strategies to mitigate their risk when possible.

Product Family Catalog Numbers Affected Versions Suggested Actions
Stratix 8300 1783-RMS 15.2(4)EA and earlier - Update to v15.2(4a)EA5 or later (Download)
Stratix 5900 1783-SRKIT V15.6.3 and earlier - See Risk Mitigations below
Stratix 8000 1783-MS 15.2(5)EA.fc4 and earlier - Update to 15.2(6)E0a or later (Download)
- In addition, see Risk Mitigations below
Stratix 5400 1783-HMS 15.2(5)EA.fc4 and earlier - Update to 15.2(6)E0a or later (Download)
- In addition, see Risk Mitigations below
Stratix 5410 1783-IMS 15.2(5)EA.fc4 and earlier - Update to 15.2(6)E0a or later (Download)
- In addition, see Risk Mitigations below
Stratix 5700 1783-BMS 15.2(5)EA.fc4 and earlier - Update to 15.2(6)E0a or later (Download)
- In addition, see Risk Mitigations below
ArmorStratix 5700 1783-ZMS 15.2(5)EA.fc4 and earlier - Update to 15.2(6)E0a or later (Download)
- In addition, see Risk Mitigations below
  1. Disable the following Management Information Bases (MIBs) on a device, if they are installed/active on your Stratix device:
    Stratix 8000, 8300, 5700, 5400, 5410
    CISCO-MAC-AUTH-BYPASS-MIB
    Stratix 5900
    ADSL-LINE-MIB
    CISCO-ADSL-DMT-LINE-MIB
    CISCO-BSTUN-MIB
    CISCO-MAC-AUTH-BYPASS-MIB
    CISCO-VOICE-DNIS-MIB

    Details on how to use the Command Line Interface to disable or limit access to SNMP or individual MIBs can be found at Knowledgebase Article ID 1055391.
    Note: Your Stratix device may not have all of the MIBs installed/active.
  2. If SNMP is required, use strong SNMP v3 credentials since this attack requires authentication.
  3. Cisco Talos, Cisco’s threat intelligence organization, has created the following Snort rules (SIDs): 43424, 43425, 43426, 43427, 43428, 43429, 43430, 43431, 43432 to detect exploits utilizing this vulnerability, which can be used on Stratix 5950 Security Appliances positioned appropriately within your network architecture to provide enhanced visibility. The Snort rules (SIDs) are enabled following curated rule sets - "Balanced Security and Connectivity", "Connectivity over Security, and "Secure over connectivity.
  4. Use proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. Firewalls will not block requests from compromised, but authorized sources.

GENERAL SECURITY GUIDELINES

  1. If available, use product-specific features, such as a keyswitch setting, to block unauthorized changes, etc. Consult the product documentation for the availability and usage of these features.
  2. Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
  3. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  4. Locate control system networks and devices behind firewalls, and isolate them from the enterprise network.
  5. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date Version Details
02-Nov-2017 1.1 Updated Firmware Available
27-Jul-2017 1.0 Initial Release

KCS Status

Released

High
PN958 | PN958 | FactoryTalk Activation Unquoted Service Path Privilege Escalation
Published Date:
August 24, 2017
Last Updated:
August 24, 2017
Products:
FactoryTalk Activation
CVSS Scores:
8.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

FactoryTalk Activation Unquoted Service Path Privilege Escalation

Description

Version 1.2 - August 24, 2017
Version 1.1 - March 21, 2017
Version 1.0 - February 16, 2017

Update: March 21, 2017
A complete list of the software products that distribute versions of FactoryTalk® Activation Manager has been identified and listed under the affected products below. FactoryTalk Activation is a component of the FactoryTalk Services Platform that enables customers to activate and manage Rockwell Automation software products via activation files that are downloaded from the Internet.

In those instances where customers using one of the listed software products are unable to update to the latest version of FactoryTalk Activation, please refer to the KnowledgeBase Article ID 939382 to verify and patch any unquoted service paths in a specific system.

An unquoted service path privilege escalation vulnerability is a known and documented vulnerability that affects all versions of Windows that support spaces in file path names. Certain versions of FactoryTalk® Activation Manager are susceptible to this vulnerability. FactoryTalk Activation is a component of the FactoryTalk Services Platform that enables customers to activate and manage Rockwell Automation software products via activation files that are downloaded from the Internet. This vulnerability can be exploited to link to, or run, a malicious executable of the attacker’s choosing.

Rockwell Automation has provided a software update containing the remediation for this vulnerability. Rockwell Automation has also provided a series of steps to allow customers to mitigate this vulnerability in previously downloaded versions. Further details about this vulnerability, as well as recommended countermeasures, are contained below.

AFFECTED PRODUCTS
FactoryTalk Activation Service v4.00.02 and earlier

Update: March 21, 2017
The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. All versions prior to, and including, v4.00.02 of the FactoryTalk Activation Service are affected. In other words, customers who recognize products from the following list are using FactoryTalk Activation Manager, and they may consult the Risk Mitigation section of this advisory for information on how to verify that their systems are affected and how to manually address this vulnerability.

  • Arena®
  • Emonitor®
  • FactoryTalk® AssetCentre
  • FactoryTalk® Batch
  • FactoryTalk® EnergyMetrix™
  • FactoryTalk® eProcedure®
  • FactoryTalk® Gateway
  • FactoryTalk® Historian Site Edition (SE)
  • FactoryTalk® Historian Classic
  • FactoryTalk® Information Server
  • FactoryTalk® Metrics
  • FactoryTalk® Transaction Manager
  • FactoryTalk® VantagePoint®
  • FactoryTalk® View Machine Edition (ME)
  • FactoryTalk® View Site Edition (SE)
  • FactoryTalk® ViewPoint
  • RSFieldBus™
  • RSLinx® Classic
  • RSLogix 500®
  • RSLogix 5000®
  • RSLogix™ 5
  • RSLogix™ Emulate 5000
  • RSNetWorx™
  • RSView®32
  • SoftLogix™ 5800
  • Studio 5000 Architect®
  • Studio 5000 Logix Designer®
  • Studio 5000 View Designer®
  • Studio 5000® Logix Emulate™

VULNERABILITY DETAILS

Successful exploitation of this vulnerability could potentially allow an authorized, but non-privileged, local user to execute arbitrary code with elevated privileges on the system. A well-defined service path enables Windows to easily find the path to a service; this is accomplished by containing the path within quotation marks. Without quotation marks, any whitespace in the file path remains ambiguous, and an attacker could drop a malicious executable if the service path is discovered.

This vulnerability allows an authorized individual with access to a file system to possibly escalate privileges by inserting arbitrary code into the unquoted service path. When the Windows Service Manager starts the service, it will attempt to launch the implanted executable rather than the intended and authentic executable.

A CVSS v3 base score of 8.8 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

RISK MITIGATIONS

Where feasible, precautions and risk mitigation strategies to this type of attack, like those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.

Rockwell Automation recommends upgrading to the latest version of FactoryTalk Activation. To download v4.01 or later, go to this link for PCDC (Product Compatibility & Download Center) and select "Select Files" icon for all Free Downloads. Select latest FactoryTalk Activation from the list of downloads.

Update: August 24, 2017
Customers can consult the Product Compatibility and Download Center Standard Views>Software Latest Versions>FactoryTalk Activation for details about the latest FactoryTalk Activation Manager.

Note: When centralizing FactoryTalk Activation Manager (FTAM) to a single server host, it is important to ensure that the centralized Activation server is running a version of FactoryTalk Activation Manager equal to, or greater than, the latest version of client FTAM on your network. It is important to update the central activation servers before client activation servers. For details visit Knowledgebase Article 612825 Managing Remote FactoryTalk Activation Manager Servers.

If unable to upgrade to the latest version visit KnowledgeBase Article ID 939382, which describes how to identify whether or not your service path contains spaces (i.e. is vulnerable); how to manually address this vulnerability through a registry edit; and walks through the process of doing such edits.

Where feasible, precautions and risk mitigation strategies to this type of attack, like those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.

  1. Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in Knowledgebase Article ID 546987.
  2. Use trusted software, software patches, anti-virus / anti-malware programs, and interact only with trusted web sites and attachments.
  3. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  4. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  5. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  6. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
  7. Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.


Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory, the Rockwell Automation Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter. For further information on our Vulnerability Management process, please refer to our Product Security Vulnerability FAQ document.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation, and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

Product Security Vulnerability FAQ

REVISION HISTORY

Date Version Details
16-FEB-2017 1.0 Initial release
21-MAR-2017 1.1 FTA Concurrent Distribution List
24-AUG-2017 1.2

Compatibility Information

KCS Status

Released

PN1493 | PN1493 | Rockwell Automation Recommended Mitigations for the “Petya” Malware
Published Date:
June 30, 2017
Last Updated:
June 30, 2017
Products:
Third Party, Compliance / Audit Trail / Security, 6181X Hazardous Non-Display, RSBizWare Machine Performance, PLC5/250, ControlPak General, RSWire, PanelView Plus 6 Compact, ProcessPak, Historian Classic, Security Server, Integration Manager, 6200-PLC3, RSLogix Frameworks, SOS, RSLogix 500, AI-5, dsShopLib, Arena, Foundation Server, Shop Operations, RSLibrary Builder, RSBizWare Coordinator, Reporting (form based), AI-Micro, RSView32 WebServer, AI-3, Database, FactoryTalk ViewPoint, RSData OCX, 6186M Performance Monitor, SPC, Admin Tools, RSView32 SPC, FactoryTalk VantagePoint, App Solutions Documentation, 6176M Standard Monitor, Business Objects, 2711T MobileView Tethered, Migration, Master Disk Copy Protection, Studio 5000 View Designer, RSGuardian, RSBizWare Tracker, 650R Non-Display Computers, RSToolPak II, Raise Software, 750R Non-Display Computers, FactoryTalk View SE, Reporting, Interface Manager, PanelView 800, DataDisc, RSLogix 5, Operator Certification, Live Transfer, MaterialTrack, ThinManager, 2711T MobileView Accessories, 6181 Computers, 1450R Non-Display Computers, ControlView, Advisor, Printing, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, LiveData, Agile, 2711P PanelView Plus 7 Performance, Installation, RSLogix Emulate 500, Knowledge Documentation, PBase, RSLogix Emulate 5, RSPower, Entek, Build Utility, Shop Operation, Foundation Client, AI-5/250, AI-500, NCR/CAR/IQA, WINtelligent Recipe, RSView32, 6200-PLC5, FactoryTalk Activation, Purge, FactoryTalk Historian SE, RSEnterprise Controls, WINtelligent Logic 5, WSIntegrate, PID Logistics 500, SoftLogix5800, FactoryTalk VantagePoint EMI, RSMACC, RSPowerTools, RSView32 Messenger, FactoryTalk Linx Gateway, Supplier Manager, RSView32 Active Display, Maintenance Releases, Connected Components Workbench, 100/150 PCD, ComplianceTrack, PanelView Component, RSTools, Portlets, RSBizWare Scheduler, PID Logistics 5, WINtelligent Quality, AI-2, GEMS, ERP Integration Gateway, General Computer, PLC2A and T3, Activities, ETL, Historical Transfer, ECO, Documentation, RSWorkbench, RSTestStand, RS PMX CTM, 6180 Computers with Keypad, RSBizWare Line Performance, Production Management Client, RSLadder, RMA, Data, Thin Client, Logix Designer, DataSite Workbench, FactoryTalk Integrator, AI Emulate 500, RSPower32, Legacy, AI Emulate 5, 2711P PanelView Plus 6 Logic Modules, Administration, 6155 Compact Computers, Production Execution Client, PanelView 5000, 1757 ProcessLogix, WINtelligent View, Installation, JD Edwards, Dashboard, Integrated Architecture Builder (IAB), 6181X Hazardous Integrated Display, PMX, WINtelligent HMI, 6200-5/250, eProcedure, RSView - 16 Bit, RSChart, ActiveX Control, FactoryTalk Metrics, TrendX, Universe Manager, Authentication, FactoryTalk AssetCentre, RSTrend, Knowledge Installation, Sampling Plans, 2711P PanelView Plus 7 Standard, General, RSSidewinderX, Configuration Tool, FactoryTalk Transaction Manager, Consumer Packaged Goods Suite, Studio 5000 Application Code Manager (ACM), Reports (Out-of-box), PlantMetrics, PCO Software (6723), API, FactoryTalk Batch, AI-100/150, FactoryTalk EnergyMetrix, FactoryTalk View ME, SoftLogix5, FactoryTalk Analytics for Machines, Legacy, WINtelligent Trend, Process Designer, RSPocketLogix, Reports (Custom), Other, 6200-PLC2, Automotive Suite , RSMailman, Quality Assurance (6.x), ICAPA, RSLogix Architect / Studio 5000 Architect, Equipment Manager, GUI, FactoryTalk Analytics for Devices, PlantPAx, CtrlContainer, 2711P PanelView Plus 6 400-1500, Complaint Handling, RSToolPak I, Server Configuration, Pavilion, RSData VBX, FactoryTalk Services Platform
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
Version 1.1 - June 29, 2017
Revision History
 Date  Version  Details
 29-Jun-2017  1.1  Title update
 28-Jun-2017  1.0  Initial release
 30-Jun-2017  1.2  Clarified port information with respect to FT Software products

Introduction

On June 27, 2017, a new malware variant named “Petya” (also known as “NotPetya” or “Nyetya”) began affecting Microsoft Windows personal computers (PCs) around the world. NotPetya is a Petya-inspired malware variant and behaves in a manner similar to how the “WannaCry” malware that surfaced in May 2017 did, specifically in that it is a self-propagating "worm" that infects any vulnerable host that has not patched the Windows SMBv1 vulnerability. Microsoft patched this vulnerability, named “MS17-010,” in March 2017.

However, it is worth noting that this malware has some key differences from WannaCry, including how it propagates to other machines and how it attacks the victim’s PC.

As of this writing, there is no known direct impact to Rockwell Automation products from this malware, though all files present on a machine (including files used by Rockwell Automation products) may be encrypted in the event of a successful attack. However, customers who use Rockwell Automation software products may be vulnerable to this attack since most of the Rockwell Automation software products run on Microsoft Windows platforms containing the underlying vulnerability which enables this attack.

Rockwell Automation decided to provide this advisory since customers running Rockwell Automation software on Microsoft Windows may be vulnerable to this attack. Information and links to Microsoft-provided resources are provided below, as well as our qualification report for MS17-010. We are continuing to monitor this situation, and we will update this advisory as we learn more.

Affected Products

According to Microsoft’s MS17-010 Security Bulletin, the following operating systems contain the vulnerability:

  • Windows XP
  • Windows 7
  • Windows 8
  • Windows 10
  • Windows Server 2003
  • Windows Server 2008 R1/R2
  • Windows Server 2012
  • Windows Server 2016

Note: Both 32-bit and 64-bit versions are vulnerable.

Note: At the time of this writing, and according to Microsoft, no versions of Windows CE are affected.

Vulnerability Details

This malware is similar in many ways to the WannaCry malware that surfaced in May 2017, but it also includes different methods for the encryption of files and propagation across the network to infect new machines. Reports suggest that if the Petya malware has administrative privileges, it does not encrypt files individually through a whitelist approach, but instead will encrypt the entire filesystem, rendering the machine completely in-accessible. Industrial control system (“ICS”) specific files, which may not have been specifically included in past whitelists, will now also be encrypted along with any other file on the filesystem.

The initial Petya infection comes from opening an infected file, attached to an email. Once a machine on a victim’s network is infected, Petya utilizes multiple mechanisms to propagate through the victim’s network without any type of user interaction, such as is common with the following social engineering-based attacks:

-     EternalBlue, the same SMB exploit which allowed WannaCry to propagate.
-     Microsoft Windows Management Instrumentation (WMI), using the user’s credentials.
-     Microsoft PSexec tool, using the user’s credentials.

Risk Mitigation & User Action

The risk from EternalBlue can be mitigated by applying updates from MS17-010. The other two attack vectors can be mitigated through blocking ports utilized by those protocols.

Rockwell Automation strongly recommends that customers review the Microsoft MS17-010 Security Bulletin, evaluate the potential risks, and implement a mitigation plan. Microsoft has provided patches for ALL affected operating systems, including XP and 2003. Rockwell Automation suggests that before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to help ensure that there are no unexpected results or side effects.

The Rockwell Automation Microsoft Patch Qualification team has qualified versions of our products on Windows 7 and Windows Server 2008 R2 with MS17-010 installed. For detailed information on versions tested, visit the Rockwell Automation Microsoft Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.

  1. For any supported operating systems, use the “Windows Update” feature to download and apply updates
  2. For unsupported operating systems, download English language security updates directly, these patches could be loaded onto existing Windows Server Update Services (WSUS) servers to ease large-scale deployments:
    o Windows Server 2003 SP2 x64
    o Windows Server 2003 SP2 x86
    o Windows XP SP2 x64
    o Windows XP SP3 x86
    o Windows XP Embedded SP3 x86
    o Windows 8 x86
    o Windows 8 x64
  3. For non-English unsupported operating systems, download localized versions for  Windows XP, Windows 8 or Windows Server 2003: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
  4. Alternatively, Microsoft recommends that you disable the SMB service following these instructions: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
    o     Note: This may prevent file shares from working in some instances.
  5. If possible, restrict SMB and WMI traffic from untrusted enterprise networks (with internet connectivity) outside the IDMZ.
    o     SMB and WMI utilize ports TCP/135, TCP/139, TCP/445, and TCP/1024-1035.
    o Note: Some FactoryTalk software products require port TCP/135 in order to function properly. Consult Knowledgebase Article 898270 for information on port usage by Rockwell Automation products.
  6. Establish and execute a proper backup and disaster recovery plan for your organization's assets.

The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 7 and Windows Server 2008 R2 SP1.

However, the Rockwell Automation Microsoft Patch Qualification team has NOT qualified versions of our products with MS17-010 installed on Microsoft operating systems that are End of Life.  We consider this patch to be a relatively 'low risk' in impacting Rockwell Automation products and should be applied at your discretion.

Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, subscribing to Knowledgebase Article 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring MS17-010. Be aware that the attack strategies can change as defenses are built up, and further action may be required.

General Security Guidelines

  1. Refer to Knowledgebase Article 546987 for Rockwell Automation recommended customer hardening guidelines, including information about compatibility between antivirus software and Rockwell Automation products. For a list of Rockwell Automation tested antivirus software, refer to Knowledgebase Article 35330.
  2. Use of Microsoft AppLocker® or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
  3. Run all software as User, not as Administrator.
  4. Use trusted software and software patches that are obtained only from highly reputable sources.
  5. Employ training and awareness programs to educate users on the warning signs of
    a phishing or social engineering attack.
  6. Locate control system networks and devices behind firewalls, and isolate them from the business network, helping to make sure that messages with mismatched IP and interface origination do not reach the target system.
  7. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  8. When remote access is required, use secure methods, such as Virtual Private Networks (“VPNs”), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

Attachments
Migration Attachment

PN1492 | PN1492 | Rockwell Automation Recommended Mitigations For “WannaCry” Ransomware
Published Date:
May 18, 2017
Last Updated:
May 18, 2017
Products:
Third Party, Compliance / Audit Trail / Security, 6181X Hazardous Non-Display, RSBizWare Machine Performance, PLC5/250, ControlPak General, RSWire, ProcessPak, Historian Classic, Security Server, Integration Manager, 6200-PLC3, RSLogix Frameworks, SOS, RSLogix 500, AI-5, dsShopLib, Arena, Foundation Server, Shop Operations, RSLibrary Builder, RSBizWare Coordinator, Reporting (form based), AI-Micro, RSView32 WebServer, AI-3, Database, FactoryTalk ViewPoint, RSData OCX, SPC, Admin Tools, RSView32 SPC, FactoryTalk VantagePoint, App Solutions Documentation, Business Objects, Migration, Master Disk Copy Protection, Studio 5000 View Designer, RSGuardian, RSBizWare Tracker, 650R Non-Display Computers, RSToolPak II, Raise Software, 750R Non-Display Computers, FactoryTalk View SE, Reporting, Interface Manager, DataDisc, MaterialTrack, RSLogix 5, Operator Certification, Live Transfer, ThinManager, 6181 Computers, 1450R Non-Display Computers, Advisor, ControlView, Printing, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, LiveData, Agile, Installation, RSLogix Emulate 500, PBase, Knowledge Documentation, RSLogix Emulate 5, RSPower, Entek, Build Utility, Shop Operation, Foundation Client, AI-5/250, AI-500, NCR/CAR/IQA, WINtelligent Recipe, RSView32, 6200-PLC5, FactoryTalk Activation, Purge, FactoryTalk Historian SE, RSEnterprise Controls, WINtelligent Logic 5, WSIntegrate, RSPowerTools, SoftLogix5800, FactoryTalk VantagePoint EMI, RSMACC, PID Logistics 500, RSView32 Messenger, FactoryTalk Linx Gateway, Supplier Manager, RSView32 Active Display, Maintenance Releases, Connected Components Workbench, 100/150 PCD, ComplianceTrack, RSTools, Portlets, RSBizWare Scheduler, PID Logistics 5, WINtelligent Quality, AI-2, GEMS, Documentation, PLC2A and T3, General Computer, Activities, ETL, Historical Transfer, ECO, ERP Integration Gateway, RS PMX CTM, RSTestStand, RSWorkbench, 6180 Computers with Keypad, RSBizWare Line Performance, Production Management Client, RSLadder, RMA, Data, Thin Client, DataSite Workbench, Logix Designer, FactoryTalk Integrator, AI Emulate 500, RSPower32, Legacy, AI Emulate 5, Administration, 6155 Compact Computers, Production Execution Client, 1757 ProcessLogix, WINtelligent View, Installation, JD Edwards, Dashboard, 6181X Hazardous Integrated Display, Integrated Architecture Builder (IAB), WINtelligent HMI, PMX, 6200-5/250, eProcedure, RSView - 16 Bit, ActiveX Control, FactoryTalk Metrics, RSChart, TrendX, Universe Manager, Authentication, FactoryTalk AssetCentre, RSTrend, Knowledge Installation, Sampling Plans, General, RSSidewinderX, Configuration Tool, FactoryTalk Transaction Manager, Consumer Packaged Goods Suite, Studio 5000 Application Code Manager (ACM), AI-100/150, PlantMetrics, API, FactoryTalk Batch, PCO Software (6723), Reports (Out-of-box), FactoryTalk EnergyMetrix, FactoryTalk View ME, SoftLogix5, FactoryTalk Analytics for Machines, Legacy, Process Designer, WINtelligent Trend, RSPocketLogix, Reports (Custom), Other, 6200-PLC2, Automotive Suite , RSMailman, Quality Assurance (6.x), ICAPA, RSLogix Architect / Studio 5000 Architect, Equipment Manager, GUI, FactoryTalk Analytics for Devices, PlantPAx, CtrlContainer, Complaint Handling, RSToolPak I, Server Configuration, Pavilion, RSData VBX, FactoryTalk Services Platform
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision History

Version 1.1 - May 18, 2017

Introduction

On May 10, 2017, a new ransomware attack called "WannaCry" (also known as "WannaCrypt"), began affecting Microsoft Windows personal computers ("PCs") around the world. The ransomware is a self-propagating "worm" that infects any vulnerable host that has not patched the SMBv1 Windows vulnerability. This vulnerability was patched in March 2017 by Microsoft and has been named "MS17-010", which is included in the monthly Microsoft roll-ups: "MS17-006".

Unlike previous ransomware variants that require social engineering ("phishing"), WannaCry takes advantage of a publicly known vulnerability in Microsoft Windows, which allows it to spread quickly throughout a network and infect additional hosts with no user interaction.

As of this writing, there is no known direct impact to Rockwell Automation products from this ransomware. However, customers who use Rockwell Automation software products may be vulnerable to this attack since this software runs on Microsoft Windows platforms containing the underlying vulnerability which enables this attack.

Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary payment in order to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications. Typically, the user must pay a ransom (in some form of untraceable currency), and must do so before the deadline expires and the decryption key is destroyed.

Rockwell Automation decided to provide this advisory since customers running Rockwell Automation software on Microsoft Windows are likely vulnerable to this attack. Information and links to Microsoft-provided resources are provided below, as well as our qualification report for MS17-010. We are continuing to monitor this situation, and we will update this advisory as we learn more.

Affected Products

According to Microsoft's MS17-010 Security Bulletin, the following operating systems contain the vulnerability:

  • Windows XP
  • Windows 7
  • Windows 8
  • Windows 10
  • Windows Server 2003
  • Windows Server 2008 R1/R2
  • Windows Server 2012
  • Windows Server 2016

Note: Both 32-bit and 64-bit versions are vulnerable.

At the time of this writing, and according to Microsoft, no versions of Windows CE are affected by these vulnerabilities."

Vulnerability Details

According to Microsoft's MS17-010 Security Bulletin:

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

Risk Mitigation & User Action

Rockwell Automation strongly recommends that customers review the Microsoft MS17-010 Security Bulletin, evaluate the risks, and implement a mitigation plan. Microsoft has provided patches for ALL affected operating systems, including XP and 2003. Rockwell Automation suggests that before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to ensure that there are no unexpected results or side effects.

The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 8.1, Windows 7 SP1, and Windows Server 2008 R2 SP1.  For detailed information on versions tested, visit the Rockwell Automation MS Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.

1.) For any supported operating systems, utilize the "Windows Update" feature to download and apply updates.

2.) For unsupported operating systems, download English language security updates directly:

Windows Server 2003 SP2 x64

Windows Server 2003 SP2 x86

Windows XP SP2 x64

Windows XP SP3 x86

Windows XP Embedded SP3 x86

Windows 8 x86

Windows 8 x64

3.) For non-English unsupported operating systems, download localized versions for Windows XP, Windows 8 or Windows Server 2003: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

4.) Alternatively, Microsoft recommends that you disable the SMB service following these instructions: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

Note: This will prevent file shares from working in some instances.

The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 7 and Windows Server 2008 R2 SP1.

The Rockwell Automation MS Patch Qualification team has not qualified versions of our products with MS17-010 installed on Microsoft operating systems that are End-of-Life. We consider this patch to be a relatively 'low risk' in impacting Rockwell Automation products and should be applied at your discretion.

In addition, Cisco Talos has released IPS/IDS Snort rules to detect and defend against WannaCry. See their blogpost for additional information.

Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, subscribing to Knowledgebase Article 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring MS17-010. Be aware that the attack strategies can change as defenses are built up, and further action may be required.

General Security Guidelines

1.) Refer to Knowledgebase Article 546987 for Rockwell Automation recommended customer hardening guidelines, including information about compatibility between antivirus software and Rockwell Automation products. For a list of Rockwell Automation tested antivirus software, refer to Knowledgebase Article 35330.

2.) Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.

3.) Run all software as User, not as Administrator.

4.) Use trusted software and software patches that are obtained only from highly reputable sources.

5.) Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

6.) Locate control system networks and devices behind firewalls, and isolate them from the business network, helping to make sure that messages with mismatched IP and interface origination do not reach the target system.

7.) Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.

8.) When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

Attachments

Critical
PN946 | PN946 | Stratix® Denial of Service Vulnerabilities
Published Date:
April 26, 2017
Last Updated:
April 26, 2017
CVE IDs:
CVE-2016-6380, CVE-2016-6385, CVE-2016-6382, CVE-2016-6393
Products:
ArmorStratix 5700 Managed Switch, Stratix 8000 Modular Managed Switch, Stratix 5700 Managed Switch, Stratix 5400 Industrial Ethernet Switch, Stratix 5410 Ind Distribution Switch
CVSS Scores:
9.9, 8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Stratix® Denial of Service Vulnerabilities

Description

Version 1.1 - April 26, 2017

UPDATE: April 26, 2017 - Further investigation has confirmed that the Stratix 8300® platform is also affected by these vulnerabilities. Stratix 8300 is a family of modular managed Ethernet switches. Affected versions of Stratix 8300, including mitigations to deploy for affected customers, are provided below.

On September 28, 2016, Cisco released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included ten security advisories detailing eleven vulnerabilities. Contained in these ten advisories are five vulnerabilities that impact the following Allen-Bradley Stratix® and ArmorStratix™ products:

  • 26-APR-2017 Update: Allen-Bradley® Stratix 8300® Modular Managed Ethernet Switches
  • Allen-Bradley® Stratix 5400® Industrial Ethernet Switches
  • Allen-Bradley® Stratix 5410® Industrial Distribution Switches
  • Allen-Bradley® Stratix 5700® Industrial Managed Ethernet Switches
  • Allen-Bradley® Stratix 8000® Modular Managed Ethernet Switches
  • Allen-Bradley® ArmorStratix™ 5700 Industrial Managed Ethernet Switches for extreme environments

These discovered vulnerabilities are remotely exploitable and can allow attackers to affect the availability of the vulnerable modules if an attack is successful. Other attacks exploiting these various vulnerabilities can result in memory exhaustion, module restart, information corruption, and information exposure.

Customers using affected versions of this software are encouraged to review the available mitigation information on updating to the latest software versions that contain remediation. Additional vulnerability-related details, including affected products and recommended mitigations, are provided below.

AFFECTED PRODUCTS

  • 26-APR-2017 Update: Stratix 8300
    Version 15.2(4)EA and earlier
  • Stratix 5400, Stratix 5410, Stratix 5700, Stratix 8000, ArmorStratix 5700
    Version 15.2(4)EA3 and earlier

Updates for all affected products are now available, and linked in the table provided. Stratix product firmware versions not listed above are not affected by these vulnerabilities.

VULNERABILITY DETAILS

Vulnerability #1: AAA Authentication Fail Denial of Service
A vulnerability in the Authentication, Authorization, and Accounting (AAA) service for remote Secure Shell Host (SSH) connections to the device could allow an unauthenticated, remote attacker to cause the vulnerable device to reload.

This vulnerability is a result of an error log message that is shown when a remote SSH connection to the device fails AAA authentication. Upon failure, the remote SSH attacker receives the previously configured banner which can be used to authenticate the targeted device. A successful attack could result in a Denial of Service (DoS) condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-aaados

A Common Vulnerabilities and Exposures ("CVE") ID has been assigned to this vulnerability:
CVE-2016-6393 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerabilities #2 and #3: Software Multicast Routing Denial of Service Vulnerabilities
Two vulnerabilities were discovered in the multicast subsystem of Cisco’s IOS and IOS XE Software, allowing for unauthenticated, remote attackers to create a DoS condition.

The first vulnerability is in the Multicast Source Discovery Protocol (MDSP) that could allow an unauthenticated, remote attacker to cause the affected device to reload. This vulnerability is due to insufficient checking of MSDP Source-Active (SA) messages received from a configured MSDP peer. If an attacker can send traffic to the Internet Protocol version 4 ("IPv4") address of an affected device, a maliciously-crafted packet would trigger the issue. A successful exploit could cause the affected device to restart.

The second vulnerability is due to insufficient checking of packets encapsulated in a Protocol Independent Multicast (PIM) register message. An attacker who is able to send Internet Protocol version 6 ("IPv6") register packets can create a malformed packet to send to a PIM rendezvous point in order to exploit this vulnerability. A successful exploit could cause the affected device to restart.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-msdp

CVE-2016-6382 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #4: DNS Forwarder Denial of Service and Information Corruption
A vulnerability exists in the Domain Name System ("DNS") forwarder functionality in the software that could allow an unauthenticated, remote attacker to cause the device to restart or corrupt the information existing in the device’s local DNS cache, or read part of the process memory.

The vulnerability is due to a flaw in handling crafted DNS response messages. An attacker could utilize this vulnerability by intercepting and crafting a DNS response message to a client DNS query that was forwarded from the affected device to a DNS server. A successful attack could cause the device to reload, which is a DoS, or corrupt the information on the local DNS cache.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns

CVE-2016-6380 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H.

Vulnerability #5: Software Smart Install Memory Leak Denial of Service
A vulnerability in the Smart Install client feature could allow an unauthenticated, remote attacker to cause a memory leak and an eventual DoS condition on the affected device.

This vulnerability is due to incorrect handling of image list parameters. To exploit this vulnerability, an attacker could send crafted Smart Install packets to Transmission Control Protocol ("TCP") port 4786. A successful attack could cause the switch to leak memory and eventually reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi

CVE-2016-6385 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Currently, there is no publicly available exploit code relating to any of these vulnerabilities.

RISK MITIGATIONS

Customers using affected versions of these Stratix products are encouraged to update to the latest available software versions addressing the associated risk, and including improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies specific to these types of attacks are similarly recommended, like those listed below. When possible, multiple strategies should be implemented simultaneously.

  1. Update the affected products per the table below:
    Product Family Affected Versions Updates Available
    Stratix 5400 Industrial Ethernet Switches 15.2(4)EA3 and earlier Apply FRN 15.2(5)EA.fc4 or later (Download)
    Stratix 5410 Industrial Distribution Switches 15.2(4)EA3 and earlier Apply FRN 15.2(5)EA.fc4 or later (Download)
    Stratix 5700 Industrial Managed Ethernet Switches 15.2(4)EA3 and earlier Apply FRN 15.2(5)EA.fc4 or later (Download)
    Stratix 8000 Modular Managed Ethernet Switches 15.2(4)EA3 and earlier Apply FRN 15.2(5)EA.fc4 or later (Download)
    ArmorStratix 5700 Industrial Managed Ethernet Switches 15.2(4)EA3 and earlier Apply FRN 15.2(5)EA.fc4 or later (Download)
    28-APR-2017 Update: Stratix 8300 Module Managed Ethernet Switches All Prior to 15.2(4a)EA5 Apply FRN 15.2(4a) EA5 or later
    (Download)
  2. Cisco has offered workarounds for those vulnerabilities that are applicable. Where possible these can be applied alongside the upgrade in software version (above) to further mitigate risk of exposure.
    Vulnerability Workaround (if available) Other Notes
    #1: AAA
    Authentication DoS    		 The AAA Failed-Login Banner can be removed via the command no aaa authentication fail-message. AAA Failed-Login Banner needs to be configured and SSH used for a remote connection to the device in order to exploit the vulnerability. To check if AAA is configured, use the show running-config include aaa command to check the AAA configuration and verify that it returns output.
    #2 and #3:
    Multicast Routing DoS    		 There are no workarounds for either vulnerability N/A
    #4: DNS Forwarder
    DoS and Info Corruption    		 There are no workarounds that address this vulnerability. N/A
    #5: Software Smart
    Install Memory Leak    		 There are no workarounds other than disabling the Smart Install feature. This can be done on some versions of firmware with the "no vstack" global configuration command. To determine whether a device is configured with the Smart Install client feature, use the command show vstack config. If the output is Role: Client, then this confirms that the feature is enabled on the device.
  3. Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked.
  4. Use trusted software, software patches, antivirus/anti-malware programs and interact only with trusted web sites and attachments.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  7. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  8. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on Rockwell Automation’s Vulnerability Management process, please refer to our FAQs document: http://literature.rockwellautomation.com/idc/groups/literature/documents/lm/secur-lm003_-en-p.pdf.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on the Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory using the Rockwell Automation Security Advisory Index at 54102 - Industrial Security Advisory Index, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date

Version

Details

OCT-2016

1.0

Initial release.

28-APR-2017

1.1

Update to include Stratix 8300 and mitigations


KCS Status

Released

Critical
PN967 | PN967 | MicroLogix Controller v21 Security Updates
Published Date:
April 25, 2017
Last Updated:
April 25, 2017
CVE IDs:
CVE-2017-7902, CVE-2017-7901, CVE-2017-7899, CVE-2017-7898, CVE-2017-7903
Products:
MicroLogix Controller
CVSS Scores:
5.4, 8.1, 3.1, 9.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

MicroLogix Controller v21 Security Updates

Description

Version 1.0 - April 25, 2017

Multiple vulnerabilities exist in certain MicroLogix™ 1100 and 1400 controllers that, if successfully exploited, can allow unauthorized access to the web server, tamper with firmware, or cause a Denial of Service. MicroLogix is a family of Programmable Logic Controllers (PLCs) used to control processes across several sectors, including Food and Agriculture, Critical Infrastructure to Water, and Wastewater Systems. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to help achieve completeness in its risk assessment and mitigation processes.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

MicroLogix 1400 Controllers, Series A and B

  • 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA
    Version 16.00 and earlier.

MicroLogix 1100, Series A and B

  • 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, 1763-L16DWD
    Version 16.00 and earlier.

VULNERABILITY DETAILS


Vulnerability #1: Weak Password Resolution

MicroLogix products use a numeric password that has a small number of maximum characters, making it easier for a user to guess the password. There is no penalty for incorrect passwords, so the attack can be repeated until the victim’s password is identified. Once a controller password is identified, the attacker is able to communicate with the controller and make disruptive changes.

A CVSS v3 base score of 9.8/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-7898 and CVE-2017-7903 have been assigned to this vulnerability.

Vulnerability #2: Firmware Tampering

Series C versions of MicroLogix 1400 firmware (FRN 21.00 and later) are digitally signed, whereas Series A and B are NOT digitally signed. When a new version of firmware is uploaded to the Series C product, the update will only proceed if the firmware’s digital signature is determined to be authentic.

A CVSS v3 base score of 8.1/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability #3: TCP Sequence Prediction Attack

An unauthorized, remote attacker has the potential to send counterfeit packets to a target host by predicting the TCP initial sequence numbers. The attacker may spoof or disrupt TCP connections that could potentially cause a Denial of Service to the target.

A CVSS v3 base score of 5.4/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

CVE-2017-7901 has been assigned to this vulnerability.

Vulnerability #4: Improper Nonce Usage

A vulnerability exists in the HTTP Digest Authentication implementation that could allow an unauthorized, remote attacker to observe a valid HTTP request and replay that request back to the server. The attacker needs to observe an actual HTTP request that they wish to replay back to the server. The impact to this attack is limited to the functions that the web server has exposed.

A CVSS v3 base score of 5.4/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

CVE-2017-7902 has been assigned to this vulnerability.

Vulnerability #5: User Credentials Sent via GET method

Ilya Karpov reported to Rockwell Automation that form values, including user credentials, are sent to the web server via an HTTP GET method, which may also log the credentials in network monitoring tools. An attacker with access to these logs could potentially harvest these passwords, which may further allow the attacker access to the webserver, or other systems that share the same user credentials.

A CVSS v3 base score of 3.1/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

CVE-2017-7899 has been assigned to this vulnerability.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using affected products are encouraged to update to the latest firmware version that addresses the associated risk and includes added improvements to further harden the software and enhance its resilience against similar malicious attacks. If it is not needed for their application, customers should consider disabling the web server to further mitigate these threats.

Customers who are unable to update their software are directed towards risk mitigation strategies provided in this document below. Where feasible, additional precautions and risk mitigation strategies, like those listed below, are similarly recommended. Employ multiple strategies when possible.

Product Family

Catalog Numbers

Vulnerabilities Remediated

Suggested Actions

MicroLogix 1400, Series C

1766-L32AWA
1766-L32AWAA
1766-L32BWA
1766-L32BWAA
1766-L32BXB
1766-L32BXBA

All Vulnerabilities

-If possible, it is recommended to upgrade to Series C, FRN 21 or later which utilizes digitally signed firmware. If unable to upgrade to Series C, it is recommended to combine updating to FRN 21 for Series B along with other risk mitigations described below.

MicroLogix 1400, Series B

1766-L32AWA
1766-L32AWAA
1766-L32BWA
1766-L32BWAA
1766-L32BXB
1766-L32BXBA

Series B, FRN 21.00: Vulnerabilities 1, 3, 4, 5

-Apply FRN 21 or later for Series B, and combine with other risk mitigations (Downloads)
-Disable the web server. See Item #1 below for details
-Apply the additional mitigations below

MicroLogix 1400, Series A

1766-L32AWA
1766-L32AWAA
1766-L32BWA
1766-L32BWAA
1766-L32BXB
1766-L32BXBA

None

-Disable the web server. See item #1 below for details
-Apply the additional mitigations below

MicroLogix 1100

 1763-L16BWA
1763-L16AWA
1763-L16BBB
1763-L16DWD

None

 -Disable the web server. See item #1 below for details
-Apply the additional mitigations below

  1. Disable the web server on the MicroLogix 1100 or the MicroLogix 1400, as it is enabled by default. See 732398 - How to disable the web server in MicroLogix 1100 and 1400 for detailed instructions on disabling the web server.
  2. Set the mode to RUN via LCD soft keyswitch to prohibit any re-enabling of the web server while the keyswitch is in this mode. This also protects against unauthorized firmware upgrades.

GENERAL SECURITY GUIDELINES

  1. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  2. Locate control system networks and devices behind firewalls, and isolate them from the business network, helping to make sure that messages with mismatched IP and interface origination do not reach the target system.
  3. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  4. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date

Version

Details

25-April-2017

1.0

Initial release.

KCS Status

Released

PN965 | PN965 | Stratix 5900 Security Updates
Published Date:
April 04, 2017
Last Updated:
April 04, 2017
CVE IDs:
CVE-2015-1787, CVE-2014-0195, CVE-2014-2109, CVE-2014-3566, CVE-2016-1344, CVE-2015-7702, CVE-2015-7871, CVE-2014-2106, CVE-2015-0207, CVE-2016-6393, CVE-2014-3360, CVE-2014-2112, CVE-2016-6380, CVE-2015-7691, CVE-2015-7692, CVE-2015-7849, CVE-2015-0290, CVE-2014-0224, CVE-2015-7701, CVE-2014-3470, CVE-2014-2113, CVE-2014-2108, CVE-2015-7704, CVE-2016-6415, CVE-2014-2111, CVE-2015-0642, CVE-2015-1798, CVE-2014-0221, CVE-2015-0292, CVE-2015-0293, CVE-2015-7854, CVE-2014-0076, CVE-2015-0646, CVE-2014-3361, CVE-2016-6381, CVE-2016-1409, CVE-2015-7855, CVE-2015-0291, CVE-2015-7850, CVE-2016-6384, CVE-2014-3356, CVE-2014-3354, CVE-2014-3355, CVE-2014-3299, CVE-2015-7848, CVE-2015-0289, CVE-2015-7705, CVE-2015-7703, CVE-2015-7851, CVE-2015-1799, CVE-2016-6382, CVE-2014-3359, CVE-2015-0287, CVE-2010-5298, CVE-2015-7852, CVE-2015-0209, CVE-2015-0288, CVE-2015-0285, CVE-2014-0198, CVE-2015-0643, CVE-2015-7853, CVE-2016-1350
Products:
Stratix 5900 Services Router
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Stratix 5900 Security Updates

Description

Version 1.0 - April 4, 2017

Cisco Systems, Inc. ("Cisco") has reported that several vulnerabilities exist in versions the Stratix® 5900 Services Router software. The Stratix 5900 Services Router is capable of providing bridging, multi-protocol routing, and remote access services in industrial control systems.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS
Stratix 5900, All Versions prior to 15.6.3

VULNERABILITY DETAILS
Rockwell Automation evaluated the vulnerabilities using the Common Vulnerability Scoring System ("CVSS") v3.0.

Security Advisories that Affect this Release

CVE ID #

Headline

(linked to Cisco Advisory)

CVSS v3 Score and Vector String**

(**For a better understanding of how this score was generated, please follow the link to first.org)

CVE-2016-6393

Cisco IOS and IOS XE Software AAA Login Denial of Service Vulnerability

8.1/10 - High
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H

CVE-2016-6380

Cisco IOS and IOS XE Software DNS Forwarder Denial of Service Vulnerability

8.1/10 - High
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H

CVE-2016-6384

Cisco IOS and IOS XE Software H.323 Message Validation Denial of Service Vulnerability

8.6/10 - High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2016-6381

Cisco IOS and IOS XE Software Internet Key Exchange Version 1 Fragmentation Denial of Service Vulnerability

6.8/10 - Medium
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2016-6382

Cisco IOS and IOS XE Software Multicast Routing Denial of Service Vulnerabilities

8.6/10 - High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2016-6415

IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products

8.6/10 - High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVE-2016-1409

Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability

5.8/10 - Medium
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

CVE-2016-1350

Cisco IOS and IOS XE and Cisco Unified Communications Manager Software Session Initiation Protocol Memory Leak Vulnerability

8.6/10 - High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2016-1344

Cisco IOS and IOS XE Software Internet Key Exchange Version 2 Fragmentation Denial of Service Vulnerability

6.8/10 - Medium

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2015-7691

CVE-2015-7692

CVE-2015-7701

CVE-2015-7702

CVE-2015-7703

CVE-2015-7704

CVE-2015-7705

CVE-2015-7848

CVE-2015-7849

CVE-2015-7850

CVE-2015-7851

CVE-2015-7852

CVE-2015-7853

CVE-2015-7854

CVE-2015-7855

CVE-2015-7871

Multiple Vulnerabilities in ntpd Affecting Cisco Products - October 2015

7.2/10 - High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

CVE-2015-1798

CVE-2015-1799

Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products

5.8/10 - Medium
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CVE-2015-0642

CVE-2015-0643

Cisco IOS Software and IOS XE Software Internet Key Exchange Version 2 Denial of Service Vulnerabilities

8.6/10 - High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2015-0646

Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vulnerability

8.6/10 - High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2015-0207

CVE-2015-0209

CVE-2015-0285

CVE-2015-0287

CVE-2015-0288

CVE-2015-0289

CVE-2015-0290

CVE-2015-0291

CVE-2015-0292

CVE-2015-0293

CVE-2015-1787

Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products

4.0 - Medium

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

CVE-2014-3566

SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability

4.0 - Medium

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

CVE-2014-3359

Cisco IOS Software DHCP Version 6 Denial of Service Vulnerability

8.6/10 - High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2014-3355

CVE-2014-3356

Cisco IOS Software Metadata Vulnerabilities

8.6/10 - High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2014-3361

Cisco IOS Software Network Address Translation Denial of Service Vulnerability

6.8/10 - Medium

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2014-3354

Cisco IOS Software RSVP Vulnerability

8.6/10 - High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2014-3360

Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability

8.6/10 - High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2014-3299

Cisco IOS Software IPsec Denial of Service Vulnerability

7.7/10 - High

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CVE-2010-5298

CVE-2014-0076

CVE-2014-0195

CVE-2014-0198

CVE-2014-0221

CVE-2014-0224

CVE-2014-3470

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products

10/10 - Critical
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2014-2113

Cisco IOS Software Crafted IPv6 Packet Denial of Service Vulnerability

8.6/10 - High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2014-2108

Cisco IOS Software Internet Key Exchange Version 2 Denial of Service Vulnerability

8.6/10 - High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2014-2109

CVE-2014-2111

Cisco IOS Software Network Address Translation Vulnerabilities

8.6/10 - High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2014-2106

Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability

8.6/10 - High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2014-2112

Cisco IOS Software SSL VPN Denial of Service Vulnerability

8.6/10 - High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Rockwell Automation has provided firmware version v15.6.3 as remediation for these vulnerabilities.

Product Name

Catalog Number

Suggested Actions

Stratix 5900 Services Router

1783-SRKIT

Update to v15.6.3 (Download)

Customers using affected products are encouraged to update to this latest version, which addresses the associated risk and includes added improvements to further harden the software and enhance its resilience against similar malicious attacks.

Customers who are unable to update their software are directed toward risk mitigation strategies provided below.

Where feasible, it is recommended to use the additional precautions and risk mitigation strategies listed below. When possible, multiple strategies should be employed simultaneously. Please click "Subscribe for Updates" in the upper right corner if you would like an email notification when this advisory is updated.

GENERAL SECURITY GUIDELINES

1. Help minimize any unnecessary network exposure by assessing all control system devices and/or systems, and confirm that firmware is kept up to date
2. Use proper network infrastructure controls, such as firewalls. As an extension to this approach, the Allen-Bradley® Stratix 5950 Industrial Network Security Appliance offers an Intrusion Prevention System and an Intrusion Detection (IDS/IPS) System, and Deep Packet Inspection (DPI) technology of the Common Industrial Protocol (CIP). With the introduction of this new product, Rockwell Automation can offer customers an intrusion detection system to provide real-time visibility in the event that a vulnerability is being exploited. The Stratix 5950 Security Appliance uses Cisco FirePOWER™ technology, which allows created rules to be processed by Cisco TALOS for a variety of known security issues. Once configured with rules, the FirePOWER engine inspects the contents of every packet, looking for datapoints that correspond to one or more rules. Packets that have these signatures can be either logged using IDS or blocked using IPS. For further information on Rockwell Automation’s Vulnerability Handling process, please refer to our FAQs document.

For additional information on deploying the Stratix 5950, please see our Deploying Industrial Firewalls within a CPwE Architecture Guide.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory with the Rockwell Automation Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

ADDITIONAL LINKS

Security Advisory Index, Knowledgebase article KB:54102

Industrial Firewalls within a CPwE Architecture

Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

·

KCS Status

Released

Medium
PN966 | PN966 | ControlLogix 5580 and CompactLogix 5380 Programmable Automation Controller Denial of Service
Published Date:
April 04, 2017
Last Updated:
April 04, 2017
CVE IDs:
CVE-2017-6024
Products:
ControlLogix 5580 and Compact Logix 5380 Progammable Automation Controller
CVSS Scores:
6.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

ControlLogix 5580 and CompactLogix 5380 Programmable Automation Controller Denial of Service

Description

Version 1.0 - April 4, 2017

A vulnerability exists in certain ControlLogix® 5580 and CompactLogix™ 5380 Programmable Automation Controllers that, if successfully exploited, can cause a Denial of Service ("DoS") condition due to memory and/or resource exhaustion. These Programmable Automation Controllers are used to control processes across several sectors, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to help achieve completeness in its risk assessment and mitigation processes.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS
Note: Firmware versions (for all products) prior to FRN 28.011 are not affected by this vulnerability.

ControlLogix 5580 controllers V28.011, V28.012, and V28.013.
ControlLogix 5580 controllers V29.011.
CompactLogix 5380 controllers V28.011.
CompactLogix 5380 controllers V29.011.

VULNERABILITY DETAILS
This vulnerability may allow an attacker to intentionally send a series of specific CIP-based commands to the controller and cause either:

1. A Major Non-Recoverable Fault ("MNRF") resulting in a Denial of Service condition.
2. An inability to establish new communication connections, while the attack takes place, resulting in a temporary Denial of Service condition.
This vulnerability is remotely exploitable through CIP-based networks, including EtherNet/IP. At this- time, there is no publicly known code to exploit this vulnerability. The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system, and other controls a user may have in place.

CVE-2017-6024 has been assigned to this vulnerability. A CVSS v3 base score of 6.8/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string is CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected controllers are encouraged to update to an available firmware revision that addresses the associated risk.

Type of Controller

Product Family

Catalog Numbers

Suggested Actions

Standard Controller

ControlLogix 5580

All Catalog Numbers in the ControlLogix 5580 Family

Update to FRN 30.011 or later (Download)

Small Controller

CompactLogix 5380

All Catalog Numbers in the CompactLogix 5380 Family

Update to FRN 30.011 or later (Download)


GENERAL SECURITY GUIDELINES
1. Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
2. Minimize network exposure for all control system devices and/or systems, and help confirm that they are not accessible from the Internet.
3. Locate control system networks and devices behind firewalls, and use best practices when isolating them from the business network.
4. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

· 54102 - Industrial Security Advisory Index

· Industrial Firewalls within a CPwE Architecture

· Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide



KCS Status

Released

High
PN959 | PN959 | Connected Components Workbench™ Software Dynamic Link Library (DLL) Hijack
Published Date:
February 16, 2017
Last Updated:
February 16, 2017
Products:
Connected Components Workbench
CVSS Scores:
7.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 - February 16, 2017.  Initial Release.
Revision History
Revision Number
2.0
Revision History
Version 2.0 - April 09.2020.  Corrected mitigation versions from v9.01 to V12.

Introduction

Connected Components Workbench™ Software Dynamic Link Library ("DLL") Hijack

Executive Summary

Rockwell Automation received a report from independent researcher Ivan Javier Sanchez about a vulnerability in the Connected Components Workbench™ ("CCW") software. CCW is a design and configuration software that helps simplify standalone machine development by offering a single environment for controller programming, device configuration and visualization. DLL hijacking is a known and documented vulnerability that affects software running on Microsoft® Windows operating systems. The effects of this attack can range from a denial-of-service ("DoS"), to the injection of malicious code into trusted processes, depending on the content of the DLL and the risk mitigations in place by the victim.

As of this announcement, there is no known publicly available exploit code relating to this vulnerability.

Version 2.0 Update:
Rockwell Automation received a vulnerability report from Reid Wightman, a researcher from Dragos, reporting that additional versions of CCW continued to be affected by this vulnerability.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

  • Connected Components Workbench - Developer Edition, v11.00.00 and earlier
  • Connected Components Workbench - Free Standard Edition, v11.00.00 and earlier

Vulnerability Details

Certain DLLs included with versions of CCW software can be potentially hijacked to allow an attacker to gain rights to a victim’s affected personal computer (PC). Such access rights can be at the same, or potentially higher, level of privileges as the compromised user account, including and up to computer administrative privileges.

DLL hijacking requires user interaction and thus cannot be exploited remotely. The exploits are triggered only when a local user runs the vulnerable application, which then loads the untrusted DLL file in place of the real DLL file. Exploiting this vulnerability relies on successful social engineering of a victim to run at an application with the untrusted file, or to access a malicious webpage that is susceptible to browser redirection. These actions could allow an untrusted binary or DLL to be loaded into the memory of a client computer in place of the intended DLL.

The impacts of a successful DLL hijacking attack can range from a software crash (i.e. Denial-of-Service), which would require a restart, to the injection of malicious code into trusted processes. The impact of an attack that injects malicious code is highly dependent on both the type of code included in the attack, as well as any mitigations than the user may already employ. If the software is running as a high-privileged user, any injected code will also execute with those high privileges. The malicious code can also access process memory space that stores sensitive information or additional services that may be manipulated by the modified DLL.

A CVSS v3 base score of 7.0 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using versions of affected software are encouraged to take the following actions:

  1. Apply Connected Components Workbench – Developer Edition v12.00.00 (Download) or Connected Components Workbench – Free Standard Edition v12.00.00 (Download).
  2. Apply the risk mitigations and recommended user actions in Knowledgebase Document ID PN1498 / Article ID 1125780.
  3. Apply the risk mitigations and recommended user actions in Knowledgebase Document ID PN1499 / Article ID 1125782.

General Security Guidelines

  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use of Microsoft AppLocker or another whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation® products is available at Knowledgebase Article ID 546989.
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

High
PN938 | PN938 | RSLogix 500® and RSLogix™ Micro File Parser Buffer Overflow
Published Date:
February 14, 2017
Last Updated:
February 14, 2017
CVE IDs:
CVE-2016-5814
Products:
RSLogix 500
CVSS Scores:
8.6
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

RSLogix 500® and RSLogix™ Micro File Parser Buffer Overflow

Description

Version 1.1 - FEBRUARY 14 - 2017

UPDATE: Feb 14, 2017 Rockwell Automation has released a new version of software, v11.00.00, which contains the remediation for this vulnerability. Affected customers are encouraged to update to the most recent release to take advantage of the latest security patches.

In June 2016, Rockwell Automation was notified by ICS-CERT of a buffer overflow vulnerability that exists in its RSLogix™ Micro Starter Lite product, a free starter programming software used to program logic for the Allen-Bradley MicroLogix™ product family.

This vulnerability is not remotely executable, and successful social engineering is required to convince a victim of using the tool to open an untrusted, specifically modified project file on a target computer. A successful attack may potentially allow malicious code to execute on the target computer at the same privilege level as the logged-in user. The impact to the user’s environment is highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ. Currently, there is no publicly available exploit code relating to this vulnerability.

Rockwell Automation has evaluated the report and confirmed the existence of this vulnerability in RSLogix™ Micro Starter Lite. We further investigated and confirmed this vulnerability in the additional versions of RSLogix 500® and RSLogix™ Micro. We have released updated software to address the associated risk. Customers using affected versions of this software are encouraged to upgrade to this newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

  • RSLogix™ Micro Starter Lite, Versions 10.00.00 and earlier
  • RSLogix™ Micro Developer, Versions 10.00.00 and earlier
  • RSLogix 500® Starter Edition, Versions 10.00.00 and earlier
  • RSLogix 500® Standard Edition, Versions 10.00.00 and earlier
  • RSLogix 500® Professional Edition, Versions 10.00.00 and earlier

A patch for v8.40.00 is available now and is only for v8.40.00, links are provided below. The remediation will also be available in the next major revision of the software. This advisory will be updated when additional versions are available.

VULNERABILITY DETAILS

The discovered vulnerability exists in the code that opens and parses the RSLogix 500 and RSLogix Micro project files, identified by the RSS extension. In order for this vulnerability to be exploited in RSLogix 500 and RSLogix Micro, an attacker must create a malicious RSS file, which is the native file format for this software package. If the malicious project file is opened by an affected version of the product, the buffer overflow condition is exploited. Likewise, if the attack is successful, the unknown code will run at the same privilege level as the user who is logged into the machine.

Exploitation of this vulnerability requires the attacker to successfully convince a user to open a modified project file on their machine.

Potential impacts from a successful attack could include a software crash (for example, Denial of Service) which then requires a software restart. However, in more extreme cases, the victim may not even be aware of vulnerability exploitation while an attacker has established a position on the client asset. A successful attack that includes malicious code injection may potentially grant the attacker the same or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.

CVE-2016-5814 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned; the CVSS v3 vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

RISK MITIGATIONS

The following precautionary measures are recommended as additional risk mitigation strategies for this type of attack. If possible, multiple strategies should be employed simultaneously.

  • Do not open untrusted .RSS files with RSLogix 500 and RSLogix Micro.
  • Customers using affected versions of RSLogix 500 and RSLogix Micro are encouraged to apply the patch that address associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks. (Note: Patch is for v8.40.00 ONLY! Do NOT apply to other versions!)
    Product Family Catalog Numbers Software Versions Suggested Actions
    RSLogix Micro 9324-RLMx

    8.40.00

    878490 - Patch: Crash when opening project, RSLogix 500 8.40.00
    RSLogix Micro 9324-RLMx Versions 10.00.00 and earlier Update to V11.00 or later (Download)
    RSLogix 500 9324-RL0x

    8.40.00

    878490 - Patch: Crash when opening project, RSLogix 500 8.40.00
    RSLogix 500 9324-RL0x Versions 10.00.00 and earlier Update to V11.00 or later (Download)
  • Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  • Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at 546989 - Using Rockwell Automation Software Products with AppLocker .
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation Security Advisory Index at 54102 - Industrial Security Advisory Index, and the company public security web page at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website at http://www.rockwellautomation.com/solutions/security.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

54102 - Industrial Security Advisory Index
878490 - Patch: Crash when opening project, RSLogix 500 8.40.00
ICS-CERT Advisory ICSA-16-224-02

·

Revision History:
14-FEB-2017 Version 1.1 Added details for V11.00.00.

KCS Status

Released

Medium
PN949 | PN949 | MicroLogix Controller Vulnerabilities
Published Date:
December 01, 2016
Last Updated:
December 01, 2016
CVE IDs:
CVE-2016-9338, CVE-2016-9334
Products:
MicroLogix Controller
CVSS Scores:
6.5, 2.7
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

MicroLogix Controller Vulnerabilities

Description

Version 1.0 - December 1, 2016

Rockwell Automation® was notified of several vulnerabilities discovered in the MicroLogix™ 1100 and MicroLogix 1400 versions of the product family. MicroLogix is a family of Programmable Logic Controllers ("PLC") used to control processes across several sectors, including Food and Agriculture, Critical Infrastructure to Water, and Wastewater Systems.

As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat-vector had the potential to affect other Rockwell Automation product platforms.

Details relating to these vulnerabilities, the known affected platforms, and recommended countermeasures are contained herein.

AFFECTED PRODUCTS

  • 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, Version 15.004 and earlier.
  • 1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 14.000 and earlier.

VULNERABILITY DETAILS

Vulnerability #1: Hardcoded Usernames

Hardcoded username credentials on the MicroLogix 1100 and MicroLogix 1400 PLCs can reduce the effort required to obtain the full set of user credentials, which could allow unauthorized administrative access to device configuration options available through the web interface.

A CVSS v3 base score of 6.5 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability #2: Information Disclosure

Ilya Karpov reported to Rockwell Automation that user credentials, along with other information exchanged between browser and webserver are sent in clear text, which may allow an attacker to discover the credentials if they are able to observe traffic between the web browser and the server.

CVE-2016-9334 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability #3: Incorrect Permission Assignment for Critical Resource

Ilya Karpov reported to Rockwell Automation that a vulnerability exists in those instances where a user with administrator privileges goes to a specific link and remove all administrative users from the functional web service. A factory reset is required to remove the improper changes and restore the web service to this product.

CVE-2016-9338 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

RISK MITIGATIONS

Customers using affected versions of the MicroLogix 1400 and MicroLogix 1100 PLCs are encouraged to update to the newest available software versions that address associated risks and include added improvements to further help harden the software and enhance its resilience against similar malicious attacks. If it is not needed for their application, customers should consider disabling the web server to further mitigate these threats.

Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. Employ multiple strategies when possible.

  1. Update supported products based on this table:
    Product
    Family
    		 Catalog
    Numbers

    Hardware Series

    		 Vulnerabilities Remediated Suggested Actions
    MicroLogix 1100 1763-L16AWA
    1763-L16BBB
    1763-L16BWA
    1763-L16DWD    		 Series B Vulnerability #3:
    Permanent DoS     		- Apply FRN 15.000 or higher (Downloads)
    - Disable the web server. See Item #2 below for details.
    - Apply the additional mitigations described below.
    1763-L16AWA
    1763-L16BBB
    1763-L16BWA
    1763-L16DWD    		 Series A None - Disable the web server. See Item #2 below for details.
    - Apply the additional mitigations described below.
    MicroLogix 1400 1766-L32AWA
    1766-L32AWAA
    1766-L32BWA
    1766-L32BWAA
    1766-L32BXB
    1766-L32BXBA    		 Series B All Vulnerabilities - Apply FRN 16.000 (Downloads)
    - Disable the web server. See Item #2 below for details.
    - Apply the additional mitigations below.
    1766-L32AWA
    1766-L32AWAA
    1766-LK32BWA
    1766-L32BWAA
    1766-L32BXB
    1766-L32BXBA    		 Series A None - Disable the web server. See Item #2 below for details.
    - Apply the additional mitigations belowmitigations below.
  2. Disable the webserver on the MicroLogix 1100 or the MicroLogix 1400, as it is enabled by default. See 732398 - How to disable the web server in MicroLogix 1100 and 1400 for detailed instructions on disabling the web server.
  3. Set the keyswitch to RUN to prohibit any re-enabling of the web server while the keyswitch is in this mode.
  4. Use trusted software, software patches, anti-virus / anti-malware programs, and interact only with trusted web sites and attachments.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
  7. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  8. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
  9. We also recommend concerned customers continue to monitor this advisory, 54102 - Industrial Security Advisory Index and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation’s network and security services to enable assessment, design, implementation and management of validated, secure network architectures. For further information on our Vulnerability Management process, please refer to our Product Security Vulnerability FAQ document.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation, and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

ADDITIONAL LINKS

KCS Status

Released

Medium
PN929 | PN929 | Stratix® 5400 and Stratix 5410 ICMP IPv4 Packet Corruption Vulnerability
Published Date:
June 23, 2016
Last Updated:
June 23, 2016
Products:
Stratix 5400 Industrial Ethernet Switch, Stratix 5410 Ind Distribution Switch
CVSS Scores:
5.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Description

Version 1.0 - June 23, 2016

On May 13, 2016, Cisco disclosed a vulnerability in their Industrial Ethernet 4000 and 5000 Series switches. This vulnerability also impacts the Allen-Bradley Stratix® 5400 Industrial Ethernet Switches and the Allen-Bradley Stratix® 5410 Industrial Distribution Switches containing particular versions of IOS firmware. The discovered vulnerability is remotely exploitable and may allow an attacker to corrupt a subsequent packet traversing the device. At this time, both Rockwell Automation and Cisco are unaware of any publicly available exploit code.

Customers using affected versions of this software are encouraged to upgrade to the newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

  • Stratix 5400, Versions 15.2(2)EA1, 15.2(2)EA2
  • Stratix 5410, Versions 15.2(2)EB

No other Rockwell Automation Stratix products are currently known to be affected by this vulnerability. Stratix 5400 and Stratix 5410 Switches running any versions other than those listed above are not affected by this vulnerability.

To determine if your Stratix 5400 switch or Stratix 5410 switch is using the above firmware, please refer to KB55484: Upgrading or verifying Stratix Firmware.

VULNERABILITY DETAILS

A vulnerability in the packet processing microcode of Stratix 5400 and Stratix 5410 switches could allow an unauthenticated, remote attacker to corrupt packets enqueued on the device for further processing.

The vulnerability is due to improper processing of some Internet Control Message Protocol ("ICMP") IPv4 packets. An attacker could exploit this vulnerability by sending ICMP IPv4 packets to an affected device. A successful exploit could allow an attacker to corrupt the packet enqueued for transmission immediately after the anomalous packet. This may impact control traffic to the device itself (Address Resolution Protocol (ARP) traffic) or traffic transiting the device.

Cisco’s product security disclosure for their Industrial Ethernet 4000 and 5000 Series switches is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160513-ies

A CVSS v3 base score of 5.8 has been assigned to this vulnerability by Rockwell Automation. The CVSS v3 vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N).

CUSTOMER RISK MITIGATIONS AND REMEDIATION

Customers using affected versions of the Stratix 5400 and Stratix 5410 software are encouraged to upgrade to the newest available versions that address associated risk with this vulnerability. Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.

  • Upgrade affected products per the table below:
Product Hardware Series Mitigations
Stratix 5400 Industrial Ethernet Switches Series A Apply version 15.2(4)EA3 or newer (Download)
Stratix 5410 Industrial Distribution Switches Series A Apply version 15.2(4)EA3 or newer (Download)
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

ADDITIONAL LINKS

KCS Status

Released

High
PN930 | PN930 | FactoryTalk® EnergyMetrix™ Authentication Vulnerabilities
Published Date:
June 21, 2016
Last Updated:
June 21, 2016
CVE IDs:
CVE-2016-4522, CVE-2016-4531
Products:
FactoryTalk EnergyMetrix
CVSS Scores:
7.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Description

Version 1.0 - June 21, 2016

Rockwell Automation has internally discovered and remediated two authentication-based vulnerabilities in the Rockwell Software FactoryTalk® EnergyMetrix™ product. FactoryTalk EnergyMetrix is a web-enabled management software package that gives you access to critical energy information, and allows you to capture, analyze, store, and share energy data with key stakeholders using a standard web browser.

The first vulnerability concerns user credentials that are not immediately invalidated after an explicit logout action is performed by the user, which may allow an attacker to use these credentials in perpetuity. The second vulnerability is an SQL Injection vulnerability which may allow an attacker to access the FactoryTalk EnergyMetrix system without valid user credentials. Both vulnerabilities are exploitable remotely. At this time, there is no known publicly available exploit code relating to the vulnerabilities.

Rockwell Automation has examined associated vectors and revised product software has been released to address risks. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

  • FactoryTalk EnergyMetrix v2.10.00 and earlier

VULNERABILITY DETAILS

Authenticated User Token Remains Valid after Logout

When a user explicitly logs out of their FactoryTalk EnergyMetrix account, their authentication token is not immediately invalidated by the system. An attacker who obtained this token would be able to access the FactoryTalk EnergyMetrix system at the same privilege level as the user, by resending the captured token with their request.

CVE-2016-4531 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

SQL Injection

A SQL injection vulnerability allows privilege escalation by an anonymous user, which can result in access to administrative functions of the FactoryTalk EnergyMetrix system. A successful attack results in privileged access to the application and its data files but not to the underlying computer system. The impact of this vulnerability is highly dependent on the user’s environment and the level of privilege the web server service account has with its associated database.

CVE-2016-4522 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

RISK MITIGATIONS

Rockwell Automation recommends that asset owners evaluate the impact with each of these vulnerabilities within their environment, and apply the following suggested mitigations which are applicable. When possible, multiple strategies should be employed simultaneously.

  1. Customers using affected versions of FactoryTalk EnergyMetrix software are encouraged to upgrade to the newest available software versions that address associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks.
    Product Family Catalog Numbers Software Versions Suggested Actions
    FactoryTalk EnergyMetrix 9307-FTEM* V2.10.00 and earlier Apply version 2.20.00 or later; Version 2.30 or later is recommended. (Downloads)
  2. Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
  3. Configure and enable HTTPS on your EnergyMetrix server, which protects the confidentiality and integrity of information exchanged between the web browser and server.
  4. Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  7. Locate control system networks and devices behind firewalls, and isolate them from the business network.
  8. When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

LINKS

KCS Status

Released

PN886 | PN886 | MicroLogix Web Redirect Vulnerability
Published Date:
September 17, 2015
Last Updated:
September 17, 2015
Products:
MicroLogix Web Redirect
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

MicroLogix Web Redirect Vulnerability

Description

September 17, 2015 - Version 1.0

On August 11, 2015, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley MicroLogix 1400 product family. The researcher previously disclosed this information at the DEFCON 23 conference on August 8, 2015. The researcher publicly disclosed details relating to this vulnerability, including the existence of exploit code. However, at the time of publication, no known exploit code relating to this vulnerability has been released to the public. ICS-CERT published an alert (ICS-ALERT-15-225-02A) to cover this vulnerability.

As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has also reproduced the vulnerability in the MicroLogix 1400, and further discovered and reproduced the vulnerability in the MicroLogix 1100 product family. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.

Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.

AFFECTED PRODUCTS

  • 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, Version 15.002 and earlier.
  • 1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 14.000 and earlier.

Rockwell Automation will resolve this vulnerability in the next minor revision of product firmware, currently expected to be available in the October 2015 timeframe. This advisory will be updated to provide upgrade information when it is available.

VULNERABILITY DETAILS

The vulnerability in the MicroLogix’s webserver allows an attacker to inject arbitrary web content into an unsuspecting user’s web browser by using a built-in feature to "redirect" outside web content into the product’s web pages. This outside web content could contain malicious content that would target the web browser when the content is rendered. The impact to the user’s automation system would be highly dependent on both the type of web exploits included in this attack and the mitigations that the user may already employ. The target of this type of attack is not the MicroLogix itself. Instead, the MicroLogix is used as a vehicle to deliver an attack to a device running a web browser.

A successful attack would not compromise the integrity of the device or allow access to confidential information contained on it. On rare occasions the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.

RISK MITIGATIONS

  • Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
  • Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
  • Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.

KCS Status

Released

Medium
PN869 | PN869 | RSView32 Weak Encryption Algorithm on Passwords
Published Date:
April 30, 2015
Last Updated:
April 30, 2015
Products:
RSView32
CVSS Scores:
4.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

RSView32 Weak Encryption Algorithm on Passwords

Description

April 30, 2015 - Version 1.0

A vulnerability has been discovered by Vladimir Dashchenko and Dmitry Dementjev, Information Security Analysts at Ural Security System Center (USSC), in the encryption approach used by specific versions of RSView32 software to protect the contents of a file containing user-defined passwords. The passwords stored within the file are used to authenticate users in order to grant access to the software and user-created content.

Rockwell Automation has verified the validity of Mr. Dashchenko and Dementjev’s discovery and a software patch has been release for RSView32 that enhances the security of the mechanism used to create, manage and make-use of user-defined passwords by the software. Customers who continue to use affected versions of the software are encouraged at a minimum to apply this patch, or migrate to more contemporary Rockwell Automation solutions. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

The following software has been confirmed to be susceptible to the reported vulnerability:

Software Name Version
RSView32 All software versions up to and including
RSView32 - 7.60.00 (CPR9 SR4)


VULNERABILITY DETAILS, RISK and POTENTIAL IMPACTS

A vulnerability has been discovered in the encryption approach used by RSView32 to create a password storage file used with the software.

User-defined usernames and passwords for RSView32 are stored within the users.act file. The associated weakness in the file is a result of the software using a weak and outdated encryption algorithm. The technology weakened password complexity prior to encrypting the password. In addition, the algorithm’s strength has decreased over time as compared to more contemporary encryption technologies. Content encrypted with this older algorithm, such as the users.act file, may be susceptible to unauthorized decryption. If successfully exploited, user-defined passwords can be learned.

For such exposure, an attacker must first gain access to the specific password storage file, or to a copy of the file that is stored local to the RSView32 product. In order to gain such access, the security of the local machine would need to be compromised in some way to allow local or remote access, or some form of successful social-engineering would be needed to convince a victim to grant access to, or supply the particular file to a malicious third party. To make use of the passwords to access user-defined RSView32 protected content, an attacker would similarly need to reverse-engineer the decryption algorithm to learn the plain text, before being able to authenticate and gain access to that protected content.

At this time there is no known publicly available exploit code.

CUSTOMER RISK MITIGATION AND REMEDIATION

A software patch has been released for RSView32 to mitigate risk associated with the discovered vulnerability. Customers using affected versions of the RSView32 are encouraged to apply this patch and take added precautions as outlined herein.

Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.

  1. Apply the following patch if using an affected software version:

    Software

    Catalog Number

    Affected Software

    Recommendation

    RSView32

    9301-2SEx

    All software versions
    prior to, not including
    RSView32 - 7.60.00 (CPR9 SR4)

    		 >>>

    Apply reference software patch:


    RSView32 - 7.60.6.11

    https://rockwellautomation.custhelp.com
    /app/answers/detail/a_id/635640
  2. Limit access to assets with RSView32 and other software only to authorized personnel.
  3. Restrict network access to assets with RSView32 and other software as appropriate.
  4. Use trusted software and software patches that are obtained only from highly reputable sources.
  5. Interact with, and only obtain software and software patches from trustworthy websites.
  6. Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
  7. Follow good network design practices that include network separation and segmentation, use of DMZs with properly configured firewalls to selectively control and monitor traffic passed between zones and systems.
  8. Maintain layered physical and logical security, defense in depth design practices for the ICS.
  9. Reaffirm with employees the importance for constant vigilance, especially the ongoing potential for social engineering attacks to manipulate otherwise normal user behaviors.
  10. Upgrade the affected product to a more contemporary, in-support product and compatible operating system; Establish a patch management and product upgrade strategy too*

*ONGOING RISKS AND PRODUCT MIGRATION
The RSView32 product has inherent technical limitations that are likely to make subsequent security patches more difficult, if not altogether infeasible in the future. Furthermore, RSView32 is not compatible with certain contemporary versions of the Microsoft Windows® operating system. While this particular product patch helps to mitigate a very specific security risk, it has no positive effect on other known and unknown vulnerabilities in the Windows OS on which the product is installed and operates. In addition, some Windows versions (with which the product still operates) are no longer in support by the manufacturer, yet they are known to be highly susceptible to a variety of significant, unpatchable security risks.

We recommend customers consider upgrading their software and compatible operating systems to more contemporary versions everywhere possible. In parallel, customers should adopt measures to keep products current and patched.

For those customers who choose to continue using RSView32, we strongly recommend they upgrade the operating system on which the product runs to a compatible version that is as current as possible and is still in support by the manufacturer. When this compatibility can no longer be assured, or the operating system support expires, Rockwell Automation stands ready to help our customers migrate to contemporary solutions as we also help protect and leverage their previous investments.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

Medium
PN852 | PN852 | RSLinx Classic File Input Buffer Overflow in OpcTest.exe
Published Date:
April 20, 2015
Last Updated:
April 20, 2015
Products:
RSLinx Classic (Single Node
CVSS Scores:
6.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

RSLinx Classic File Input Buffer Overflow in OpcTest.exe

Description

April 20, 2015 - version 1.0

A vulnerability has been discovered by independent researcher Ivan Javier Sanchez in a non-critical software component distributed with certain versions of the RSLinx Classic product. The included executable, OpcTest.exe, is a test client for RSLinx’s support of the OPC-DA protocol. The discovered vulnerability is not remotely exploitable and successful social engineering is required to convince a victim to use the test client to open an untrusted, specifically modified CSV file on a target computer. A successful attack may potentially allow malicious code to execute on the target computer at the same privilege level as OpcTest.exe. At this time there is no known publicly available exploit code.

Rockwell Automation has verified the validity of Mr. Sanchez’ discoveries and a new software release has been issued for RSLinx Classic that includes a new version of OPCTest.exe to address the associated risk. Customers using affected versions of this software are encouraged to upgrade to this newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

The following software has been confirmed to be susceptible to the reported vulnerability:

Software Name Version
RSLinx Classic All versions prior to, not including 3.73.00

VULNERABILITY DETAILS, RISK and POTENTIAL IMPACTS

OpcTest.exe has a capability to import a comma-separated values (CSV) file, containing lists of tags and groups, so that the software user can easily subscribe to these items from the RSLinx Classic software. The discovered vulnerability is within the OpcTest.exe code that parses this CSV content. In certain cases where a uniquely crafted or altered file is used, the OpcTest.exe parser code execution can encounter a buffer overflow, which has potential to modify the stack and allow the execution of unknown code on the affected computer. If successful, such unknown code will be running at the same privilege level as the user who is logged into the machine.

Exploitation of this vulnerability requires an attacker to convince a user to introduce or replace CSV files with specifically created or modified CSV files that have been constructed to use this buffer overflow condition to successfully execute malicious code.

Potential impacts from a successful attack could include a software crash (e.g. Denial of Service) thereby requiring a software restart. In more extreme cases, the victim may not even be aware of vulnerability exploitation while an attacker has established a position on the client asset. A successful attack that includes malicious code injection may potentially grant the attacker the same, or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.

CUSTOMER RISK MITIGATION AND REMEDIATION

Customers using affected versions of the RSLinx Classic are encouraged to upgrade to the newest available software versions that address associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.

  1. Do not open untrusted CSV files with OPCtest.exe
  2. Upgrade affected products as follows:

    Software Catalog Number Affected Software Recommendation
    RSLinx Classic 9355-WABSNENE; 9355-WABOEMENE; 9355-WABGWENE All software versions prior to 3.72.00.01 >>>

    Upgrade to 3.73.00 or higher (available now)

    Choose "RSLinx Classic (9355-WABx)" -- http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?keyword=9355-WAB
  3. Limit access to those assets with RSLinx Classic and other software to authorized personnel.
  4. Run all software as User, not as an Administrator.
  5. Restrict network access to assets with RSLinx Classic and other software as appropriate.
  6. Use trusted software and software patches that are obtained only from highly reputable sources.
  7. Interact with, and only obtain software and software patches from trustworthy websites.
  8. Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
  9. Follow good network design practices that include network separation and segmentation, use of DMZs with properly configured firewalls to selectively control and monitor traffic passed between zones and systems.
  10. Maintain layered physical and logical security, defense in depth design practices for the ICS.
  11. Reaffirm with employees the importance for constant vigilance, especially the ongoing potential for social engineering attacks to manipulate otherwise normal user behaviors.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

Medium
PN851 | PN851 | FactoryTalk Services Platform and FactoryTalk View Studio DLL Hijacking Vulnerability
Published Date:
February 12, 2015
Last Updated:
February 12, 2015
Products:
FactoryTalk View SE, FactoryTalk View ME
CVSS Scores:
6.9
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

FactoryTalk Services Platform and FactoryTalk View Studio DLL Hijacking Vulnerability

Description

February 12, 2015 - version 1.0

A vulnerability has been discovered by independent researcher Ivan Javier Sanchez in software components that comprise and are shared by the FactoryTalk Services Platform used in FactoryTalk-branded product and FactoryTalk View Studio.

These vulnerabilities are not exploitable remotely without user interaction. The exploits are only triggered when a local user runs the vulnerable application, and it loads the malformed DLL file. Exploiting this vulnerability relies on successful social engineering of a victim to run an untrusted file or to access a malicious webpage using a browser susceptible to redirection. These actions could allow an untrusted binary or DLL to be loaded into the memory of a client computer.

At this time there is no known publicly available exploit code.

Rockwell Automation has verified the validity of Mr. Sanchez’ discoveries and released new FactoryTalk Services Platform and FactoryTalk View Studio software to address associated risk. Customers using affected versions of this software are encouraged to upgrade to the newest available software versions or apply appropriate patches as indicated below. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

The following software has been confirmed to be susceptible to the reported vulnerability:

Software Name Version Verify Software Version Method
FactoryTalk Services Platform (FTSP) All versions prior to and not including 2.71
 Software version can be verified using Windows Add/Remove programs utility
FactoryTalk View Studio Version 8.00.00 and all prior versions Software HelpAbout

VULNERABILITY DETAILS, RISK and POTENTIAL IMPACTS

It was discovered that certain DLLs (Dynamic Link Library) that are included with older versions of FactoryTalk Services Platform and View Studio software can be potentially hijacked to allow an attacker to gain access rights to a victim’s affected PC. Such access rights can be at the same, or potentially higher level of privileges as the compromised user account, including up to computer administrative privileges.

DLL hijacking is a known and documented vulnerability affecting Microsoft Windows operating systems. Exploitation of this vulnerability typically requires social engineering to successfully introduce a malicious DLL onto a target computer and within a specific file directory set as the default DLL search path for the particular edition of Microsoft Windows operating system.

To exploit this vulnerability, an attacker would either have to breach account access or get someone to install software or a specific DLL that was not approved. The malicious DLL would need to be installed onto the target computer in a specific file directory set as the default DLL search path for the particular edition of Microsoft Windows operating system.

When a DLL vulnerability is exploited, trusted software can unknowingly load an untrusted DLL in place of the intended DLL. Its effects can range from a software crash (i.e. Denial of Service) requiring software restart, to more significant events such as the injection of malicious code into trusted processes. The malicious code can also access process memory space that may store sensitive information or additional services that may be manipulated by the modified DLL.

CUSTOMER RISK MITIGATION AND REMEDIATION

Although there are no known exploits at this time, customers using affected versions of the FactoryTalk Services Platform and View Studio are encouraged to upgrade to the newest available software versions where possible, or to apply appropriate patches.

Upgrade affected products as follows:

Software Catalog Number Affected Firmware Recommendation
FactoryTalk Services Platform (FTSP) N/A All software versions prior to and not including 2.71.00 >>>

Upgrade to V2.71.00 or higher (available now)

If an upgrade is not currently possible, apply Patch V2.70.00: KB#631115

Note: This software is included with Studio 5000™ software Version 24 and higher.
FactoryTalk View Studio 9701-VWSS000LENE Version 8.00.00 and all prior versions >>>

Apply software patch for V8.00.00 or higher: KB#631115

Note: When available, FactoryTalk View Studio V8.10.00 will include this standalone software patch.


If a patch is not available for your system, customers are still advised to maintain good practices to not allow unauthorized access/software in their production systems.

Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.

  1. Limit access to those assets with FactoryTalk branded software, including View Studio and other software to authorized personnel
  2. Run all software as User, not as an Administrator
  3. Restrict network access to assets with FactoryTalk branded software, including View studio and other software as appropriate
  4. Use trusted software and software patches that are obtained only from highly reputable sources.
  5. Interact with, and only obtain software and software patches from trustworthy websites.
  6. Where possible, run only the newest versions of reputable web browsers that include enhanced protections against browser redirection.
  7. Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
  8. Follow good network design practices that include network separation and segmentation, use of DMZs with properly configured firewalls to selectively control and monitor traffic passed between zones and systems.
  9. Maintain layered physical and logical security, defense in depth design practices for the ICS
  10. Reaffirm with employees the importance for constant vigilance, especially the ongoing potential for social engineering attacks to manipulate otherwise normal user behaviors.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

High
PN841 | PN841 | Connected Components Workbench (CCW) ActiveX Component Vulnerability
Published Date:
November 03, 2014
Last Updated:
November 03, 2014
Products:
Connected Components Workbench
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Connected Components Workbench (CCW) ActiveX Component Vulnerability

Description

Original Release: October 14, 2014 - Version 1.0

November 3, 2014 - Version 1.1 (UPDATE-A)

<<< START UPDATE-A >>>

A vulnerability has been reported affecting two custom ActiveX components provided with the Connected Components Workbench (CCW) software. If exploited, it will crash a targeted component and it can potentially allow for arbitrary code injection on the computer hosting the component. The vulnerability is both locally and remotely exploitable via a successful social engineering attack, such as an attack that targets a victim or victims via a phishing campaign. At this time there is no known publicly available exploit code.

<<< END UPDATE-A >>>

Rockwell Automation has verified the validity of the vulnerability claim and released a new software build, Version 7.00.00 to address associated risk. In parallel, other CCW software components in this new build have been bolstered as a result of the company’s focus on security-quality and continuous improvement. All customers using CCW software prior to Version 7.00.00 are strongly encouraged to upgrade to Version 7.00.00 or newer at their earliest convenience. Refer to the following for additional details relating to the vulnerability, affected product and recommended countermeasures.

AFFECTED PRODUCTS

  • All software versions prior to and including Version 6.01.00 of Connected Component Workbench (CCW) Software

    Note: CCW Version 7.00.00 and higher are not susceptible to the reported vulnerability.

EXPOSURE

  • All computers with Connected Component Workbench (CCW) Software Version 6.01.00 and earlier.

    Note: CCW Version 7.00.00 and higher are not susceptible to the reported vulnerability.

<<< START UPDATE-A >>>

VULNERABILITY DETAILS

The reported CCW ActiveX vulnerability is the result of a software coding error that was further compounded by the use of an older version of a compiler used to create the custom ActiveX components. The vulnerability allows an attacker to send an arbitrary, out of range value to a particular property of an affected ActiveX component to crash its operation and then potentially allow for an execution of unauthorized code on the computer hosting the software.

Neither the CCW software, nor the vulnerable ActiveX components necessarily need to be running for an attack to be successful.

The attack vector to exploit this vulnerability first requires a user with local access to the computer containing both a susceptible ActiveX component and a container to either knowingly or unknowingly execute some form of malicious code. Such code could likely be delivered via the loading of an infected webpage or some document opened in a web browser or other container capable of running ActiveX controls. A plausible attack scenario could begin with a phishing attack, whereby a victim is convinced to open and run a malicious HTML file or other such infected file, or to visit a maliciously-altered webpage that has been tailored to specifically exploit this vulnerability in an affected ActiveX component.

<<< END UPDATE-A >>>

Potential impacts from a successful attack could include a simple crash of CCW software (e.g. Denial of Service), thereby requiring a software restart to recover from the crash. In more extreme cases, the victim may not even be aware of vulnerability exploitation since neither CCW nor an affected ActiveX component needs to be running for an attacker to inject malicious code to the susceptible software component. A successful attack that includes malicious code injection may potentially grant the attacker the same, or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.

RISK MITIGATION AND REMEDIATION

A new version of CCW software, Version 7.00.00 has been released to address associated risk with the vulnerability in the affected ActiveX components. This same software release also includes added software improvements to enhance product security and resilience against similar malicious attacks. All customers using CCW software are encouraged to upgrade to Version 7.00.00 or newer at their earliest convenience.

The following immediate mitigation strategies are recommended. When possible, multiple strategies should be employed simultaneously.

  1. Upgrade Connected Component Workbench (CCW) software as follows:

    Software

    Catalog Number

    Affected Firmware

    Recommendation

    Connected Component Workbench (CCW) Software

    CCW - Free and Developer Edition (Dev Ed)

    All CCW software versions prior to, and including Version 6.01.00

    Upgrade to CCW Version 7.00.00 or higher

    (available now).

    Refer to additional recommended risk mitigations as provided herein.

    Current CCW software can be obtained here:

    http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?crumb=112

    Product Search: CCW Version: 7.00.00 (or higher)
  2. Limit access to computers with Connected Components Workbench (CCW) to only authorized personnel.
  3. Run Connected Components Workbench (CCW) software as User, not as an Administrator
  4. Use only trusted software and software patches, and download and interact only with trusted files and webpages.
  5. Restrict network access for computers that include Connected Components Workbench software.
  6. Where possible, run newest version of Internet Explorer web browser and other ActiveX containers.
  7. Where possible, disable ActiveX capabilities in web browsers or consider using browsers without ActiveX support.
  8. Closely scrutinize any user-prompts received from web browsers or other ActiveX containers.
  9. Employ layered security, defense-in-depth methods, including administrative controls such as emloyee training and awareness, and technical controls such as network segregation and segmentation practices in the system design to restrict and control access to individual products and control networks.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

High
PN836 | PN836 | MicroLogix 1400 DNP3 Denial of Service Vulnerability
Published Date:
September 09, 2014
Last Updated:
September 09, 2014
Products:
MicroLogix 1400 DNP3
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

MicroLogix 1400 DNP3 Denial of Service Vulnerability

Description

September 9, 2014 - Version 1.0

Rockwell Automation was notified by independent researcher Matthew Luallen of CYBATI (https://cybati.org/) and ICS-CERT of a Denial of Service (DoS) vulnerability to the DNP3 implementation of the Allen-Bradley MicroLogix 1400 controller platform. At this time, there is no known publicly available exploit code relating to the vulnerability. Rockwell Automation has verified Mr. Luallen’s discovery and released revised product firmware to address associated risk. Refer to the following for additional details relating to the vulnerability, affected product and recommended countermeasures.

AFFECTED PRODUCTS
In collaboration with Mr. Luallen, Rockwell Automation has determined certain Allen-Bradley MicroLogix 1400 controller platforms are affected by this vulnerability:

  • 1766-Lxxxxx Series A FRN 7 or earlier;
  • 1766-Lxxxxx Series B FRN 15.000 or earlier

    Note: DNP3 communication is disabled by default in the product.

VULNERABILITY DETAILS
DNP3 communication is disabled by default in the MicroLogix 1400 product. If the DNP3 capability is enabled, specific versions of the product become susceptible to a Denial of Service (DoS) attack that can be triggered when the product receives a particular series of malformed packets over its Ethernet or local serial ports that are directed at the link layer DNP3 header.

Successful exploitation of this vulnerability results in a disruption of the DNP3 application layer process and a loss of product communication and availability on the network, thereby resulting in a denial of service condition. Exploitation of the vulnerability can be triggered remotely and the attack is repeatable. Furthermore, the DoS results will be successful regardless of controller’s mode switch setting.

Product recovery from the denial of service condition requires a power cycle, yet the product will remain susceptible to subsequent attacks until the vulnerability is addressed or the threat is adequately mitigated or removed.

RISK MITIGATIONS
A new version of MicroLogix 1400 Series B firmware has been released to address the vulnerability and reduce associated risk to successful exploitation. Subsequent versions of MicroLogix 1400 Series B firmware and newer will incorporate these same enhancements.

The following immediate mitigation strategies are recommended. When possible, multiple strategies should be employed simultaneously.

1. Upgrade all MicroLogix 1400 controllers per the following table:

Controller Platform

Catalog Number

Affected Firmware

Recommendation

MicroLogix 1400

1766-L32xxxx

Series B FRN 15.000 and earlier.

Series A

à

à

Upgrade to Series B FRN 15.001 or higher (available now).

Refer to additional recommended risk mitigations as provided herein.

Current firmware for the MicroLogix 1400 Series B platform can be obtained here:

http://www.rockwellautomation.com/rockwellautomation/support/pcdc.page

2. Do not enable DNP3 communication in the product unless required.

3. Where appropriate, prohibit DNP3 communication that originates outside the perimeter of the Manufacturing Zone from entry into the Zone by blocking communication directed at Ethernet communication port 20000/TCP* and 20000/UDP* using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

*Note: Ports 20000/TCP and 20000/UDP are factory defaults as per the DNP3 specification, but can be reconfigured by the product owner.

4. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

5. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

6. Employ layered security, defense-in-depth methods and network segregation and segmentation practices in system design to restrict and control access to individual products and control networks. Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Flagged - Formatting

Medium
PN792 | PN792 | FactoryTalk Activation Manager Unnecessary Third-party Service
Published Date:
November 08, 2013
Last Updated:
November 08, 2013
Products:
Third Party, FactoryTalk Services Platform
CVSS Scores:
5.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

FactoryTalk Activation Manager Unnecessary Third-party Service

Description

November 8, 2013 - version 1.0

During the installation of FactoryTalk Activation Manager, a software service from SafeNet Technologies called the Sentinel Local License Manager is automatically installed along with drivers for the USB activation dongles sometimes used with FactoryTalk Activation. These USB dongles are manufactured by SafeNet Technologies.

The Sentinel Local License Manager service is configured to start automatically on the Windows host. Furthermore, the service listens on three (3) communication ports: 1947/TCP, 1947/UDP, and an additional variable UDP port.

Recent evaluation of FactoryTalk Activation manager has determined the Sentinel Local License Manager service is unnecessary when SafeNet USB activation dongles are used with FactoryTalk Activation. The service is also unnecessary or for the operation of any Rockwell Automation products.

Additionally, security testing has identified the Sentinel Local License Manager service may fail when the specific communication ports it listens on become overwhelmed, or when specifically crafted traffic is directed at these ports and the accompanying service. The failure of the Sentinel service is trapped in software. No indications have been observed for potential code injection or successful escalation of privilege on the host.

To date, we are not aware of any known cases of successful exploitation of this vulnerability in FactoryTalk Activation Manager. Furthermore, we are not aware of publicly available proof of concept exploit code.

AFFECTED PRODUCTS

FactoryTalk Activation Manager v3.30 and greater on all Microsoft Windows operating systems is affected.

RISK MITIGATION

Rockwell Automation recommends disabling the SafeNet Sentinel Local License Manager service (hasplms.exe) unless specifically required by a non-Rockwell Automation application. Instructions for performing this operation are found in Knowledge Base (AID:570831). In addition, when a host-based firewall is available, we recommend blocking communication ports 1947/TCP and 1947/UDP on the host computer.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

PN744 | PN744 | MicroLogix, SLC 500 and PLC5 Controller Vulnerability
Published Date:
August 02, 2013
Last Updated:
August 02, 2013
Products:
MicroLogix, SLC 500 and PLC5 Controller Vulnerability
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

MicroLogix, SLC 500 and PLC5 Controller Vulnerability

Description

Released: October 26, 2012

Updated: August 2, 2013 <Update A>

On September 14, 2012, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley MicroLogix 1400 controller platform. Details relating to this vulnerability, including the existence of exploit code, have been made public by the researcher at various training events. At this time, no known exploit code relating to this vulnerability has been released to the public.

On October 2, 2012 Rockwell Automation independently initiated and maintained direct contact with the researcher to obtain pertinent facts relating to this matter due to lack of sufficient details shared through ICS-CERT. We continue to work with the researcher directly and keep him apprised of the expanded scope of impact from his initial findings.

As a matter of course, Rockwell Automation expanded scope of this evaluation beyond the MicroLogix 1400 platform in order to determine if this same threat-vector has potential to impact other A-B controller platforms. Rockwell Automation has reproduced the vulnerability. Due to the breadth of platforms potentially affected, we have been conducting thorough evaluations to ensure completeness in our risk assessment and mitigation process.

Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.

AFFECTED PLATFORMS
Rockwell Automation has determined the following A-B products are affected by this vulnerability:

MicroLogix 1100 controller
MicroLogix 1200 controller (all versions prior to 13.000)
MicroLogix 1400 controller
MicroLogix 1500 controller (all versions prior to 13.000)
SLC 500 controller platform
PLC5 controller platform

VULNERABILITY DETAILS

MicroLogix Controller Platform
The vulnerability in the MicroLogix controller platform occurs due to inadequate write protection measures on the controller’s Status file.

The MicroLogix controller is susceptible to a remotely exploitable Denial of Service (DoS) attack should it receive certain messages that change specific status bits in the controller’s Status file. Under these specific conditions, an attack will be successful regardless of controller’s mode switch setting. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.

SLC 500 Controller Platform
The vulnerability in the SLC 500 controller platform occurs when the controller’s Status file property is not set to "Static," thereby allowing changes to the file contents.

When the SLC 500’s Status file is not configured to "Static," the SLC 500 controller is susceptible to a remotely exploitable Denial of Service (DoS) attack when it receives certain messages that change specific bits in its Status file. Under these specific conditions, an attack will be successful regardless of controller’s mode switch setting. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.

PLC5 Controller Platform
The vulnerability in the PLC5 controller platform occurs when the controller’s "Password and Privileges" feature is disabled.

When the Passwords and Privileges feature of the PLC5 controller is not enabled, the PLC5 controller is susceptible to a remotely exploitable Denial of Service (DoS) attack when it receives certain messages that change specific bits in its Status file. Under these specific conditions, an attack will be successful regardless of controller’s mode switch setting. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.

RISK MITIGATIONS

MicroLogix Controller Platform

<Begin Update A>

Product

Recommended Action

MicroLogix 1100 controller

Upgrade product firmware to release 13.000 or greater

http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html

MicroLogix 1200 controller

Upgrade product firmware to release 13.000 or greater

http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html

MicroLogix 1400 controller

Upgrade product firmware to release 14.000 or greater

http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html

MicroLogix 1500 controller

Upgrade product firmware to release 13.000 or greater

http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html

<End Update A>

In addition to the above product-level mitigations, Rockwell Automation recommends the following mitigation strategies to help reduce the likelihood of compromise and the associated security risk. When possible, multiple strategies should be employed simultaneously:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

3. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

4. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

5. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/

We will communicate additional mitigation strategies to our concerned customers should more direct product-level mitigations be developed that can further reduce associated risk from this vulnerability.

SLC 500 Controller Platform
Remote attempts to write data to the SLC 500 platform’s Status file are ignored and discarded by setting the controller’s Status file properties to "Static" via RSLogix 500 software.

Rockwell Automation recommends where possible that the Status file "Static" configuration setting be enabled to reduce the likelihood of successful exploitation of the vulnerability. The "Static" file property setting is configured in the Status File Properties page of RSLogix 500 software.

PLC5 Controller Platform
Remote attempts to write data to the PLC5 platform’s Status file are ignored and discarded by using the controller’s "Password and Privileges" feature, configured via RSLogix 5 software.

Rockwell Automation recommends where possible that the Passwords and Privileges feature be enabled to reduce the likelihood of successful exploitation of the vulnerability.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

High
PN759 | PN759 | FactoryTalk Diagnostics and RSLinx Enterprise Software Vulnerability
Published Date:
June 28, 2013
Last Updated:
June 28, 2013
Products:
FactoryTalk Linx / RSLinx Enterprise
CVSS Scores:
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

FactoryTalk Diagnostics and RSLinx Enterprise Software Vulnerability

Description

April 5, 2013

Updated: June 28, 2013

Rockwell Automation was notified through ICS-CERT that Carsten Eiram from the security firm, Risk Based
Security (www.riskbasedsecurity.com) identified vulnerabilities that affect a software component of the
FactoryTalk™ Service Platform (RNADiagnostics.dll) and two software components of RSLinx Enterprise
software (LogReceiver.exe and Logger.dll). These vulnerabilities have been confirmed to be remotely
exploitable which can lead to termination of affected software services and Denial of Service conditions.

To date, Rockwell Automation is not aware of any known cases of successful exploitation of these
vulnerabilities in operational systems. Furthermore, we are not aware of publicly available proof of
concept exploit code.

Rockwell Automation worked directly with Mr. Eiram to verify his findings, determine root cause and
validate the resulting software patches being issued for the FactoryTalk Services Platform and RSLinx
Enterprise software. Given the company’s focus on continuous improvement, added steps are being taken to
further enhance the development and testing processes associated with these products. As a result,
additional product hardening enhancements have been included in the referenced software patches and will
continue to be deployed via forthcoming product releases.

AFFECTED PRODUCTS

  • All FactoryTalk-branded software, including CPR9-SR0 through SR6
  • All RSLinx Enterprise software, prior to and including CPR9 and CPR9-SR1 through SR6

VULNERABILITY DETAILS AND IMPACTS

FACTORYTALK SERVICES PLATFORM
(RNADiagnostics.dll)

The software components exhibit a vulnerability as a result of missing input validation and improper
exception handling with streaming data. A specially crafted packet sent to TCP port 5241 will result in
a crash of the RsvcHost.exe service. A successful attack will result in the following:

  1. Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4445.
  2. Crash condition that disrupts further execution of the RNADiagnostics.dll or RNADiagReceiver.exe
    diagnostic service.

The vulnerability can be exploited remotely from a network-based attack; however, no possibility of
malicious code injection or escalation of privilege on the host machine is known to result from
successful exploitation. There is also no indication that exploitation will directly disrupt operation
of a Rockwell Automation programmable controller, operator interface or other networked device connected
elsewhere in the local control system.

RSLINX ENTERPRISE SOFTWARE
(LogReceiver.exe and Logger.dll)

These software components exhibit a vulnerability as a result of a logic error in the service’s handling
of incoming requests on UDP port 4444 (user-configurable, but not enabled by default) of zero or large
byte datagrams. When successfully exploited, the vulnerability will cause the thread receiving data to
exit, resulting in the service silently ignoring further incoming requests. A successful attack will
result in two respective conditions:

  1. Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4444.
  2. Crash condition that disrupts further execution of the LogReceiver.exe

The vulnerability can be exploited remotely with the potential for code injection; however, no
possibility of escalation of privilege on the host machine is known to result from successful
exploitation. Although theoretical, a possibility of remote code execution has been identified. There
is also no indication that exploitation will directly disrupt operation of a Rockwell Automation
programmable controller, operator interface or other networked device connected elsewhere in the local
control system.

< Update Start>

As a result of additional analysis conducted by Risk Based Security, Inc. of the LogReceiver.exe service, additional enhancements have been made to the LogReceiver.exe to further increase resiliency of the service.

< Update End >



RISK MITIGATION

Software patches for affected FactoryTalk Services Platform and RSLogix Enterprise software are being
released to mitigate associated risk:

Product Description

Affected Versions

Recommendations

FactoryTalk Services Platform (FTSP)

CPR9, CPR9-SR1, CPR9-SR2,
CPR9-SR3, CPR9-SR4,

Upgrade to FTSP CPR9-SR5 or newer

CPR9-SR5

Apply patch: AID#522048

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522048

CPR9-SR5.1

Apply patch: AID#522049

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522049

CPR9-SR6

Apply patch: AID#522052

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522052

Product Description

Affected Versions

Recommendations

RSLinx Enterprise

CPR9, CPR9-SR1, CPR9-SR2,
CPR9-SR3, CPR9-SR4,

Upgrade to RSLinx CPR9-SR5 or newer

CPR9-SR5

Apply patch: AID# 544798

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/544798

Update: AID# 534705 has been replaced with AID: 544798 which includes additional security enhancements.

CPR9-SR5.1

Apply patch: AID# 545535

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/545535

Update: AID# 537302 has been replaced with AID: 545535 which includes additional security enhancements.

CPR9-SR6

Apply patch: AID#545537

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/545537

Update: AID# 535962 has been replaced with AID: 545537 which includes additional security enhancements.

Corrective actions have been taken to help ensure subsequent software versions of FactoryTalk Services
Platform, including FactoryTalk Diagnostics, and RSLinx Enterprise will remain free of this
vulnerability.

In addition to applying the above patches, to help further reduce the likelihood of compromise and the
associated security risk, Rockwell Automation recommends the following immediate mitigation strategies.
When possible, multiple strategies should be employed simultaneously:

  1. The RNADiagReceiver.exe service should only run on servers that will receive diagnostics from PanelView
    Plus terminals. It is advisable to disable this service via Microsoft Windows Service Control Panel for
    servers that do not require this service.
  2. Configure firewalls to block the following TCP ports to prevent traversal of RNA messages into/out of
    the ICS system:
  • 1330
  • 1331
  • 1332
  • 4241
  • 4242
  • 4445
  • 4446
  • 5241
  • 6543
  • 9111
  • 60093
  • 49281

We also recommend concerned customers remain vigilant and continue to follow security strategies that
help reduce risk and enhance overall control system security. Where possible, we suggest you apply
multiple recommendations and complement this list with your own best-practices:

  1. Employ layered security and defense-in-depth methods in system design to restrict and control access to
    individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for
    comprehensive information about implementing validated architectures designed to deliver these measures.
  2. Restrict physical and electronic access to automation products, networks and systems to only those
    individuals authorized to be in contact with control system equipment and perform product firmware
    upgrades to that equipment.
  3. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

Concerned customers are encouraged to continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information
relating to this matter.

For more information and for assistance with assessing the state of security of your existing control
system, including improving your system-level security when using Rockwell Automation and other vendor
controls products, you can visit the Rockwell Automation Security Solutions web site at
http://www.rockwellautomation.com/solutions/security

KCS Status

Released

PN758 | PN758 | Stratix 5700, 8000 and 8300 Weak Password Vulnerability
Published Date:
April 02, 2013
Last Updated:
April 02, 2013
Products:
Ethernet/IP Network
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Stratix 5700, 8000 and 8300 Weak Password Vulnerability

Description

April 2, 2013 - version 1.0

Rockwell Automation has become aware of a weak password protection implementation affecting Allen-Bradley brand Stratix™ managed Ethernet switch firmware. This weakness affects Stratix 5700, 8000 and 8300 managed switches products that contain particular versions of IOS® firmware that employ a Type 4 (SHA256) cryptographic password hash algorithm.

Due to an implementation issue in affected IOS versions, a user-provided password that has been hashed using the IOS Type 4 algorithm implementation is less resilient to brute-force attacks than a Type 5 hashed password of equivalent complexity. Successful exploitation of this weakness can lead to unauthorized access to the product.

To date, we are not aware of any known cases of successful exploitation of this vulnerability in Stratix 5700, 8000 or 8300 products. Furthermore, we are not aware of publicly available proof of concept exploit code.

AFFECTED PRODUCTS
The following Stratix managed Ethernet switches are affected:

  1. Stratix 5700 firmware release 15.0(1)EY1. This firmware ships on all Stratix 5700 catalog items.
  2. Stratix 8000 firmware release 15.0(2)SEIES. This firmware is known as release 7 and was released in January 2013. This firmware does not, and has never shipped on the Stratix 8000. It would reside on a Stratix 8000 only after the product’s initial shipment and only if intentionally downloaded to the hardware.
  3. Stratix 8300 firmware release 15.0(2)SEIES. This firmware is known as release 7 and was released in January 2013. This firmware does not, and has never shipped on the Stratix 8300. It would reside on a Stratix 8300 only after the product’s initial shipment and only if intentionally downloaded to the hardware.

To determine if a Stratix 8000 or Stratix 8300 is using the above firmware, you can reference the software field located on the dashboard of Device Manager or the IOS Release field on the switch status tab located in the RSLogix 5000 Stratix Add on Profile.

RISK MITIGATION
For details and recommended action to mitigate this security vulnerability in products that contain the affected IOS, go to the following Cisco web site.

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4

In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:

  1. Where feasible, use a unique and complex password for products so as to help reduce the risk that multiple products could be compromised as a result of a single password becoming learned.
  2. Where feasible, adopt password management practices to periodically change product passwords to help mitigate risk for passwords to remain usable for an extended period of time.
  3. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
  4. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
  5. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

Critical
PN561 | PN561 | Client Software Authentication Security Vulnerability in MicroLogix™ Controllers
Published Date:
March 19, 2013
Last Updated:
March 19, 2013
Products:
MicroLogix Controllers
CVSS Scores:
10
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Client Software Authentication Security Vulnerability in MicroLogix™ Controllers

Description

Original disclosure: December 18, 2009

Updated: January 20, 2010

Updated: March 19, 2013 - version 1.0 (see below)

Rockwell Automation has identified a security vulnerability in the programming and configuration client software authentication mechanism employed by the MicroLogix™ family of programmable controllers. This vulnerability is known to affect the MicroLogix family of controller platforms, including catalog numbers: 1761-Lxxxxx, 1762-Lxxxxx, 1763-Lxxxxx, 1764-Lxxxxx, 1766-Lxxxxx (the "Product").

Details of this vulnerability are as follows:

The potential exists for a highly skilled, unauthorized person with specific tools, know-how and access to the Product or the control system communication link, to intercept data communications between the product and any authorized programming and configuration client to RSEmulate the role of a trusted software client to potentially make unauthorized changes to the Product’s operation.

<START UPDATE>

Added: 20 Jan 2010

RISK MITIGATION

Enhancements to the MicroLogix 1400 firmware are being released that reduce the potential for a successful exploitation of the vulnerability.

MicroLogix 1400

Catalog Number

Description

Affected Products

Corrective Firmware

1766-L32xxxx

MicroLogix 1400 controller

Series B FRN 11 or earlier

FRN 12 or higher

Current firmware for MicroLogix can be obtained here:

http://www.ab.com/linked/programmablecontrol/PLC/MicroLogix/downloads.html

<END UPDATE>

<START UPDATE>

Added: 19 March 2013

Both RSLogix 500 and RSLogix Micro software version 8.40 were enhanced to introduce password encryption without any changes necessary to SLC and MicroLogix firmware. This implementation is compatible with all SLC and MicroLogix platforms.

In order to use this capability, a new "Encrypt Password" checkbox has been included in RSLogix 500/Micro version 8.40. This "Encrypt Password" checkbox is located on the Password tab of the Controller Properties page.

NOTE: Once an encrypted password is loaded into a controller, earlier versions of RSLogix 500 and RSLogix Micro will not be able to match the controller password.

For detailed information, refer to Publication 1766-RM001E-EN-P - May 2012, Program Password Protection

<END UPDATE>

Customers who are concerned about unauthorized access to their Products can take immediate steps as outlined below to reduce associated security risk from this potential vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system’s configuration too.

To help reduce the likelihood of exploitation and to help reduce associated security risk, Rockwell Automation recommends the following immediate mitigation strategies (Note: when possible, multiple strategies should be employed simultaneously):

  1. Disable where possible the capability to perform remote programming and configuration of the Product over a network to a controller by placing the controller’s key switch into RUN mode.
  1. Enable static protection on all critical data table files to prevent any remote data changes to critical data.
  1. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
  1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
  1. Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

In addition to these immediate risk mitigation strategies, Rockwell Automation is addressing this potential security vulnerability in the Product and associated programming and configuration software. Lastly, Rockwell Automation is committed to making additional security enhancements to our systems in the future.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

Critical
PN690 | PN690 | EtherNet/IP™ Product Vulnerabilities
Published Date:
January 03, 2013
Last Updated:
January 13, 2025
CVE IDs:
CVE-2012-6439, CVE-2012-6441, CVE-2012-6442 , CVE-2012-6438, CVE-2012-6437
Products:
Ethernet/IP Network
CVSS Scores:
10.0, 7.8, 8.5
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

 

Introduction

EtherNet/IP™ Product Vulnerabilities

Description

 

January 3, 2013 - version 1.0

Update to January 31, 2012

On January 19, 2012, Rockwell Automation was notified by Digital Bond, Inc. of vulnerabilities discovered in an Allen-Bradley 1756-ENBT communication module. The public disclosure of these findings occurred at the S4 conference and included details to allow for potential reproduction and exploitation of these vulnerabilities.

<Update A>

Rockwell Automation has released firmware to address two of the product vulnerabilities affecting specific controller, communication modules and adapters.

<Update A>

 

VULNERABILITY DETAILS

CVE-2012-6439

A Denial of Service (DOS) condition may result when an affected product receives valid CIP message that changes the product’s configuration and network parameters. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and a disruption of communication to other products in controller platform or system.
<Update B>

Rockwell Automation continues to investigate potential mitigations to this vulnerability that maintain compliance to EtherNet/IP specification.

 

CVE-2012-6441

An Information Disclosure of product-specific information unintended for normal use results when the affected product receives a specially crafted CIP packet.

<Update B>

 

CVE-2012-6442 

A Denial of Service (DOS) condition results when affected product receives a valid CIP message that instructs the product to reset. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and a temporary disruption of communication to other products in controller platform or system.

<Update C>

Rockwell Automation continues to investigate potential mitigations to this vulnerability that maintain compliance to EtherNet/IP specification.

<Update C>

CVE-2012-6438

A Denial of Service (DOS) condition and a product recoverable fault results when affected product receives a malformed CIP packet. Receipt of such a message from an unauthorized source has will cause a disruption of communication to other products in controller platform or system. Recovery from a successful exploitation of this vulnerability requires the product to be reset via power cycle to the chassis or removal-reinsertion of module.

CVE-2012-6437

The potential exists for the affected product to accept an altered or corrupted firmware image during its upgrade process that may render the product inoperable or change its otherwise normal operation. Receipt of such a message from an unauthorized source has the potential to cause loss of product availability and a disruption of communication to other products in controller platform or system. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the product for other malicious activities.

 

AFFECTED PRODUCTS

Rockwell Automation’s Security Taskforce has determined the following Rockwell Automation products are affected by this vulnerability. Investigations continue to evaluate if other Rockwell Automation products are similarly affected:

CVE-2012-6439

  • All EtherNet/IP products that conform to the CIP and EtherNet/IP specifications.

 

<Update D>

CVE-2012-6441

  • 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules

Note: Further evaluation has reduced the list of products affected by this vulnerability.

<Update D>

 

CVE-2012-6442 

  • All EtherNet/IP products that conform to the CIP and EtherNet/IP specifications.

 

CVE-2012-6438

  • 1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules
  • CompactLogix L32E and L35E controllers
  • 1788-ENBT FLEXLogix adapter
  • 1794-AENTR FLEX I/O EtherNet/IP adapter

<Update E>

Note: Evaluations continue to determine additional products that may be affected.

<Update E>

 

CVE-2012-6437

  • Products that do not support Rockwell Automation digital signature-based firmware validation

RISK MITIGATION

To help reduce the likelihood of compromise and the associated security risks, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously:

<Update F>

CVE-2012-6439 and CVE-2012-6442  Mitigations

1. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

2. Employ a Unified Threat Management (UTM) appliance that specifically supports CIP message filtering designed to block the specific vulnerabilities:

  • CIP Ethernet configuration service

  • Messages sent to CIP Class code: 0xc0 with Service code: 0x97 service

  • CIP reset service

NOTE: Rockwell Automation continues to investigate and evaluate other product-level strategies to address this vulnerability.

Vulnerabilities CVE-2012-6441 and CVE-2012-6438: Mitigations

Communication Modules and Adapters

Catalog Number

Description

Affected Products

New Firmware

1756-ENBT

EtherNet/IP modules for ControlLogix platform

All firmware revisions prior to 6.005

6.005

1756-EWEB

Ethernet Webserver module for ControlLogix platform

All firmware revisions prior to 4.016
Note: Updated 2 Jan 2013

4.016
Note: Updated 2 Jan 2013

1768-ENBT

EtherNet/IP modules for CompactLogix platform

All firmware revisions prior to 4.004
Note: Updated 2 Jan 2013

4.004
Note: Updated 2 Jan 2013

1768-EWEB

Ethernet Webserver module for CompactLogix platform

All firmware revisions prior to 2.005

2.005
Note: Updated 3 Jan 2013

1788-ENBT

FLEXLogix EtherNet/IP adapter

Evaluations continue

Evaluations continue

Controllers

Catalog Number

Description

Affected Products

New Firmware

CompactLogix L32E

CompactLogix Controller

All firmware revisions prior to 20.012

20.012

CompactLogix L35E

CompactLogix Controller

All firmware revisions prior to 20.012

20.012

Distributed I/O

1794-AENTR

FLEX I/O EtherNet/IP adapter

Evaluations continue

Evaluations continue
Find Downloads at:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx

 

CVE-2012-6437: Mitigations

At this time, Rockwell Automation continues to evaluate the technical feasibility of enhancing the 1756-ENBT to include a digital signature validation mechanism on firmware.

In lieu of this capability, concerned customers are recommended to employ good security design practices in their network architecture and also consider using the more contemporary 1756-EN2T EtherNet/IP communication modules for the ControlLogix platform.

The capability for the 1756-EN2T to validate digital signatures has been introduced in the below product release:

Catalog Number

Description

New Firmware

1756-EN2T

EtherNet/IP modules for ControlLogix platform that support digital signature validation on firmware

5.028

Find Downloads at:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx

 

Other Rockwell Automation products:

1. Obtain product firmware only from trusted manufacturer sources.

2. Use only Rockwell Automation issued tools to perform product firmware upgrades.

3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.

4. Refer to AID:433319 and AID:43320 for similar, previously released advisories that include recommended similar mitigation strategies.

NOTE: Rockwell Automation continues to investigate and evaluate other product-level strategies to address this vulnerability.

<Update F>

In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. If appropriate for the application, isolate the Industrial Control System network from the Enterprise network and other points of potential remote network access.

3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

4. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

5. Use up to date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.

6. Make sure that software and control system device firmware is patched to current releases.

7. Periodically change passwords in control system components and infrastructure devices.

8. Where applicable, set the controller key-switch/mode-switch to RUN mode

9. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

.

KCS Status

Released

 

PN753 | PN753 | Vulnerability claims relating to FactoryTalk Services and RSLogix 5000 Software
Published Date:
November 29, 2012
Last Updated:
November 29, 2012
Products:
Logix Designer
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Vulnerability claims relating to FactoryTalk Services and RSLogix 5000 Software

Description

November 29, 2012 - version 1.0

On November 25, 2012, Exodus Intelligence, Inc. (Exodus) disclosed a limited amount of information relating to purported vulnerabilities in some Rockwell Automation products. In addition, they identified associated risks relating to third-party software that is included with the Rockwell Automation product installation. As a result of this information disclosure, Rockwell Automation’s Security Taskforce independently reached out to Exodus to request greater details to help us validate these claims and assess risk so we could rapidly establish a responsible risk mitigation strategy for our customers.

On November 28, 2012, Exodus provided greater details of their findings directly to Rockwell Automation. This included specific information about affected products, product versions and also proof-of-concept exploitation code that demonstrates the particular product weaknesses. With our receipt of this information, Rockwell Automation launched a detailed technical evaluation of the claims and we further expanded our preparations to support our customers in risk remediation activities, if such actions should become necessary.

As a result of Rockwell Automation’s technical evaluations, the vulnerability claims made by Exodus have been validated and verified to affect an older version of a component of the Rockwell Automation FactoryTalk services platform. The particular affected component had been previously identified and has since evolved to already remove any risk associated with Exodus’ findings.

Rockwell Automation’s Security Taskforce evaluations specifically determined:

  • One vulnerability identified by Exodus was a re-discovery of a previous known anomaly in a component version of a software service. Rockwell Automation addressed this vulnerability via software patch first issued on October 4, 2011. In addition to releasing the patch, specific process improvement steps were put in place to remove risk of re-introducing the anomaly in subsequent product releases.

  • A second vulnerability identified by Exodus had already been internally identified and isolated by Rockwell Automation as a result of our ongoing code review processes within our Security Development Lifecycle (SDL). This vulnerability was similarly addressed in the same above product patch issued on October 4, 2011. Similar process improvement steps were put in place at that time to avoid potential to carry the anomaly forward in newer software releases.

    For specifics relating to the publicized vulnerabilities and resulting patch, refer to: https://rockwellautomation.custhelp.com/app/answers/detail/a_id/456144
  • Exodus’ observation is accurate that Rockwell Automation software installations sometimes include third-party content such as Adobe® Reader. Such software is often included as a convenience for customers who may lack immediate access to the Internet to obtain a PDF viewer necessary to read certain electronic documentation included with our products.

    In July 2008, at the time of the particular Rockwell Automation RSLogix 5000 product release evaluated by Exodus, Adobe® Reader Version 8 was a current version of PDF reader software. Since our initial product release, our subsequent software releases and master installation files have undergone numerous incremental and major revisions. These incremental product releases lead to the ongoing creation of newer software master installs which, where possible include more-current third-party content such as Adobe Reader. A customer who acquires today the particular 2008 release of RSLogix 5000 software from Rockwell Automation receives a software installation that includes more contemporary versions of third-party content, e.g. Adobe Reader X (Version 10).

    We continue to encourage all customers to be proactive and stay current where possible with software patches and new product releases for all software used in their control systems.

CONTINUOUS IMPROVEMENT AND MATURITY MODEL

Rockwell Automation shares in the same concerns as our customers, product users, security research community and the public at large with regard to the industrial control system security.

  • We continue to make significant investment in our product development and testing processes and also provide relevant product and system security features to our customers to help protect assets, information and operational integrity.
  • Our internal Security Development Lifecycle (SDL) continues to mature and demonstrate tangible value to help proactively address potential product and system design weaknesses.
  • We parallel our product security developments, testing and overall SDL investments with added lessons learned from our formal approach to product security Threat Management and Incident Response.

These combined efforts and others result in a maturity model allowing for continuous improvements in our contemporary solution that successfully enhance product and system security. Where technically feasible, some of these same improvements are also made available for many legacy products and systems too.

ADDED RECOMMENDATIONS FOR RISK MITIGATION

Rockwell Automation advocates that all industrial control system asset owners invest to assess security risks in their automation systems and take appropriate measures to reduce known risks to an acceptable level. A balance of both technical and non-technical measures comprises a successful Security Program, therefore risk-reducing compensating controls should include a combination of careful product selection, network and infrastructure design and installation, maintenance and upgrade planning and consistent personnel training complemented by structured policies and procedures for employees to follow.

In particular, keeping software and hardware products and system components up to date remains a key imperative to help maintain and enhance the security posture of industrial control systems. The following links provide basic foundational information on security best practices proven suitable for all control systems:

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

Medium
PN750 | PN750 | FactoryTalk® Historian SE Security Vulnerability from PI OPC DA software interface
Published Date:
November 02, 2012
Last Updated:
November 02, 2012
Products:
FactoryTalk Historian SE
CVSS Scores:
6.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

FactoryTalk® Historian SE Security Vulnerability from PI OPC DA software interface

Description

November 2, 2012 - version 1.0

In response to the ICS-CERT Advisory ICSA-12-201-01 – OSISOFT PI OPC DA INTERFACE BUFFER OVEFLOW, Rockwell Automation’s Security Taskforce conducted a thorough evaluation of Rockwell Automation products that include, or make use of the affected OSIsoft PI OPC DA interface software.

AFFECTED PRODUCTS
As a result of Rockwell Automation’s evaluation, we have determined the following Rockwell Software-brand product includes, and makes use of the OSIsoft PI OPC DA software interface:

FactoryTalk™ Historian SE versions 2.10.00, 2.20.00 and 3.00.00

VULNERABILITY DETAILS
Per ICSA-12-201-01, OSIsoft, LLC proactively disclosed the presence of "a stack-based buffer overflow in the PI OPC DA interface software that could cause the software to crash or allow a remote attacker to execute arbitrary code." Furthermore, "Successful exploitation of this vulnerability could allow a remote, authenticated attacker to execute arbitrary code on a vulnerable system."

Rockwell Automation includes and installs the PI OPC DA interface software with FactoryTalk™ Historian SE; however, this interface is NOT configured and it is NOT running by default. When the PI OPC DA interface software that has been included with the install is used for OPC communications, it is similarly susceptible to the above mentioned stack-based vulnerability and the system-wide effects of successful exploitation of the weakness.

RISK MITIGATION
ICSA-12-201-01 states, "OSIsoft has published a customer notification, and has released a product update that resolves this vulnerability." This release applies specifically to OSIsoft PI OPC DA software.

Rockwell Automation has validated this OSIsoft product update and taken similar measures to proactively release a product update for affected Rockwell Software FactoryTalk Historian SE versions. The software update and associated installation instructions can be found in the Rockwell Automation Knowledgebase at:

AID: 509721 - https://rockwellautomation.custhelp.com/app/answers/detail/a_id/509721

NOTE: We recognize that not all FactoryTalk Historian SE users employ the OPC interface; nonetheless, Rockwell Automation still recommends the above software update be applied to affected software to help mitigate potential future risk should the interface software be used at a later time.

In addition to applying the above software update to affected products, Rockwell Automation’s Security Taskforce recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.

3. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/security

KCS Status

Released

High
PN691 | PN691 | Rockwell Automation Logix™ Controller Vulnerabilities
Published Date:
July 18, 2012
Last Updated:
January 13, 2025
CVE IDs:
CVE-2012-6436, CVE-2012-6435
Products:
ControlLogix, CompactLogix, GuardLogix, SoftLogix
CVSS Scores:
7.8
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

 

Introduction

 

Description

July 18, 2012 - version 1.0

Update to December 4, 2013

On January 19, 2012, Rockwell Automation was notified by Digital Bond, Inc. of vulnerabilities discovered in an Allen-Bradley ControlLogix controller. The public disclosure of these findings occurred at the S4 conference and included details to allow for potential reproduction and exploitation of these vulnerabilities.

<Update A>

Vulnerability #1 has been addressed in Logix release V16.023 / V20.011 and higher.

Controller firmware issued with Logix release V16.023 / V20.012 and higher addresses the product vulnerability (see Vulnerability #2 below) in affected ControlLogix and GuardLogix controllers.

<Update A>

 

VULNERABILITY DETAILS

CVE-2012-6436

A Denial of Service (DOS) condition results when an affected controller receives a malformed CIP packet that causes the controller to enter a fault state requiring the reloading of the user program. Receipt of such a message from an unauthorized source has the potential to cause loss of product availability and a disruption to the operation of other products in a system that depend on instructions issued by the affected controller. Recovery from successful exploitation requires the controller mode switch to be cycled. In addition, the user program must be reloaded either automatically from the local CompactFlash card, or manually via RSLogix 5000 software.

CVE-2012-6435

A Denial of Service (DOS) condition results when an affected controller receives a valid CIP message that instructs the controller to stop logic execution and enter a fault state requiring the reloading of the user program. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and a disruption to the operation of other products in a system that depend on instructions issued by the affected controller. Recovery from successful exploitation requires the controller mode switch to be cycled. In addition, the user program must be reloaded either automatically from the local CompactFlash card, or manually via RSLogix 5000 software.

 

AFFECTED PRODUCTS

Rockwell Automation’s Security Taskforce has determined the following Rockwell Automation products are affected by this vulnerability. Investigations continue to evaluate if other Rockwell Automation products are similarly affected:

CVE-2012-6436
Version 18 and prior releases of ControlLogix, CompactLogix, GuardLogix and SoftLogix

NOTES: This vulnerability does not exist in controller products using V19 and higher.

 

CVE-2012-6435

  • Version 19 and prior releases of CompactLogix and SoftLogix controllers
  • Version 20 and prior releases of ControlLogix and GuardLogix controllers

 

RISK MITIGATION

To help reduce the likelihood of compromise and the associated security risk, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously:

CVE-2012-6436 Mitigation

  • Where possible, we recommend users upgrade affected products to Logix release V20 and higher.

 

CVE-2012-6435 Mitigations

1. Where possible, upgrade CompactLogix and SoftLogix affected products to Logix release V20 and higher.

<Update B>

2. Where possible, upgrade ControlLogix and GuardLogix to Logix firmware release v20.012 or higher.

<Update B>

3. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

4. Employ a Unified Threat Management (UTM) appliance that specifically supports CIP message filtering designed to block the CIP stop service.

NOTE: Rockwell Automation continues to investigate and evaluate other ControlLogix controller product-level strategies to address this vulnerability.

In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. If appropriate for the application, isolate the Industrial Control System network from the Enterprise network and other points of potential remote network access.

3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

4. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

5. Use up to date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.

6. Make sure that software and control system device firmware is patched to current releases.

7. Periodically change passwords in control system components and infrastructure devices.

8. Where applicable, set the controller key-switch/mode-switch to RUN mode

9. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

.

KCS Status

Released

 

Critical
PN692 | PN692 | MicroLogix™ 1100 and 1400 Controller Vulnerability
Published Date:
July 18, 2012
Last Updated:
January 13, 2025
CVE IDs:
CVE-2012-6440
Products:
MicroLogix 1100 and 1400 controller
CVSS Scores:
9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
More Details Less Details Chevron DownChevron Down

 

Introduction

MicroLogix™ 1100 and 1400 Controller Vulnerability

Description

July 18, 2012 - version 1.0

Update to May 4, 2012

On January 19, 2012, Rockwell Automation was notified by Digital Bond, Inc. of vulnerabilities discovered in an Allen-Bradley MicroLogix controller. The public disclosure of these findings occurred at the S4 conference and included details to allow for potential reproduction and exploitation of these vulnerabilities.

<Update A>

Rockwell Automation released firmware for the MicroLogix 1400 controller in June 2012 to address the identified product vulnerability in a potential replay attack directed at the product’s webserver.

Due to technical limitations in the MicroLogix 1100 platform, to reduce associated risk with this vulnerability Rockwell Automation recommends concerned customers follow good industrial control system design and security practices including those listed below in RISK MITIGATION.

 

AFFECTED PRODUCTS

Rockwell Automation’s Security Taskforce has determined the following Rockwell Automation products are affected by this vulnerability

  • MicroLogix 1100
  • MicroLogix 1400

 

CVE-2012-6440

The webserver password authentication mechanism employed by the affected products is vulnerable to a Man-in-the-Middle (MitM) and Replay attack. Successful exploitation of this vulnerability will allow unauthorized access of the product’s webserver to view and alter product configuration and diagnostics information. Recovery from successful exploitation of this vulnerability may require the product to be reset to its factory-default settings.

 

RISK MITIGATION

Enhancements to the MicroLogix 1400 firmware are being released that reduce the potential for a successful replay attack targeting the product’s webserver.

 

MicroLogix 1400

Catalog Number

Description

Affected Products

Corrective Firmware

1766-L32xxxx

MicroLogix 1400 controller

Series B FRN 11 or earlier

FRN 12 or higher

Current firmware for MicroLogix can be obtained here:

http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html

<Update A>

 

MicroLogix 1100 and 1400

To help reduce the likelihood of compromise and the associated security risk, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously:

1. Where possible for affected products, disable the web server in the Ethernet Channel 1 configuration in RSLogix 500 software. This is done by unchecking the HTTP Server Enable checkbox (checked by default) and power cycling the controller.

2. Change all default Administrator and Guest passwords.

3. If webserver functionality is desired in the MicroLogix 1100 or 1400 controllers, we recommend the product’s firmware be upgraded to the most current version that includes enhanced protections including:

a. When a controller receives two consecutive invalid authentication requests from any HTTP client, the controller resets the Authentication Counter after 60 minutes.

b. When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid Authentication packets until a 24-hour HTTP Server Lock Timer timeout.

WARNING/REMINDER: Upgrading the controller firmware clears the web server configuration. It is necessary to manually record the web server settings prior to a firmware upgrade so the configuration can be manually re-entered into the web server settings after the firmware upgrade is complete.

NOTE: The latest MicroLogix 1100 and 1400 firmware versions are posted at: http://www.ab.com/linked/programmablecontrol/PLC/MicroLogix/downloads.html

4. If webserver functionality is desired in the MicroLogix 1100 or 1400 controllers, we recommend you configure User Accounts to only provide READ access to the product (e.g. do not configure READ/WRITE for Users). In addition, where possible exclusively access the product via User Accounts to minimize potential for a Replay attack to the Administrator’s account. User-administration is done through the product’s webserver.

NOTE: Rockwell Automation continues to investigate and evaluate other product-level strategies to address this vulnerability.

In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

3. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

4. Use up to date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.

5. Make sure that software and control system device firmware is patched to current releases.

6. Periodically change passwords in control system components and infrastructure devices.

7. Where applicable, set the controller key-switch/mode-switch to RUN mode

8. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/

Based on the outcome of our ongoing investigation, we will communicate relevant recommended mitigation strategies to our concerned customers.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

 

Medium
PN687 | PN687 | FactoryTalk™ Diagnostics Receiver Service Vulnerability
Published Date:
February 15, 2012
Last Updated:
February 15, 2012
Products:
FactoryTalk Services Platform
CVSS Scores:
5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

FactoryTalk™ Diagnostics Receiver Service Vulnerability

Description

February 15, 2012 - version 1.0

Update to January 31, 2012 - version 1.0

On January 17, 2012, Rockwell Automation was made aware of two security vulnerabilities in the FactoryTalk™ Diagnostics Receiver Service (RNADiagReceiver.exe) that if successfully exploited, may result in a Denial of Service condition.

AFFECTED PRODUCTS

Rockwell Automation’s Security Taskforce has determined the following Allen-Bradley products are affected by these vulnerabilities:

  • RSLogix 5000 (versions 17, 18, 19, 20)
  • FactoryTalk Directory
  • FactoryTalk Alarms & Events
  • FactoryTalk View SE
  • FactoryTalk Diagnostics
  • FactoryTalk Live Data
  • FactoryTalk Server Health

VULNERABILITY DETAILS

A successful attack occurs when the RNADiagReceiver.exe service receives a datagram on UDP port 4445 that exceeds 2000 bytes, or the service receives a specifically crafted datagram of a valid size. A successful attack to the service will result in two respective conditions:

1. Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4445.

2. Crash condition that disrupts further execution of the RNADiagReceiver.exe diagnostic service.

The disruption or failure of the service leads to the potential for disruption to the operation of any software that depends on the RNADiagReceiver.exe service. The vulnerability can be exploited remotely from a network-based attack; however, the Security Taskforce has determined that there is no known possibility of malicious code injection and no known escalation of privilege on the host machine that results from successful exploitation.

ADDRESSING THE RISK

Rockwell Automation has released a specific software patch to address this vulnerability in software products that incorporate the RNADiagReceiver.exe service:

http://rockwellautomation.custhelp.com/app/answers/detail/a_id/471091

ADDITIONAL RISK MITIGATION

In addition to applying the above patch, Rockwell Automation recommends concerned customers configure firewalls to block the following TCP ports to prevent traversal of RNA messages into/out of the ICS system:

• 1330
• 1331
• 1332
• 4241
• 4242
• 4445
• 4446
• 6543
• 9111
• 60093
• 49281

We also recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.

3. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

Concerned customers should continue to monitor Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to security in Rockwell Automation products and systems.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

PN675 | PN675 | RSLogix 5000 Software Potential Denial-of-Service Vulnerability
Published Date:
September 13, 2011
Last Updated:
September 13, 2011
Products:
Logix Designer
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

RSLogix 5000 Software Potential Denial-of-Service Vulnerability

Description

September 13, 2011 - version 1.0

This advisory has been replaced with AID# 456144

On September 13, 2011, Rockwell Automation was made aware of a potential vulnerability in RSLogix 5000 software that if successfully exploited, may result in a Denial of Service condition.

We are in the process of validating the potential vulnerability in order to determine possible risk, scope, impacts, and exposure to our customers if it is confirmed.

Based on the outcome of our ongoing investigation, if the vulnerability is confirmed, we will communicate a recommended mitigation strategy to our concerned customers as soon as possible.

Until a specific mitigation strategy is made available, we recommend concerned customers remain vigilant and continue to apply the following security strategies that help reduce risk and enhance overall control system security:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

High
PN1643 | PN1643 | 1756-EN2TR and 1756-EN3TR Open UDP Port Vulnerability
Published Date:
September 12, 2011
Last Updated:
September 12, 2011
Products:
1756 - EN2TR and 1756-EN3TR
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – September 12, 2011

Affected Products

Affected Product First Known in firmware revision Corrected in firmware Revision
1756-EN2TR (Series A, B) 4.002 - 4.003 4.004
1756-EN3TR (Series A) 4.002 – 4.003 4.004

Additional Notes

Excluding the above product releases, no other released versions of the 1756-EN2TR or 1756-EN3TR communication interfaces exhibit this potential vulnerability. Version 4.002 and 4.003 of the 1756-EN2T, 1756-EN2F, and 1756-EN2TXT do not have this vulnerability.

Vulnerability Details

Rockwell Automation has identified a vulnerability in specific shipping versions of the 1756-EN2TR and 1756-EN3TR EtherNet/IP communication interfaces for the ControlLogix platform. Due to an oversight in the product testing and release process, these particular product versions and accompanying product firmware mistakenly have their 17185/UDP communication port enabled.

The 17185/UDP communication port is intended for exclusive use by a vendor’s product development and test teams in order to support pre-release product development and testing activities. The communication port is not intended, nor does it offer any value to control system designers and product users.

This open UDP port is classified as a potential vulnerability since an unauthenticated user who gains access to the specific version of the product may be able to gain access to the product’s debugging information, disrupt its operation or potentially cause a denial of service, thereby affecting the product’s operation. This vulnerability is remotely exploitable.

CVSS Base Score: 7.5/10 (high)
CVSS 2.0 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Rockwell Automation is taking proactive, corrective actions in our product testing and release processes to help prevent subsequent reoccurrences of this matter.

We recognize the concerns our customers have relating to this matter. We continue to recommend that concerned customers remain vigilant and continue to follow good security practices.

Risk Mitigation & User Action

Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Medium
PN670 | PN670 | RSLogix 5000 .ACD Project File Memory Corruption Anomaly
Published Date:
July 26, 2011
Last Updated:
July 26, 2011
Products:
Logix Designer
CVSS Scores:
5.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

RSLogix 5000 .ACD Project File Memory Corruption Anomaly

Description

July 26, 2011 - version 1.0

An anomaly affecting specific versions of RSLogix 5000 software has been brought to Rockwell Automation’s attention by independent researchers and ICS-CERT. The identified anomaly relates to how RSLogix 5000 software, versions 19 and earlier, processes its native format .ACD project files.

Details of this anomaly are as follows:

The potential exists for affected versions of RSLogix 5000 software to accept a maliciously altered ACD project file that can result in an integer overflow condition, which can in turn cause the RSLogix 5000 software to terminate unexpectedly. In addition, the possibility for the injection of malicious software during this condition has not been definitively ruled out.

This anomaly affects all RSLogix 5000 releases up to and including Version 19.

There are no known exploits involving this anomaly. Successful exploitation would require social engineering to introduce and convince a user to open a maliciously altered ACD file. Additionally, there is no known proof-of-concept code or means to demonstrate results any more serious than the unexpected termination of the RSLogix 5000 application. Rockwell Automation’s technical evaluation and testing confirm the presence of this anomaly, but similarly indicates successful exploitation as a security vulnerability remains only theoretically possible. Furthermore, it has been confirmed that no escalation of privilege can result from successful exploitation of this anomaly.

Mitigation Strategy:

This anomaly will be addressed in the next release of RSLogix 5000, Version 20, and subsequent releases thereafter.

Additional recommendations to mitigate potential risk:

• Do not run RSLogix 5000 software in Administrator Mode.

• Only open ACD files from known and trusted sources.

• Store and transmit trusted ACD files in a secure manner and protect them as assets.

• Consider digitally signing trusted ACD files to authenticate their origin and indicate any file tampering.

Note: RSLogix 5000 software does not include a means to digitally sign ACD files; however, there are commercially available tools that can be used such as PGP, GnuPG to apply signatures to ACD and other files.

To help further enhance overall control system security, Rockwell Automation also recommends the following strategies. When possible, multiple strategies should be employed simultaneously:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.

Rockwell Automation continues to investigate and evaluate other strategies such as product and system-level techniques and functional enhancements to enhance security and reduce the likelihood of file tampering.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security .

KCS Status

Released

High
PN656 | PN656 | RSLinx Classic OPC Automation ActiveX component vulnerability could allow arbitrary code execution
Published Date:
June 28, 2011
Last Updated:
June 28, 2011
Products:
RSLinx Classic (Single Node
CVSS Scores:
8.4
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Description

June 28, 2011 - Version 1.0

A vulnerability has been discovered in the RsiOPCAuto.dll version 1.1.8.0 ActiveX component included with specific versions of RSLinx Classic that can allow for the execution or arbitrary code. This vulnerability affects the following:

  • RSLinx Classic version 2.54 and earlier

Details of this vulnerability are as follows:

The vulnerability results from a boundary error in the RsiOPCAuto.OPCServer ActiveX control. When a specific parameter in this control receives an excessively long debug string, a buffer overflow condition can allow for the execution of arbitrary and potentially malicious code.

There are currently no known active exploits of this vulnerability.

To help reduce the likelihood of exploitation and associated security risk, Rockwell Automation recommends the following mitigation strategy:

Affected Software

Upgrade or patch software
RSLinx Classic version 2.54 and earlier that include any version of RsiOPCAuto.dll Option 1 -->

Recommended:

RSLinx Classic version 2.55

NOTE: RSLinx Classic versions 2.55 and higher use OpcDAauto.dll from OPC Foundation and will no longer use RsiOPCAuto.dll. Custom software relying on RsiOPCAuto.dll will be affected.
Option 2 --> If unable to upgrade to version 2.55:

Apply software patch for RsiOPCAuto.dll to address this vulnerability in RSLinx Classic version 2.54 and all prior versions. The patch is available in the following technote: Answer ID 449288

NOTE: Rockwell Automation recommends all users applying this RSLinx Classic patch plan to upgrade to RSLinx Classic version 2.55 at first convenience given RSLinx Classic’s transition from RsiOPCAuto.dll to OpcDAauto.dll.

Rockwell Automation remains committed to making additional security enhancements to our systems in the future.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

High
PN657 | PN657 | Opening a corrupted FactoryTalk Diagnostics Viewer Configuration file (*.ftd) could cause arbitrary code execution
Published Date:
June 24, 2011
Last Updated:
June 24, 2011
Products:
FactoryTalk View SE, FactoryTalk Transaction Manager, FactoryTalk View ME
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Description

June 24, 2011 - Version 1.0

A vulnerability has been discovered in some specific versions of the FactoryTalk Diagnostics Viewer that could allow the execution of arbitrary code by opening a corrupted FactoryTalk Diagnostics Viewer Configuration file (*.ftd). This vulnerability would require some form of social engineering to convince a user of the FactoryTalk Diagnostics Viewer to open the corrupted (*.ftd) file.

The vulnerability has been confirmed to affect only the versions of the FactoryTalk Diagnostics Viewer v2.10.x (CPR9 SR2) and earlier.

Details of this vulnerability are as follows:

This issue is caused by a vulnerability in Microsoft’s ATL library code (MS09-035). Vendors were required to rebuild with the updated development tools and re-release their products in order to resolve this issue. This potential vulnerability has been confirmed to affect only the versions of the FactoryTalk Diagnostics Viewer v2.10.x (CPR9 SR2) and earlier. The FactoryTalk Diagnostics Viewer v2.30.00 (CPR9 SR3) and later utilize an updated version of Microsoft library code and does not exhibit this issue.

This vulnerability is not remotely exploitable. There are currently no known active exploits of this potential vulnerability.

To help reduce the likelihood of compromise and the associated security risk, Rockwell Automation recommends the following mitigation strategy:

Concerned customers should upgrade to FactoryTalk Diagnostics Viewer (CPR9 SR3) or greater. The FactoryTalk Diagnostics Viewer v2.30 is not available as a standalone installation package. It is included and installed as a part of the FactoryTalk Services Platform v2.30 (CPR9 SR3). Please reference AID 42682 - "Rockwell Automation Software Product Compatibility Matrix" to make sure you understand any dependencies and/or compatibility issues that may exist with installation of this version of the Services Platform.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

Attachments

KCS Status

Released

High
PN647 | PN647 | ControlLogix 1756-EWEB Enhanced Web Server FTP Server Security Vulnerability
Published Date:
June 15, 2011
Last Updated:
June 15, 2011
Products:
Ethernet/IP Network, 1756 ControlLogix I/O
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

ControlLogix 1756-EWEB Enhanced Web Server FTP Server Security Vulnerability

Description

June 15, 2011 - Version 1.0

Rockwell Automation has identified a security vulnerability in the ControlLogix 1756-EWEB Series A Enhanced Web Server (the "Product"). Details of this vulnerability are as follows:

If the FTP server on the Product is enabled, the Product can be caused to enter a faulted state if it is sent FTP commands with arguments larger than a certain size. When in this faulted state, the Product becomes unresponsive and nonfunctional. To return to the Product to its normal operating condition, the power to the Product must be cycled.

The results from an attacker’s successful exploitation of this vulnerability could include Denial of Service (DoS) to the Product, loss of Product availability and disruption to both Product and system operation.

Rockwell Automation plans to directly mitigate this vulnerability in a forthcoming Product firmware release currently anticipated in February, 2012.

To immediately help reduce the likelihood of exploitation and associated security risk, Rockwell Automation recommends the following mitigation strategies. When possible, multiple strategies should be employed simultaneously:

  1. Disable the FTP server on the Product through its configuration screens. Refer to Rockwell Automation publication: Ethernet-UM527-EN-P (see Enable/disable Other Services section).
  2. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
  3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

Critical
PN648 | PN648 | ControlLogix 1756-EN2T EtherNet/IP Bridge Firmware Upgrade Security Vulnerability
Published Date:
June 15, 2011
Last Updated:
June 15, 2011
Products:
Ethernet/IP Network, 1756 ControlLogix I/O
CVSS Scores:
10
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

ControlLogix 1756-EN2T EtherNet/IP Bridge Firmware Upgrade Security Vulnerability

Description

June 15, 2011 - Version 1.0

Rockwell Automation has identified a security vulnerability in the firmware upgrade process employed by the ControlLogix 1756-EN2T EtherNet/IP Bridge Module (the "Product"). This vulnerability affects the following products:

  • 1756-EN2T Series A; 1756-EN2T Series B; 1756-EN2T Series C

Details of this vulnerability are as follows:

The potential exists for the Product to accept an altered or corrupted firmware image during its upgrade process that may render the Product inoperable or change its otherwise normal operation.

The results from an attacker’s successful exploitation of this vulnerability could include Denial of Service (DoS) to the Product, loss of Product availability and disruption to both Product and system operation. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the Product for other malicious activities.

Rockwell Automation is currently planning to release enhanced firmware for the Product around February, 2012. This forthcoming firmware will include product-level firmware authentication and verification. This firmware release will be digitally signed. Once applied to the Product, any subsequent Product upgrades will require firmware that includes a valid Rockwell Automation digital signature for authentication purposes.

To immediately help reduce the likelihood of exploitation and associated security risk, Rockwell Automation recommends the following mitigation strategies. When possible, multiple strategies should be employed simultaneously:

  1. Obtain product firmware only from trusted manufacturer sources.
  2. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
  3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
  4. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (E.g. a firewall, UTM devices, or other security appliance).

For your information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

PN649 | PN649 | ControlLogix 1756-EWEB Enhanced Web Server Firmware Upgrade Security Vulnerability
Published Date:
June 15, 2011
Last Updated:
June 15, 2011
Products:
Ethernet/IP Network, 1756 ControlLogix I/O
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

ControlLogix 1756-EWEB Enhanced Web Server Firmware Upgrade Security Vulnerability

Description

June 15, 2011 - Version 1.0

Rockwell Automation has identified a security vulnerability in the firmware upgrade process employed by the ControlLogix 1756-EWEB Series A Enhanced Web Server Module (the "Product"). Details of this vulnerability are as follows:

The potential exists for the Product to accept an altered or corrupted firmware image during its upgrade process that may render the Product inoperable or change its otherwise normal operation.

The results from an attacker’s successful exploitation of this vulnerability could include Denial of Service (DoS) to the Product, loss of Product availability and disruption to both Product and system operation. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the Product for other malicious activities.

To help reduce the likelihood of exploitation and associated security risk, Rockwell Automation recommends the following mitigation strategies. When possible, multiple strategies should be employed simultaneously:

  1. Obtain product firmware only from trusted manufacturer sources.
  2. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
  3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
  4. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (E.g. a firewall, UTM devices, or other security appliance).

In addition to these mitigation strategies, Rockwell Automation continues to investigate and evaluate other strategies such as product and system-level techniques and functional enhancements to verify the authenticity of firmware updates and help reduce the likelihood of file tampering.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

Critical
PN646 | PN646 | RSLinx Classic™ EDS Wizard Buffer Overflow Vulnerability - May 24, 2011
Published Date:
May 24, 2011
Last Updated:
May 24, 2011
Products:
RSLinx Classic
CVSS Scores:
9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

RSLinx Classic™ EDS Wizard Buffer Overflow Vulnerability

May 24, 2011

Description

Rockwell Automation has investigated a reported buffer overflow vulnerability in RSLinx Classic™ and has determined the following:

· The reported vulnerability was not in RSLinx Classic, but in a separate isolated executable, EDS Hardware Installation Tool (RSHWare.exe), which is installed by RSLinx Classic. This executable file is normally launched from the following menu location:

Rockwell Software RSLinx Tools EDS Hardware Installation Tool

· The reported vulnerability requires an authorized administrator to run the EDS Hardware Installation Tool after gaining physical access to the computer in order to load an improperly formatted EDS file.

· The reported vulnerability has no effect on RSLinx Classic’s intended operation, which is to allow client applications to communicate with controllers and/or other automation devices.

· A successful exploit of this vulnerability could allow an attacker to run arbitrary code on the target PC.

Customers who are concerned about this reported vulnerability should recognize that to exploit it would require gaining physical access to the target computer, a user with administrator privileges and execution of the EDS Hardware Installation Tool in order to load an improperly formatted EDSfile.

Given the details above, it is highly unlikely that an attacker would use the EDS Hardware Installation Tool to launch a malicious attack.

The reported vulnerability is present in version 1.0.5.1 and earlier versions of the EDS Hardware Installation Tool (RSHWare.exe). To determine the version installed, locate RSHWare.exe, right-click and select properties. Select the properties "Version" tab to view the file version.

Rockwell Automation recommends concerned customers take the following immediate steps to mitigate risk associated with the reported vulnerability:

1. Restrict physical access to the computer.

2. Establish policies and procedures such that only authorized individuals have administrative rights on the computer.

3. Obtain product EDS files from trusted sources (e.g. product vendor)

4. Apply the Rockwell Automation issued Patch

Rockwell Automation has issued a software patch for the EDS Hardware Installation Tool that addresses this buffer overflow vulnerability. When applied, the patch replaces the RSEds.dll file with the modified version. Future releases of RSLinx Classic, starting with version 2.58 will include this modified version of the required files.

Rockwell Automation is committed to making additional security enhancements to our systems in the future.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

High
PN641 | PN641 | Security vulnerability in password mechanism of MicroLogix™ 1100 and 1400 Controllers
Published Date:
May 17, 2011
Last Updated:
May 17, 2011
Products:
1763-L16xxx, 1766-L32xxx
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

Security vulnerability in password mechanism of MicroLogix™ 1100 and 1400 Controllers

Description

May 17, 2011 - Version 1.2

Rockwell Automation has identified a security vulnerability in specific versions of the MicroLogix™ family of programmable controllers. This vulnerability affects, and is limited to, the following MicroLogix 1100 and 1400 platforms:

  • 1763-L16xxx, 1766-L32xxxx

Details of this vulnerability are as follows:

A denial of service results from a successful attack against the password mechanism employed in specific versions of the MicroLogix 1100 and 1400 controller platforms when the controller’s HTTP Server is enabled. When versions of these products are targeted with a specific attack, the potential exists for these products to enter a predefined fault mode and reset their product configuratoin back to factory-default state.User-intervention is necessary to reprogram and reconfigure the controller.

A successful attack on specific versions of the MicroLogix 1100 and 1400 controllers has the potential to cause a Denial of Service (DOS), loss of product availability and disruption to both product and system operation.

To help reduce the likelihood of compromise and the associated security risk, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously.

  1. Upgrade all MicroLogix 1100 and 1400 controllers per the following table:

    Controller Platform

    Catalog Number

    Affected Firmware

    Upgrade controller to firmware version

    MicroLogix 1100

    1763-L16xxx

    FRN 9 or earlier

    -->

    FRN 10 or higher

    MicroLogix 1400

    1766-L32xxxx

    Series A FRN 6 or earlier

    Series B FRN 10 and earlier

    -->

    -->

    Series A FRN 7 or higher

    Series B FRN 11 or higher

    Current firmware for MicroLogix can be obtained here:

    http://www.ab.com/linked/programmablecontrol/PLC/MicroLogix/downloads.html
  2. If there is no intention to use the controller’s HTTP server (i.e. web browser access), and the controller is connected to the network via Ethernet, prevent this potential compromise by unchecking HTTP Server Enable checkbox in the controller configuration settings available via RSLogix 500 or RSLogix Micro. Refer to publications 1763-um002_-en-p and 1766-um002_-en-p for more information on how to disable the HTTP Server (see Disable Web View).
  3. Where possible, disable the capability to perform unauthorized remote programming, configuration or flash upgrades to controllers over a network by placing the controller’s key switch into RUN mode.
  4. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
  5. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
  6. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

Rockwell Automation remains committed to making additional security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

High
PN1644 | PN1644 | Open UDP Port in 1756-ENBT EtherNet/IP™ Communication Interface
Published Date:
July 06, 2010
Last Updated:
July 06, 2010
Products:
1756-ENBT
CVSS Scores:
7.5
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Revision History
Revision Number
1.0
Revision History
Version 1.0 – July 6, 2010

Affected Products

Affected Product First Known in Firmware Revision Corrected in Firmware Revision
1756-ENBT (Series A) 3.26 3.9
1756-ENBT (Series A) 3.61 3.9

Vulnerability Details

Rockwell Automation has identified a potential vulnerability in some specific versions of the 1756-ENBT EtherNet/IP communication interface which shipped with an open 17185/UDP communication port meant to be used only for debugging purposes during the product development process.

This open UDP port is classified as a potential vulnerability since an unauthenticated remote user who gains access to the specific version of the product may be able to gain access to the product’s debugging information, disrupt its operation or potentially cause a denial of service, thereby affecting the product’s operation.

This potential vulnerability has been confirmed to affect only the listed versions of the 1756-ENBT EtherNet/IP communication interface for the ControlLogix controller platform.

CVSS Base Score: 7.5/10 (high)
CVSS 2.0 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

In conjunction with updating affected product firmware, customers who are concerned about unauthorized access to their Products can take additional immediate steps as outlined below to further reduce associated security risk from this potential vulnerability.

These same steps can also serve as a checklist to verify available security techniques are in place in a system’s configuration too. When possible, multiple strategies should be employed simultaneously.
  • Configure firewalls or access control lists (ACL) in the network infrastructure components (such as network firewall appliances and managed switches) to block access to the 17185/UDP port.
  • Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (such as a firewall, UTM devices, or other security appliance).
  • Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
  • Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and Control Networks. Refer to Reference Architectures for Manufacturing for comprehensive information about implementing validated architectures designed to deliver these measures.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Risk Mitigation & User Action

Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Critical
PN570 | PN570 | RSLinx Classic™ EDS Wizard Buffer Overflow Vulnerability - March 3, 2010
Published Date:
March 03, 2010
Last Updated:
March 03, 2010
Products:
RSLinx Classic (Single Node
CVSS Scores:
9.3
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

Introduction

RSLinx Classic™ EDS Wizard Buffer Overflow Vulnerability

March 3, 2010

Description

Rockwell Automation has investigated a reported buffer overflow vulnerability in RSLinx Classic™ and has determined the following:

· The reported vulnerability was not in RSLinx Classic, but in a separate isolated executable, EDS Hardware Installation Tool (RSHWare.exe), which is installed by RSLinx Classic. This executable file is normally launched from the following menu location:

Rockwell Software RSLinx Tools EDS Hardware Installation Tool

· The reported vulnerability requires an authorized administrator to run the EDS Hardware Installation Tool after gaining physical access to the computer in order to load an improperly formatted EDS file.

· The reported vulnerability has no effect on RSLinx Classic’s intended operation, which is to allow client applications to communicate with controllers and/or other automation devices.

· A successful exploit of this vulnerability could allow an attacker to run arbitrary code on the target PC.

Customers who are concerned about this reported vulnerability should recognize that to exploit it would require gaining physical access to the target computer, a user with administrator privileges and execution of the EDS Hardware Installation Tool in order to load an improperly formatted EDSfile.

Given the details above, it is highly unlikely that an attacker would use the EDS Hardware Installation Tool to launch a malicious attack.

The reported vulnerability is present in version 1.0.5.1 and earlier versions of the EDS Hardware Installation Tool (RSHWare.exe). To determine the version installed, locate RSHWare.exe, right-click and select properties. Select the properties "Version" tab to view the file version.

Rockwell Automation recommends concerned customers take the following immediate steps to mitigate risk associated with the reported vulnerability:

1. Restrict physical access to the computer.

2. Establish policies and procedures such that only authorized individuals have administrative rights on the computer.

3. Obtain product EDS files from trusted sources (e.g. product vendor)

4. Apply the Rockwell Automation issued Patch Aid 68053

Rockwell Automation has issued a software patch for the EDS Hardware Installation Tool that addresses this buffer overflow vulnerability. When applied, the patch replaces the RSEds.dll file with the modified version 4.0.1.157. Future releases of RSLinx Classic, starting with version 2.57, will include this modified version of the RSEds.dll.

Rockwell Automation is committed to making additional security enhancements to our systems in the future.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

Critical
PN566 | PN566 | Password Security Vulnerability in PLC5® and SLC™ 5/0x Controllers
Published Date:
February 02, 2010
Last Updated:
February 02, 2010
Products:
1785-L11B, 1785-L20B, 1785-L30B, 1785-L40L, 1785-L60B, 1785-L60L, 1785-L80B
CVSS Scores:
10
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
More Details Less Details Chevron DownChevron Down

 

Introduction

 

Description

February 2, 2010 - Version 1.0

Rockwell Automation has identified a potential security vulnerability in the programming and configuration client software authentication mechanism employed by certain versions of the PLC5 and SLC family of programmable controllers. The particular vulnerability affects older versions the following catalog numbers: 1785-Lx and 1747-L5x (the "Product"). Newer Products, programmed with current versions of RSLogix 5 or RSLogix 500, can enable specific security features like FactoryTalk Security services to effectively enhance security and reduce risks associated with this vulnerability. When coupled with contemporary network design practices, remaining risks linked to this vulnerability can be further reduced.

Details of this potential vulnerability to the affected Product are as follows:

  • The potential exists for a highly skilled, unauthorized person, with specific tools and know-how, to intercept the Product’s password over a communications link to potentially gain access and interrupt the Product’s intended operation.

Customers who are concerned about unauthorized access to their Products can take immediate steps as outlined below to reduce associated security risk from this potential vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system configuration too.

For instance, to directly mitigate associated risk in PLC5 controllers, Rockwell Automation recommends use of the following mitigation strategy:

  • For PLC5 controllers, enable and configure "Passwords and Privileges" via RSLogix 5 configuration software to restrict access to critical data and improve overall password security.

To help further reduce the likelihood of exploitation and to help reduce associated security risk in the PLC5 and SLC family of controllers, Product users can follow these added remediation strategies (Note: when possible, multiple strategies should be employed simultaneously):

  1. When applicable, upgrade Product firmware to a version that includes enhanced security functionality compatible with Rockwell Automation’s FactoryTalk Security services. This functionality can be enabled via RSLogix 5 or RSLogix 500 software. Recommended firmware revisions are as follows:
    1. The 1747-L5x firmware should be OS Series C FRN 10, or higher.
    2. 1785-Lx processor firmware should be at or above the following (refer to included table):

      Catalog Number

      Series A

      Series B

      Series C

      Series D

      Series E

      Series F

      Enhanced

      Revision

      Revision

      Revision

      Revision

      Revision

      Revision

      1785-L11B

      R.2

      		  

      U.2

      L.2

      K.2

      		    

      1785-L20B

      R.2

      		  

      U.2

      L.2

      K.2

      		    

      1785-L30B

      S.2

      		  

      U.2

      L.2

      K.2

      		    

      1785-L40B

      		  

      S.2

      U.2

      L.2

      K.2

      		    

      1785-L40L

      		  

      S.2

      U.2

      L.2

      K.2

      		    

      1785-L60B

      		  

      S.2

      U.2

      L.2

      K.2

      		    

      1785-L60L

      		  

      S.2

      U.2

      L.2

      K.2

      		    

      1785-L80B

      		    

      U.2

      L.2

      K.2

      		    

      Protected

      Revision

      Revision

      Revision

      Revision

      Revision

      Revision

      1785-L26B

      R.2

      		  

      U.2

      L.2

      K.2

      		    

      1785-L46B

      		  

      S.2

      U.2

      L.2

      K.2

      		    

      1785-L46L

      		  

      S.2

      U.2

      		        

      1785-L86B

      		    

      U.2

      L.2

      K.2

      		    

      Ethernet

      Revision

      Revision

      Revision

      Revision

      Revision

      Revision

      		  

      1785-L20E

      		    

      U.2

      L.2

      K.2

      A.2

      		  

      1785-L40E

      		    

      U.2

      L.2

      K.2

      A.2

      		  

      1785-L80E

      		    

      U.2

      L.2

      K.2

      A.2

      		  

      ControlNet

      Revision

      Revision

      Revision

      Revision

      Revision

      Revision

      		  

      1785-L20C15

      		    

      U.2

      L.2

      K.2

      E.2

      		  

      1785-L40C15

      		    

      U.2

      L.2

      K.2

      E.2

      		  

      1785-L46C15

      		        

      K.2

      E.2

      		  

      1785-L60C15

      		      

      L.2

      		      

      1785-L80C15

      		      

      L.2

      K.2

      E.2

      		  

  2. Use the latest version of RSLogix 5 or RSLogix 500 configuration software and enable FactoryTalk Security services.
  3. Disable where possible the capability to perform remote programming and configuration of the Product over a network to a controller by placing the controller’s key switch into RUN mode.
  4. For SLC controllers, enable static protection on all critical data table files to prevent any remote data changes to critical data.
  5. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to https://www.rockwellautomation.com/en-us/capabilities/industrial-networks/industrial-network-services.html for comprehensive information about implementing validated architectures designed to deliver these measures.
  6. Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
  7. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to make changes to control system equipment.
  8. Periodically and frequently change the Product’s password and obsolete previously used passwords to reduce exposure to threat from a Product password becoming known.

Rockwell Automation is committed to making additional security enhancements to our systems in the future.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/en-us/capabilities/industrial-networks/industrial-network-services.html.

KCS Status

Released

 

-
of

Report a Security Concern

There was a problem with your submission. Please review the error messages above for help with completing the form.

To provide attachments please communicate securely with us via PSIRT@rockwellautomation.com using our PGP Public Key Block.