Security Advisories | Rockwell Automation

High

SD1748 | FactoryTalk® Analytics™ LogixAI® Exposed Redis DB

Published Date:

September 09, 2025

Last Updated:

September 09, 2025

CVE IDs:

CVE-2025-9364

Products:

FactoryTalk® Analytics™ LogixAI® 

CVSS Scores (v3.1):

8.8

CVSS Scores (v4.0):

8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

Product Description

FactoryTalk® Analytics™ LogixAI® from Rockwell Automation is an embedded machine learning solution that enables control engineers to deploy predictive models directly within Logix controllers.

Affected products and solution

Affected Product	CVE	Affected Software Version	Corrected in Software Version
FactoryTalk® Analytics™ LogixAI®	CVE-2025-9364	Versions 3.00 and 3.01	Version 3.02 and later

Security Issue Details

Category	Details
CVE ID	CVE-2025-9364
Impact	An open database issue exists in the affected product and version. The security issue stems from an over permissive Redis instance. This could result in an attacker on the intranet accessing sensitive data and potential alteration of data.
CVSS 3.1 Base Score	8.8/10
CVSS 4.0 Base Score	8.7/10
CWEs	CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
Known Exploited Vulnerability	No (Not listed in KEV database)

Mitigations and Workarounds

Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.

Revision History

Revision	Date	Description
1.0	September 9, 2025	Initial release

Glossary   

· Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited   

· Redis Database: is an open-source, in-memory data structure store used as a database, cache, and message broker. It supports various data types like strings, hashes, lists, sets, and more, and is known for its high performance, low latency, and simplicity.

Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

Subscribe to product security alerts
Review the current list of Rockwell Automation security advisories
Report a possible security issue in a Rockwell Automation product
Learn more about the Rockwell Automation vulnerability policy

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT

Email: rasecure@ra.rockwell.com

Legal Disclaimer

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.

High

SD1747 | ControlLogix® 5580 V35.013 Denial-Of-Service 

Published Date:

September 09, 2025

Last Updated:

September 09, 2025

CVE IDs:

CVE-2025-9166

Products:

ControlLogix® 5580

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

8.2

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

Product Description

The ControlLogix® 5580 controller from Rockwell Automation delivers high-speed, multi-discipline control for discrete, motion, process, and safety applications, featuring enhanced security, integrated motion over EtherNet/IP.

Affected products and solution

Affected Product 

CVE 

Affected Software Version 

Corrected in Software Version 

Affected Catalog Numbers

ControlLogix® 5580

CVE-2025-9166

Version 35.013

Version 35.014 and later

Bulletin 1756

Security Issue Details

Category	Details
CVE ID	CVE-2025-9166
Impact	A denial-of-service security issue exists in the affected product and version. The security issue stems from the controller repeatedly attempting to forward messages. The issue could result in a major nonrecoverable fault on the controller.
CVSS 3.1 Base Score	7.5/10
CVSS 4.0 Base Score	8.2/10
CWEs	CWE-476: NULL Pointer Dereference
Known Exploited Vulnerability	No (Not listed in KEV database)

Mitigations and Workarounds

Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.

Revision History

Revision	Date	Description
1.0	September 9, 2025	Initial release

Glossary 

· Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited 

· Denial-of-Service (DoS): An attack that disrupts the normal functioning of a system, often by overwhelming it with requests. 

· Major Nonrecoverable Fault (MNRF): an error that occurs in a system or device and prevents it from recovering or functioning properly 

Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

Subscribe to product security alerts
Review the current list of Rockwell Automation security advisories
Report a possible security issue in a Rockwell Automation product
Learn more about the Rockwell Automation vulnerability policy

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT

Email: rasecure@ra.rockwell.com

Legal Disclaimer

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.

High

SD1746 | CompactLogix® 5480 Code Execution Vulnerability 

Published Date:

September 09, 2025

Last Updated:

September 09, 2025

CVE IDs:

CVE-2025-9160 

Products:

CompactLogix® 5480

CVSS Scores (v3.1):

6.8

CVSS Scores (v4.0):

7.0

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

Yes

More Details Less Details

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

Product Description

The CompactLogix® 5480 controller from Rockwell Automation is a high-performance, real-time controller that combines Logix control with Windows 10 IoT Enterprise.

Affected products and solution

Affected Product 

CVE 

Affected Software Version 

Corrected in Software Version 

Affected Catalog Numbers

CompactLogix® 5480

CVE-2025-9160

Version 32 - 37.011 w Windows package (2.1.0) Win10 v1607

N/A

5069-L430ERMW

5069-L450ERMW
5069-4100ERMW

5069-L4200ERMW 5069-L46ERMW

Security Issue Details

Category	Details
CVE ID	CVE-2025-9160
Impact	A code execution security issue exists in the affected product. An attacker with physical access could abuse the maintenance menu of the controller with a crafted payload. The security issue can result in arbitrary code execution.
CVSS 3.1 Base Score	6.8/10
CVSS 4.0 Base Score	7.0/10
CWEs	CWE-306: Missing Authentication for Critical Function
Known Exploited Vulnerability	No (Not listed in KEV database)

Mitigations and Workarounds
Best security practices should be applied.

Revision History

Revision	Date	Description
1.0	September 9, 2025	Initial release

Glossary 

· Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited 

· Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process 

Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

Subscribe to product security alerts
Review the current list of Rockwell Automation security advisories
Report a possible security issue in a Rockwell Automation product
Learn more about the Rockwell Automation vulnerability policy

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT

Email: rasecure@ra.rockwell.com

Legal Disclaimer

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.

High

SD1745 | Stratix IOS CSRF to RCE Vulnerability

Published Date:

September 09, 2025

Last Updated:

September 05, 2025

CVE IDs:

CVE-2025-7350

Products:

Stratix IOS

CVSS Scores (v3.1):

9.6

CVSS Scores (v4.0):

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Stratix® IOS Cross-Site Request Forgery to Code Execution Vulnerability

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

Product Description

Stratix® industrial Ethernet switches from Rockwell Automation provide high-performance network infrastructure optimized for industrial environments.

Affected products and solution

Affected Product

CVE

Affected Software Version

Corrected in Software Version

Affected Catalog Numbers

Stratix IOS

CVE-2025-7350

15.2(8)E5 and below

15.2(8)E6

Security Issue Details

Category	Details
CVE ID	CVE-2025-7350
Impact	A security issue affecting multiple Cisco devices also directly impacts Stratix® 5410, 5700, and 8000 devices. This can lead to remote code execution by uploading and running malicious configurations without authentication.
CVSS 3.1 Base Score	9.6/10
CVSS 4.0 Base Score	8.6/10
CWEs	CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Known Exploited Vulnerability	No (Not listed in KEV database)

Mitigations and Workarounds

Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.

Revision History

Revision	Date	Description
1.0	September 9, 2025	Initial release

Glossary

· Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

· Remote Code Execution: allows attackers to run arbitrary code on a remote machine, connecting to it over public or private networks

Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

· Subscribe to product security alerts

· Review the current list of Rockwell Automation security advisories

· Report a possible security issue in a Rockwell Automation product

· Learn more about the Rockwell Automation vulnerability policy

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT

Email: rasecure@ra.rockwell.com

Legal Disclaimer

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.

High

SD1744 | 1783-NATR Memory Size Calculation Underflow Vulnerability

Published Date:

September 09, 2025

Last Updated:

September 05, 2025

CVE IDs:

CVE-2020-28895

Products:

1783-NATR

CVSS Scores (v3.1):

7.3

CVSS Scores (v4.0):

6.9

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

1783-NATR Memory Size Calculation Underflow Vulnerability

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments. Please note Rockwell Automation could not confirm whether this vulnerability is exploitable; however, we are disclosing it in the interest of full transparency and proactive communication.

Product Description

1783-NATR is a configurable NAT router that simplifies machine integration into plant-wide networks by enabling 1:1 IP address translation, supporting Device Level Ring and linear topologies, and allowing configuration via web interface or Studio 5000 Add-on Profile.

Affected products and solution

Affected Product	CVE	Affected Software Version	Corrected in Software Version	Affected Catalog Numbers
1783-NATR	CVE-2020-28895	All Versions Prior to 1.007	1.007	1783-NATR

Security Issue Details

Category	Details
CVE ID	CVE-2020-28895
Impact	In Wind River VxWorks, memory allocator has a possible overflow in calculating the memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
CVSS 3.1 Base Score	7.3/10
CVSS 4.0 Base Score	6.9/10
CWEs	CWE-1103: Use of Platform-Dependent Third Party Components
Known Exploited Vulnerability	No (Not listed in KEV database)

Glossary:

· Wind River VxWorks: A trusted and widely deployed real-time operating system (RTOS) for mission-critical embedded systems. Used in all NATR modules.

Mitigations and Workarounds

Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.

Revision History

Revision	Date	Description
1.0	September 9, 2025	Initial release

Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

· Subscribe to product security alerts

· Review the current list of Rockwell Automation security advisories

· Report a possible security issue in a Rockwell Automation product

· Learn more about the Rockwell Automation vulnerability policy

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT

Email: rasecure@ra.rockwell.com

Legal Disclaimer

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.

High

SD1743 | ThinManager SSRF Vulnerability

Published Date:

September 09, 2025

Last Updated:

September 05, 2025

CVE IDs:

CVE-2025-9065

Products:

ThinManager

CVSS Scores (v3.1):

7.2

CVSS Scores (v4.0):

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

ThinManager® Server-Side Request Forgery Vulnerability

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

Product Description

ThinManager is a centralized, secure thin client management software that delivers industrial visualization and application control across devices, helping optimize operations with scalable deployment and reduced IT overhead.

Affected products and solution

Affected Product	CVE	Affected Software Version	Corrected in Software Version	Affected Catalog Numbers
ThinManager®	CVE-2025-9065	13.0 - 14.0	14.1	9541*

Security Issue Details

Category	Details
CVE ID	CVE-2025-9065
Impact	A server-side request forgery security issue exists within Rockwell Automation ThinManager® software due to the lack of input sanitization. Authenticated attackers can exploit this vulnerability by specifying external SMB paths, exposing the ThinServer® service account NTLM hash.
CVSS 3.1 Base Score	7.2/10
CVSS 4.0 Base Score	8.6/10
CWEs	CWE-918: Server-Side Request Forgery (SSRF)
Known Exploited Vulnerability	No (Not listed in KEV database)

Glossary:

· SMB: Server Message Block, a protocol used for sharing files, printers, and other resources over a network

· NTLM: NT Lan Manager, a Windows authentication protocol

Mitigations and Workarounds

Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices. Customers can also reference the following article from Microsoft to Block NTLM connections on SMB in Windows Server 2025.

Revision History

Revision	Date	Description
1.0	September 9, 2025	Initial release

Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

· Subscribe to product security alerts

· Review the current list of Rockwell Automation security advisories

· Report a possible security issue in a Rockwell Automation product

· Learn more about the Rockwell Automation vulnerability policy

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT

Email: rasecure@ra.rockwell.com

Legal Disclaimer

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.

High

SD1741 | FactoryTalk Activation Manager Lack of Encryption Vulnerability

Published Date:

September 09, 2025

Last Updated:

September 04, 2025

CVE IDs:

CVE-2025-7970

Products:

FactoryTalk Activation Manager

CVSS Scores (v3.1):

7.1

CVSS Scores (v4.0):

8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

FactoryTalk Activation Manager Lack of Encryption Vulnerability

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

Product Description

FactoryTalk Activation Manager is a secure software tool that enables activation and management of Rockwell Automation products without physical media, using internet-based activation files and multiple licensing options.

Affected products and solution

Affected Product	CVE	Affected Software Version	Corrected in Software Version
FactoryTalk Activation Manager	CVE-2025-7970	5.00	5.02

Security Issue Details

Category	Details
CVE ID	CVE-2025-7970
Impact	A security issue exists within FactoryTalk Activation Manager. An error in the implementation of cryptography within the software could allow attackers to decrypt traffic. This could result in data exposure, session hijacking, or full communication compromise.
CVSS 3.1 Base Score	7.5/10
CVSS 4.0 Base Score	8.7/10
CWEs	CWE-303: Incorrect Implementation of Authentication Algorithm
Known Exploited Vulnerability	No (Not listed in KEV database)

Mitigations and Workarounds

Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.

Revision History

Revision	Date	Description
1.0	September 9, 2025	Initial release

Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

· Subscribe to product security alerts

· Review the current list of Rockwell Automation security advisories

· Report a possible security issue in a Rockwell Automation product

· Learn more about the Rockwell Automation vulnerability policy

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT

Email: rasecure@ra.rockwell.com

Legal Disclaimer

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.

High

SD1742 | FactoryTalk Optix Remote Code Execution Vulnerability

Published Date:

September 09, 2025

Last Updated:

September 05, 2025

CVE IDs:

CVE-2025-9161

Products:

FactoryTalk Optix

CVSS Scores (v3.1):

7.1

CVSS Scores (v4.0):

7.3

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

FactoryTalk Optix Remote Code Execution Vulnerability

The security of our products is important to us as your industrial automation supplier. This security issue was found internally during routine testing and is being reported based on our commitment to customer transparency and improvement of all business environments.

Product Description

FactoryTalk Optix is a scalable, cloud-enabled visualization platform that lets you design, test, and deploy HMI applications across devices with modern templates, built-in collaboration tools, and OPC UA-based interoperability

Affected products and solution

Affected Product	CVE	Affected Software Version	Corrected in Software Version
FactoryTalk Optix	CVE-2025-9161	All Versions 1.5.0 - 1.5.7	1.6.0

Security Issue Details

Category	Details
CVE ID	CVE-2025-9161
Impact	A security issue exists within FactoryTalk Optix MQTT broker due to the lack of URI sanitization. This flaw enables the loading of remote Mosquito plugins, which can be used to achieve remote code execution.
CVSS 3.1 Base Score	7.1/10
CVSS 4.0 Base Score	7.3/10
CWEs	CWE-20: Improper Input Validation
Known Exploited Vulnerability	No (Not listed in KEV database)

Mitigations and Workarounds

Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.

Revision History

Revision	Date	Description
1.0	September 9, 2025	Initial release

Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

· Subscribe to product security alerts

· Review the current list of Rockwell Automation security advisories

· Report a possible security issue in a Rockwell Automation product

· Learn more about the Rockwell Automation vulnerability policy

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT

Email: rasecure@ra.rockwell.com

Legal Disclaimer

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.

Critical

SD1735 | FactoryTalk® Linx Network Browser Security Bypass Vulnerability

Published Date:

August 14, 2025

Last Updated:

August 14, 2025

CVE IDs:

CVE-2025-7972

Products:

FactoryTalk Linx

CVSS Scores (v3.1):

9.0

CVSS Scores (v4.0):

8.4

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 9.0/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	Affected Software Versions	Corrected in Software Version
FactoryTalk Linx	CVE-2025-7972	All prior to 6.50	6.50 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-7972 IMPACT

A security issue exists within the FactoryTalk Linx Network Browser. By modifying the process.env.NODE_ENV to ‘development’, the attacker can disable FTSP token validation. This bypass allows access to create, update, and delete FTLinx drivers.

CVSS 3.1 Base Score: 9.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

CWE: CWE-286: Incorrect User Management
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.

Security Best Practices

Glossary:

FTSP: (FactoryTalk Services Platform) facilitates communication between FactoryTalk® components, enabling data exchange and interaction across computers in a FactoryTalk directory

High

SD1737 | FLEX 5000 I/O - Module Fault

Published Date:

August 14, 2025

Last Updated:

August 14, 2025

CVE IDs:

CVE-2025-9041, CVE-2025-9042

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 8/14/2025

Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: See below

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

First Known in Firmware Version

Corrected in Firmware Version

5094-IF8

CVE-2025-9041

V2.011

V2.012 and later

5094-IY8

CVE-2025-9042

V2.011

V2.012 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-9041

A security issue exists due to improper handling of CIP Class 32’s request when a module is inhibited on the 5094-IF8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE-2025-9042

A security issue exists due to improper handling of CIP Class 32’s request when a module is inhibited on the 5094-IY8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-1287: Improper Validation of Specified Type of Input
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied. 

        Security Best Practices

Glossary:

CIP: Common Industrial Protocol (CIP) is a common communication standard that is widely used in industrial automation. Comprises a series of protocols for communication between different devices and systems in automation technology

Module: A self-contained unit within a system that performs a specific function and can operate independently or as part of a larger system

Inhibited: Temporarily disabled or prevented from operating.

High

SD1734 | Studio 5000 Logix Designer® – Arbitrary Code Execution Vulnerability

Published Date:

August 14, 2025

Last Updated:

August 14, 2025

CVE IDs:

CVE-2025-7971

Products:

Studio 5000 Logix Designer

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

7.3

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 7.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	First Known in Software Version	Corrected in Software Version
Studio 5000 Logix Designer	CVE-2025-7971	36.00.02	V37.00.02

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-7971 IMPACT

A security issues exists within Studio 5000 Logix Designer due to unsafe handling of environment variables. If the specified path lacks a valid file, Logix Designer crashes; However, it may be possible to execute malicious code without triggering a crash.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.

Security Best Practices

Critical

SD1736 | Micro800 – Multiple Vulnerabilities

Published Date:

August 14, 2025

Last Updated:

August 14, 2025

Products:

Micro800

CVSS Scores (v3.1):

9.8

CVSS Scores (v4.0):

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 9.8/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

CVE

Affected Product

First Known in Software Version

Corrected in Software Version

CVE-2023-48691

PLC Micro820 LC20

V14.011 and below

Migrate to Micro820 L20E V 23.011 and later (this has yet to be released, target to release in Sept 2025)

PLC Micro850 LC50

V12.013 and below

Migrate to Micro850 L50E V 23.011 and later

PLC Micro870 LC70

V12.013 and below

Migrate to Micro870 L70E V 23.011 and later

PLC - Micro850 L50E

V20.011 - V22.011

V23.011 and later

PLC – Micro870 L70E

V20.011 - V22.011

V23.011 and later

CVE-2023-48692

PLC Micro820 LC20

V14.011 and below

Migrate to Micro820 L20E V 23.011 and later (this has yet to be released, target to release in Sept 2025)

PLC Micro850 LC50

V12.013 and below

Migrate to Micro850 L50E V 23.011 and later

PLC Micro870 LC70

V12.013 and below

Migrate to Micro870 L70E V 23.011 and later

PLC - Micro850 L50E

V20.011 - V22.011

V23.011 and later

PLC – Micro870 L70E

V20.011 -V22.011

V23.011 and later

CVE-2023-48693

PLC Micro820 LC20

V14.011 and below

Migrate to Micro820 L20E V 23.011 and later (this has yet to be released, target to release in Sept 2025)

PLC Micro850 LC50

V12.013 and below

Migrate to Micro850 L50E V 23.011 and later

PLC Micro870 LC70

V12.013 and below

Migrate to Micro870 L70E V 23.011 and later

PLC - Micro850 L50E

V20.011 -V22.011

V23.011 and later

PLC – Micro870 L70E

V20.011 - V22.011

V23.011 and later

CVE-2025-7693

PLC - Micro850 L50E

V20.011 - V22.011

V23.011 and later

PLC – Micro870 L70E

V20.011 -V22.011

V23.011 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-48691 IMPACT

Azure RTOS NetX Duo is a TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications. An attacker can cause an out-of-bounds write in Azure RTOS NETX Duo, that could lead to remote code execution. The affected components include a process related to IGMP protocol in RTOS v6.2.1 and below. The fix has been included in NetX Duo release 6.3.0. Users are advised to upgrade.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2023-48692 IMPACT

Azure RTOS NetX Duo is a TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications. An attacker can cause remote code execution due to memory overflow vulnerabilities in Azure RTOS NETX Duo. The affected components include processes/functions related to icmp, tcp, snmp, dhcp, nat and ftp in RTOS v6.2.1 and below. The fixes have been included in NetX Duo release 6.3.0. Users are advised to upgrade.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2023-48693 IMPACT

Azure RTOS ThreadX is an advanced real-time operating system (RTOS) designed specifically for deeply embedded applications. An attacker can cause arbitrary read and write due to vulnerability in parameter checking mechanism in Azure RTOS ThreadX, which may lead to privilege escalation. The affected components include RTOS ThreadX v6.2.1 and below. The fixes have been included in ThreadX release 6.3.0. Users are advised to upgrade.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-1395: Dependency on Vulnerable Third-Party Component
Known Exploited Vulnerability (KEV) database: No

CVE-2025-7693 IMPACT

A security issue exists due to improper handling of malformed CIP Forward Close packets during fuzzing. The controller enters a solid red Fault LED state and becomes unresponsive. Upon power cycle, the controller will enter recoverable fault where the MS LED and Fault LED become flashing red and reports fault code 0xF015. To recover, clear the fault.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds 
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied. 

        Security Best Practices

Glossary:

TCP/IP: language computers use to talk to each other on a network or the internet

IoT: network of physical devices, like thermostat, fridge, or car

Remote Code Execution: allows attackers to run arbitrary code on a remote machine, connecting to it over public or private networks

IGMP:  (Internet Group Management Protocol) Used by IP hosts and adjacent routers to establish multicast group memberships.

ICMP:  (Internet Control Message Protocol) Used for sending error messages and operational information, such as when a service is unavailable or a host/router cannot be reached.

TCP: (Transmission Control Protocol) A connection-oriented protocol that ensures reliable data transmission between devices.

SNMP:  (Simple Network Management Protocol) Used for collecting and organizing information about managed devices on IP.

DHCP: (Dynamic Host Configuration Protocol) Automatically assigns IP addresses and other network configuration parameters to devices on a network, allowing them to communicate effectively.

NAT: (Network Address Translation) A method used to remap IP addresses by modifying network address information in packet headers.

FTP: (File Transfer Protocol) uses two primary ports for its operations: Port 21 and Port 20. These ports play distinct roles in facilitating file transfers between clients and servers.

Parameter: setting or value that helps define how data is transmitted, received, or managed across a network

CIP: (Common Industrial Protocol) a communication protocol designed for automation applications in industrial settings

Fuzzing: a technique that focuses on discovering vulnerabilities by providing a large amount of random and unexpected data inputs to a software system to trigger faults and find implementation bugs

High

SD1733 | ArmorBlock 5000 I/O – Web Server Vulnerabilities

Published Date:

August 14, 2025

Last Updated:

August 14, 2025

CVE IDs:

CVE-2025- 7773, CVE-2025- 7774

Products:

ArmorBlock 5000 I/O

CVSS Scores (v3.1):

8.6

CVSS Scores (v4.0):

8.8

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 8.6/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

First Known in Software Version

Corrected in Software Version

5032-CFGB16M12P5DR

5032-CFGB16M12DR

5032-CFGB16M12M12LDR

CVE-2025-7773

1.011

1.012

5032-CFGB16M12P5DR

5032-CFGB16M12DR

5032-CFGB16M12M12LDR

CVE-2025-7774

1.011

1.012

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025- 7773

A security issue exists within the 5032 16pt Digital Configurable module’s web server. The web server’s session number increments at an interval that correlates to the last two consecutive sign in session interval, making it predictable.

CVSS 3.1 Base Score: 8.6
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS 4.0 Base Score: 8.8
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

CWE: CWE-863: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No

CVE-2025- 7774

A security issue exists within the 5032 16pt Digital Configurable module’s web server. Intercepted session credentials can be used within a 3-minute timeout window, allowing unauthorized users to perform privileged actions.

CVSS 3.1 Base Score: 8.6
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS 4.0 Base Score: 8.8
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

CWE: CWE-306: Missing Authentication for Critical Function
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.

Security Best Practices

Critical

SD1732 | ControlLogix® Ethernet Remote Code Execution Vulnerability

Published Date:

August 14, 2025

Last Updated:

August 14, 2025

CVE IDs:

CVE-2025-7353

Products:

ControlLogix® Ethernet Modules

CVSS Scores (v3.1):

9.8

CVSS Scores (v4.0):

9.3

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 8/14/2025

Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 9.8/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	Affected Software Versions	Corrected in Software Version
1756-EN2T/D	CVE-2025-7353	Version 11.004 or below	12.001
1756-EN2F/C	CVE-2025-7353	Version 11.004 or below	12.001
1756-EN2TR/C	CVE-2025-7353	Version 11.004 or below	12.001
1756-EN3TR/B	CVE-2025-7353	Version 11.004 or below	12.001
1756-EN2TP/A	CVE-2025-7353	Version 11.004 or below	12.001

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-7353 IMPACT

A security issue exists due to the web-based debugger agent enabled on released devices. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution flow.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-1188: Initialization of a Resource with an Insecure Default
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.

·         Security Best Practices

High

SD1738 | FactoryTalk® ViewPoint Privilege Escalation Vulnerability

Published Date:

August 13, 2025

Last Updated:

August 13, 2025

CVE IDs:

CVE-2025-7973

Products:

FactoryTalk® ViewPoint

CVSS Scores (v3.1):

7.8

CVSS Scores (v4.0):

8.5

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

Affected Software Version

Corrected in Software Version

FactoryTalk Viewpoint

CVE-2025-7973

Version 14.00 or below

15.00

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-7973 IMPACT

A security issue exists in FactoryTalk ViewPoint version 14.0 or below due to improper handling of MSI repair operations. During a repair, attackers can hijack the cscript.exe console window, which runs with SYSTEM privileges. This can be exploited to spawn an elevated command prompt, enabling full privilege escalation.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-268: Privilege Chaining
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.

Security Best Practices

Glossary:

MSI: Microsoft Installer (MSI) file is a package format used for installing, maintaining, and removing software on Windows systems.

Cscript.exe: command-line utility in Windows used to run scripts written in VBScript or JScript.

SYSTEM Privileges: SYSTEM privileges refer to the highest level of access on a Windows machine, allowing full control over all system resources and processes.

High

SD1740 | FactoryTalk® Action Manager v1.0.0 Runtime Vulnerability

Published Date:

August 13, 2025

Last Updated:

August 13, 2025

CVE IDs:

CVE-2025-7532

Products:

FactoryTalk Action Manager

CVSS Scores (v3.1):

7.8

CVSS Scores (v4.0):

8.5

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 8/14/2025
Last Updated: 8/14/2025
Revision Number: 1.0
CVSS Score: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

Affected Software Versions

Corrected in Software Version

FactoryTalk® Action Manager

CVE-2025-9036

1.0.0

1.01

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-9036 IMPACT

A security issue in the runtime event system allows unauthenticated connections to receive a reusable API token. This token is broadcasted over a WebSocket and can be intercepted by any local client listening on the connection.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Exposure of Sensitive Information to an Unauthorized Actor
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.

·         Security Best Practices

Glossary:

API: (Application Programming Interface) is a set of protocols and tools that allow different software applications to communicate with each other

WebSocket: protocol used for communication between a client and a server over a single connection

High

SD1739 | 1756-ENT2R, EN4TR, EN4TRXT - Multiple Vulnerabilities

Published Date:

August 13, 2025

Last Updated:

August 13, 2025

CVE IDs:

CVE-2025-8007 , CVE-2025-8008

Products:

ControlLogix EtherNet/IP Network Devices

CVSS Scores (v3.1):

6.5

CVSS Scores (v4.0):

7.1

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

1756-ENT2R, EN4TR, EN4TRXT - Multiple Vulnerabilities

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

Product Description

The 1756-ENT2R, 1756-EN4TR, and 1756-EN4TRXT are high-performance ControlLogix EtherNet/IP communication modules that support advanced topologies like Device Level Ring and Parallel Redundancy Protocol, with scalable connection capacities and environmental ratings to meet standard, high-demand, and extreme industrial networking needs.

Affected products and solution

Affected Product

CVE

Affected Software Version

Corrected in Software Version

Affected Catalog Numbers

1756-ENT2R

1756-EN4TR

1756-EN4TRXT

CVE-2025-8007

Version 6.001 or Prior

Version 7.001 or later

1756*

1756-ENT2R

1756-EN4TR

1756-EN4TRXT

CVE-2025-8008

Version 6.001 or Prior

Version 7.001 or later

1756*

Security Issue Details

Category	Details
CVE ID	CVE-2025-8007
Impact	A security issue exists in the protected mode of 1756-EN4TR and 1756-EN2TR communication modules, where a Concurrent Forward Close operation can trigger a Major Non-Recoverable (MNFR) fault. This condition may lead to unexpected system crashes and loss of device availability.
CVSS 3.1 Base Score	6.5/10
CVSS 4.0 Base Score	7.1/10
CWEs	CWE-20: Improper Input Validation
Known Exploited Vulnerability	No (Not listed in KEV database)

Category	Details
CVE ID	CVE-2025-8008
Impact	A security issue exists in the protected mode of EN4TR devices, where sending specifically crafted messages during a Forward Close operation can cause the device to crash.
CVSS 3.1 Base Score	6.5/10
CVSS 4.0 Base Score	7.1/10
CWEs	CWE-755: Improper Handling of Exceptional Conditions
Known Exploited Vulnerability	No (Not listed in KEV database)

Glossary:

· Major Non-Recoverable: critical fault condition within industrial control systems

Mitigations and Workarounds

Customers using the affected software, who are not able to upgrade to one of the corrected versions, should use our security best practices.

Revision History

Revision	Date	Description
1.0	September 9, 2025	Initial release

Get Up-to-Date Product Security Information

Visit the Rockwell Automation security advisories on the Trust Center page to:

· Subscribe to product security alerts

· Review the current list of Rockwell Automation security advisories

· Report a possible security issue in a Rockwell Automation product

· Learn more about the Rockwell Automation vulnerability policy

Support

If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.

If you have any questions regarding this disclosure, please contact PSIRT

Email: rasecure@ra.rockwell.com

Legal Disclaimer

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAVE BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.

High

SD1731 | Arena® Simulation Multiple Memory Corruption Vulnerabilities

Published Date:

August 05, 2025

Last Updated:

August 05, 2025

CVE IDs:

CVE-2025-7025, CVE-2025-7032, CVE-2025-7033

Products:

Arena® Simulation

CVSS Scores (v3.1):

7.8

CVSS Scores (v4.0):

8.4

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 8/5/2025
Last Updated: 8/5/2025
Revision Number: 1.0
CVSS Score: 8.4/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	First Known in Software Version	Corrected in Software Version
Arena® Simulation	CVE-2025-7025	16.20.09 and prior	16.20.10 and later
	CVE-2025-7032	16.20.09 and prior	16.20.10 and later
	CVE-2025-7033	16.20.09 and prior	16.20.10 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following security issues. The vulnerabilities were reported by Michael Heinzl.

CVE-2025-7025 IMPACT

A memory abuse issue exists in the affected product. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-125 Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No

CVE-2025-7032 IMPACT

A memory abuse issue exists in the affected product. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-121: Stack-based Buffer Overflow
Known Exploited Vulnerability (KEV) database: No

CVE-2025-7033 IMPACT

A memory abuse issue exists in the affected product. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-122: Heap-based Buffer Overflow
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.

· Security Best Practices

Glossary

· Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

· Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process

Critical

SD1730 | Lifecycle Services with VMware are Vulnerable to third-party Vulnerabilities (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239)

Published Date:

July 16, 2025

Last Updated:

July 16, 2025

CVE IDs:

CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239

CVSS Scores (v3.1):

9.3, 7.1

CVSS Scores (v4.0):

9.4, 8.2

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 7/16/2025

Last updated:7/16/2025

Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Versions	Corrected in software version
Industrial Data Center (IDC) with VMware	Generations 1 – 4	Refer to Mitigations and Workarounds
VersaVirtual Appliance (VVA) with VMware	Series A & B	Refer to Mitigations and Workarounds
Threat Detection Managed Services (TDMS) with VMware	All	Refer to Mitigations and Workarounds
Endpoint Protection Service with Rockwell Automation Proxy & VMware only	All	Refer to Mitigations and Workarounds
Engineered and Integrated Solutions with VMware	All	Refer to Broadcom’s advisory

Remediations and Workarounds

Users with an active Rockwell Automation Infrastructure Managed Service contract or Threat Detection Managed Service contract:

Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts.

Users without Rockwell Automation managed services contract, refer to Broadcom’s advisories below :

· Support Content Notification - Support Portal - Broadcom support portal

· https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u3f-release-notes.html

· https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u2e-release-notes.html

· https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-70u3w-release-notes.html

Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.

· Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-41236

An integer-overflow vulnerability exists in the VMXNET3 virtual network adapter used in VMware ESXi, Workstation, and Fusion. Exploitation of this vulnerability can lead to code execution on the host.

CVSS 3.1 Base Score: 9.3

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database: No

CVE-2025-41237

An integer-underflow vulnerability exists in the Virtual Machine Communication Interface (VMCI) of VMware ESXi, Workstation, and Fusion, which can lead to an out-of-bounds write. Exploitation of this vulnerability can lead to code execution on the host.

CVSS 3.1 Base Score: 9.3

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database: No

CVE-2025-41238

A heap-overflow vulnerability exists in the Paravirtualized SCSI (PVSCSI) controller of VMware ESXi, Workstation, and Fusion, which can lead to an out-of-bounds write. Exploitation of this vulnerability can lead to code execution on the host.

CVSS 3.1 Base Score: 9.3

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database: No

CVE-2025-41239

An information disclosure vulnerability exists in vSockets due to the use of uninitialized memory in VMware ESXi, Workstation, Fusion, and VMware Tools. Exploitation of this vulnerability can result in the leakage of memory from processes communicating with vSockets.

CVSS 3.1 Base Score: 7.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.2

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

Glossary:

VMXNET3: virtual network adapter optimized for VMware environments
VMware ESXi: hypervisor that enables virtualization of servers
VMware Workstation: desktop application that allows users to run multiple operating systems as virtual machines on a single PC
VMware Fusion: a macOS application that enables users to run Windows and other operating systems within a virtual environment
Code execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

High

SD1729 | Arena® Simulation Out-Of-Bounds Write Remote Code Execution Vulnerability

Published Date:

July 09, 2025

Last Updated:

July 09, 2025

CVE IDs:

CVE-2025-6377 , CVE-2025-6376

Products:

Arena®

CVSS Scores (v3.1):

7.0, 7.8

CVSS Scores (v4.0):

8.4, 7.1

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 7/9/2025
Last Updated: 7/9/2025
Revision Number: 1.0
CVSS Score: 7.1/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	First Known in Software Version	Corrected in Software Version
Software - Arena®	CVE-2025-6377	16.20.08 and earlier	16.20.09 and later
Software - Arena®	CVE-2025-6376	16.20.08 and earlier	16.20.09 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerability. The vulnerability was reported by Zero Day Initiative (ZDI).

CVE-2025-6377 IMPACT

A remote code execution security issue exists in the affected product. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P.

ZDI CVSS Score

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4

CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Rockwell CVSS Score:

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

CVE-2025-6376 IMPACT

A remote code execution security issue exists in the affected product. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P.

ZDI CVSS Score

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.4

CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Rockwell CVSS Score

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20 Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Users should update to the corrected version if possible. If users using the affected software are not able to upgrade the version, security best practices should be applied.

·         Security Best Practices

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Glossary

DOE File: A DOE file, or Design of Experiments file, is a document used to plan and organize an experiment efficiently. It helps in systematically arranging tests and analyzing the effects of multiple factors and their interactions on a response variable.

Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Critical

SD1728 | Apache Vulnerability in FactoryTalk® Historian-ThingWorx Connection Server

Published Date:

May 14, 2025

Last Updated:

May 14, 2025

CVE IDs:

CVE-2018-1285

CVSS Scores (v3.1):

9.8

CVSS Scores (v4.0):

9.3

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 5/15/2025

Last updated: 5/15/2025

Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in software version	Corrected in software version
95057C-FTHTWXCT11	<= v4.02.00	v5.00.00 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2018-1285

A vulnerability has been identified in the third-party Apache log4net software, impacting the FactoryTalk® Historian-ThingWorx Connector. This issue arises because versions of Apache log4net prior to 2.0.10 fail to disable XML external entities during the parsing of log4net configuration files. Consequently, a threat actor could exploit this to launch XX-based attacks on applications that accept malicious log4net configuration files.

CVSS 3.1 Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: no

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Update to the corrected version if possible. Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.

· Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

High

SD1727 | Local Privilege Escalation and denial-of-service Vulnerability in ThinManager®

Published Date:

April 15, 2025

Last Updated:

April 23, 2025

CVE IDs:

CVE-2025-3617 , CVE-2025-3618

CVSS Scores (v3.1):

7.8

CVSS Scores (v4.0):

8.5

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	First Known in Software Version	Corrected in Software Version
Software - ThinManager	CVE-2025-3617	14.0.0 & 14.0.1	v14.0.2 and later
Software - ThinManager	CVE-2025-3618	v14.0.1 and earlier	v11.2.11, 12.0.9, 12.1.10, 13.0.7, 13.1.5, 13.2.4, 14.0.2 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Zero Day Initiative (ZDI).

CVE-2025-3617 IMPACT

A privilege escalation vulnerability exists in the affected product. When the software starts up, files are deleted in the temporary folder causing the Access Control Entry of the directory to inherit permissions from the parent directory. If exploited, a threat actor could inherit elevated privileges.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 276 - Incorrect Default Permissions
Known Exploited Vulnerability (KEV) database: No

CVE-2025-3618 IMPACT

A denial-of-service vulnerability exists in the affected product. The software fails to adequately verify the outcome of memory allocation while processing Type 18 messages. If exploited, a threat actor could cause a denial-of-service on the target software.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: 119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High

SD1726 | Local Code Execution Vulnerabilities in Arena®

Published Date:

April 07, 2025

Last Updated:

April 07, 2025

CVE IDs:

CVE-2025-2285, CVE-2025-2286, CVE-2025-2287, CVE-2025-2288, CVE-2025-2293, CVE-2025-2829, CVE-2025-3285, CVE-2025-3286, CVE-2025-3287, CVE-2025-3288, CVE-2025-3289

CVSS Scores (v3.1):

7.8

CVSS Scores (v4.0):

8.5

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 4/8/2025

Last updated: 4/8/2025

Revision Number: 1.0

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in software version	Corrected in software version
Arena®	16.20.08 and earlier	16.20.09

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Michael Heinzl.

CVE-2025-2285

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE- 457 Uninitialized Variable

CVE-2025-2286

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE- 457 Uninitialized Variable

CVE-2025-2287

A local code execution vulnerability exists in the affected products due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE- 457 Uninitialized Variable

CVE-2025-2288

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5

CVSS Vector:CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE 787 - Out of Bounds Write

CVE-2025-2293

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE 787 - Out of Bounds Write

CVE-2025-2829

A local code execution vulnerability exists in the affected products due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE 787 - Out of Bounds Write

CVE-2025-3285

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-125 Out of Bounds Read

CVE-2025-3286

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-125 Out of Bounds Read

CVE-2025-3287

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-125 Out of Bounds Read

CVE-2025-3288

A local code execution vulnerability exists in the affected products due to a threat actor being able to read outside of the allocated memory buffer. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE-125 Out of Bounds Read

CVE-2025-3289

A local code execution vulnerability exists in the affected products due to a stack-based memory buffer overflow. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVSS 3.1 Base Score: 7.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

CWE: CWE 121 – Stack-based Buffer Overflow

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.

· Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

High

SD1725 | Third-party Local Code Execution Vulnerability in 440G TLS-Z

Published Date:

March 24, 2025

Last Updated:

March 24, 2025

CVE IDs:

CVE-2020-27212

Products:

440G TLS-Z

CVSS Scores (v3.1):

7.0

CVSS Scores (v4.0):

7.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

Yes

More Details Less Details

Published Date: 3/25/2025

Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Versions	Corrected in Software Version
440G TLS-Z	v6.001	n/a – see mitigations

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· Limit physical access to authorized personnel: Control room, cells/areas, control panels, and devices. See Chapter 4, Harden the Control System of System Security Design Guidelines

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE 2020-27212 IMPACT

A local code execution vulnerability exists in the STMicroelectronics STM32L4 devices due to having incorrect access controls. The affected product utilizes the STMicroelectronics STM32L4 device and because of the vulnerability, a threat actor could reverse protections that control access to the JTAG interface. If exploited, a threat actor can take over the device.

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:1395-Dependency of a third-party Component & CWE 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CPE: cpe:2.3:h:st:stm32l431rc:-:*:*:*:*:*:*:*

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical

SD1724 | Lifecycle Services with Veeam Backup and Replication are Vulnerable to third-party Vulnerabilities

Published Date:

March 21, 2025

Last Updated:

March 21, 2025

CVE IDs:

CVE-2025-23120

CVSS Scores (v3.1):

9.9

CVSS Scores (v4.0):

9.4

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Lifecycle Services with Veeam Backup and Replication are Vulnerable to third-party Vulnerabilities

Published Date: 03/21/25

Last updated: 03/27/25

Revision Number: 1.0

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Versions	Corrected in Software Revision
Industrial Data Center (IDC) with Veeam	Generations 1 – 5	Refer to Remediation and Workarounds
VersaVirtual™ Appliance (VVA) with Veeam	Series A - C	Refer to Remediation and Workarounds

REMEDIATIONS AND WORKAROUNDS

Users with an active Rockwell Automation Infrastructure Managed Service contract:

Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts.

Users without Rockwell Automation managed services contract, refer to Veeam’s advisories below:

· Support Content Notification - Support Portal – Veeam support portal

· https://www.veeam.com/kb4724

Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.

· Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-23120

A remote code execution vulnerability exists in Veeam Backup & Replication, which the affected products use. Exploitation of the vulnerability can allow a threat actor to execute code on the target system.

CVSS 3.1 Base Score: 9.9

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database: No

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

Critical

SD1723 | Admin Shell Access Vulnerability in Verve Asset Manager

Published Date:

March 20, 2025

Last Updated:

March 20, 2025

CVE IDs:

CVE-2025-1449

CVSS Scores (v3.1):

9.1

CVSS Scores (v4.0):

8.9

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 3/25/25

Revision Number: 1.0

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Version(s)

Corrected in Software Revision

Verve Asset Manager

<=1.39

V1.40

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-1449 IMPACT

A vulnerability exists in the affected product due to insufficient variable sanitizing. A portion of the administrative web interface for Verve's Legacy Agentless Device Inventory (ADI) capability (deprecated since the 1.36 release) allows users to change a variable with inadequate sanitizing. If exploited, it could allow a threat actor with administrative access to run arbitrary commands in the context of the container running the service.

CVSS Base Score v3.1: 9.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS Base Score v4.0: 8.9

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE: CWE-1287: Improper Validation of Specified Type of Input

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Mitigations and Workarounds

Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

Security Best Practices

Critical

SD1722 | Lifecycle Services with VMware are Vulnerable to third-party Vulnerabilities

Published Date:

March 07, 2025

Last Updated:

March 07, 2025

CVE IDs:

CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

CVSS Scores (v3.1):

9.3, 8.2, 7.1

CVSS Scores (v4.0):

9.4, 9.3, 8..2

Known Exploited Vulnerability (KEV):

Yes

Corrected:

Yes

Workaround:

Yes

More Details Less Details

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found through a third-party advisory and is being reported based on our commitment to customer transparency to improve all business environment.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Versions	Corrected in software version
Industrial Data Center (IDC) with VMware	Generations 1 – 4	Refer to Mitigations and Workarounds
VersaVirtual™ Appliance (VVA) with VMware	Series A & B	Refer to Mitigations and Workarounds
Threat Detection Managed Services (TDMS) with VMware	All	Refer to Mitigations and Workarounds
Endpoint Protection Service with RA PRoxy & VMware only	All	Refer to Mitigations and Workarounds
Engineered and Integrated Solutions with VMware	All	Refer to Broadcom’s advisory

Remediations and Workarounds

Users with an active Rockwell Automation Infrastructure Managed Service contract or Threat Detection Managed Service contract:

Rockwell Automation will contact impacted users to discuss actions needed for remediation efforts.

Users without Rockwell Automation managed services contract, refer to Broadcom’s advisories below:

· Support Content Notification - Support Portal - Broadcom support portal

· https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u3d-release-notes.html

· https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u2d-release-notes.html

· https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/7-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-70u3s-release-notes.html

Additionally, users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.

· Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used v3.1 and v4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-22224

A Time of Check Time of use (TOCTOU) vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with local administrative privileges to execute code as the virtual machine's VMX process running on the host.

CVSS 3.1 Base Score: 9.3

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database: Yes

CVE-2025-22225

A code execution vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with privileges within the VMX process trigger an arbitrary kernel write, leading to an escape of the sandbox.

CVSS 3.1 Base Score: 8.2

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Known Exploited Vulnerability (KEV) database: Yes

CVE-2025-22226

An out of bounds vulnerability exists in VMware ESXi, which the affected products use. Exploitation of the vulnerability can allow a threat actor with administrative privileges to leak memory from the vmx process.

CVSS 3.1 Base Score: 7.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.2

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: Yes

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

Critical

SD1721 | FactoryTalk® AssetCentre Multiple Vulnerabilities

Published Date:

January 29, 2025

Last Updated:

January 29, 2025

CVE IDs:

CVE-2025-0477 , CVE-2025-0497, CVE-2025-0498

CVSS Scores (v3.1):

9.8, 7.0, 7.8

CVSS Scores (v4.0):

9.3, 7.3, 7.0

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	Affected Versions	Corrected Version
FactoryTalk® AssetCentre	CVE-2025-0477	All prior to V15.00.001	V15.00.01 and later
	CVE-2025-0497		V11, V12, and V13 (patch available) V15.00.01 and later
	CVE-2025-0498		V11, V12, and V13 (patch available) V15.00.01 and later

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

For CVE-2025-0477:

o Update FactoryTalk® AssetCentre to v15.00.01 or later.

o The encrypted data is stored in a table in the database. Control access to the database by non-essential users.

For CVE-2025-0497

o Update FactoryTalk® AssetCentre to v15.00.01 or later.

o Apply patches to correct legacy versions:

§ To apply the patch for LogCleanUp or ArchiveLogCleanUp download and install the Rockwell Automation January 2025 Monthly Patch rollup, or later

§ To apply patches for EventLogAttachmentExtractor or ArchiveExtractor, locate the article BF31148, download the patch files and follow the instructions.

o Restrict physical access to the machine to authorized users.

For CVE-2025-0498

o Update FactoryTalk® AssetCentre to v15.00.01 or later.

o Apply patches to correct legacy versions:

§ To apply the patch for download and install the Rockwell Automation January 2025 Monthly Patch rollup, or later

o Restrict physical access to the machine to authorized users.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

VULNERABILITY DETAILS

CVE-2025-0477 and CVE-2025-0497 reported to Rockwell Automation by Nestlé - Alban Avdiji. CVE-2025-0498 was found internally by Rockwell Automation during routine testing. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-0477 IMPACT

An encryption vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to a weak encryption methodology and could allow a threat actor to extract passwords belonging to other users of the application.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-326: Inadequate Encryption Strength
Known Exploited Vulnerability (KEV) database: No

CVE-2025-0497 IMPACT

A data exposure vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to storing credentials in the configuration file of EventLogAttachmentExtractor, ArchiveExtractor, LogCleanUp, or ArchiveLogCleanUp packages.

CVSS 3.1 Base Score: 7.0
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.3
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-522: Insufficiently Protected Credentials
Known Exploited Vulnerability (KEV) database: No

CVE-2025-0498 IMPACT

A data exposure vulnerability exists in all versions prior to V15.00.001 of FactoryTalk® AssetCentre. The vulnerability exists due to insecure storage of FactoryTalk® Security user tokens, which could allow a threat actor to steal a token and, impersonate another user.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-522: Insufficiently Protected Credentials
Known Exploited Vulnerability (KEV) database: No

Critical

SD1715 | Path Traversal and Third-party Vulnerability in DataMosaix™ Private Cloud

Published Date:

January 28, 2025

Last Updated:

January 28, 2025

CVE IDs:

CVE-2025-0659, CVE-2020-11656

CVSS Scores (v3.1):

5.5, 9.8

CVSS Scores (v4.0):

7.0, 9.3

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	Affected Software Version	Corrected in Software Version
DataEdgePlatform DataMosaix™ Private Cloud	CVE-2025-0659	<=7.11	7.11.01
DataEdgePlatform DataMosaix™ Private Cloud	CVE-2020-11656	<=7.09	7.11.01

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-0659 IMPACT

A path traversal vulnerability exists in the affected product. By specifying the character sequence in the body of the vulnerable endpoint, it is possible to overwrite files outside of the intended directory. A threat actor with admin privileges could leverage this vulnerability to overwrite reports including user projects.

CVSS 3.1 Base Score: 5.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

CWE: 200 - Exposure of Sensitive Information to an unauthorized Actor
Known Exploited Vulnerability (KEV) database: No

CVE-2020-11656 IMPACT

The affected product utilizes SQLite, which contains a use after free vulnerability in the ALTER TABLE implementation, which was demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 1395 - Dependency on Vulnerable third-party Component
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High

SD1718 | 5380/5580 Denial-of-Service Vulnerability

Published Date:

January 28, 2025

Last Updated:

January 30, 2025

CVE IDs:

CVE-2025-24478

CVSS Scores (v3.1):

6.5

CVSS Scores (v4.0):

7.1

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

AFFECTED PRODUCTS AND SOLUTION

Affected Product(s)

First Known in Software Version

Corrected in Software Version

GuardLogix 5580

Compact GuardLogix 5380 SIL3

V33.011

V33.017, V34.014, V35.013, V36.011 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-24478 IMPACT

A denial-of-service vulnerability exists in the affected products. The vulnerability could allow a remote, non-privileged user to send malicious requests resulting in a major nonrecoverable fault causing a denial-of-service.

CVSS 3.1 Base Score: 6.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-755: Improper Handling of Exceptional Conditions
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· Restrict Access to the task object via CIP Security and Hard Run.

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical

SD1719 | FactoryTalk® View Machine Edition Multiple Vulnerabilities

Published Date:

January 28, 2025

Last Updated:

February 05, 2025

CVE IDs:

CVE-2025-24479, CVE-2025-24480

CVSS Scores (v3.1):

8.4, 9.8

CVSS Scores (v4.0):

8.6, 9.3

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

Affected Version(s)

Corrected in Software Version

FactoryTalk® View Machine Edition

CVE-2025-24479

< V15

V15 and Patch for V12, V13, V14 (AID 1152309)

CVE-2025-24480

< V15

V15 and patch for V12, V13, V14 (AID 1152571)

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-24479 IMPACT

A Local Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to a default setting in Windows and allows access to the Command Prompt as a higher privileged user.

CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.6
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-863: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No

CVE-2025-24480 IMPACT

A Remote Code Execution Vulnerability exists in the product and version listed above. The vulnerability is due to lack of input sanitation and could allow a remote attacker to run commands or code as a high privileged user.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') & CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· CVE-2025-24479:

· Upgrade to V15.00 or apply patch in AID 1152309

· Control physical access to the system

· CVE-2025-24480:

· Upgrade to V15.00 or apply patch in AID 1152571

· Protect network access to the device

· Strictly constrain the parameters of invoked functions

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High

SD1720 | FactoryTalk® View Site Edition Multiple Vulnerabilities

Published Date:

January 28, 2025

Last Updated:

January 28, 2025

CVE IDs:

CVE-2025-24481, CVE-2025-24482

CVSS Scores (v3.1):

7.3

CVSS Scores (v4.0):

7.0

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	Affected Version(s)	Corrected in Software Version
FactoryTalk® View SE	CVE-2025-24481	< V15.0	V15.0, and patch for v14 (AID 1152306)
FactoryTalk® View SE	CVE-2025-24482	< V15.0	V15.0, and patches for V12, V13, V14 (1152304)

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-24481 IMPACT

An Incorrect Permission Assignment Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect permissions being assigned to the remote debugger port and can allow for unauthenticated access to the system configuration.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

CWE-732: Incorrect Permission Assignment for Critical Resource
Known Exploited Vulnerability (KEV) database: No

CVE-2025-24482 IMPACT

A Local Code Injection Vulnerability exists in the product and version listed above. The vulnerability is due to incorrect default permissions and allows for DLLs to be executed with higher level permissions.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

CWE-94: Improper Control of Generation of Code ('Code Injection')
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· For CVE-2025-24481:

· Upgrade to V15 or apply patch. Answer ID 1152306

· Protect physical access to the workstation

· Restrict access to port 8091 at the network or workstation

· For CVE-2025-24482:

· Upgrade to V15 or apply patch. Answer ID 1152304.

· Check the environment variables (PATH), and make sure FactoryTalk® View SE installation path (C:\Program Files (x86)\Common Files\Rockwell) is before all others

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High

SD1716 | KEPServer Denial-of-Service Vulnerability Found During Pwn2Own Competition

Published Date:

January 28, 2025

Last Updated:

August 06, 2025

CVE IDs:

CVE-2023-3825

Products:

KEPServer

CVSS Scores (v3.1):

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	Affected Versions	Fixed Version
KEPServer	CVE-2023-3825	6.0 - 6.14.263	6.15

SECURITY ISSUE DETAILS

Rockwell Automation received a report from PTC regarding a security issue discovered by Security Researchers of Claroty Team82.

Rockwell Automation uses the latest version of the CVSS scoring system to assess the security issues.

CVE-2023-3825 IMPACT

KEPServerEX Versions 6.0 to 6.14.263 are open to being made to read a repeatedly defined object that leads to uncontrolled resource consumption. KEPServerEX uses OPC UA, a protocol which defines various object types that can be stored to create complex arrays. It does not apply a check to see if such an object is recursively defined. An attacker could send a maliciously created message that the decoder would try to decode until the stack overflowed and the device crashed.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400: Uncontrolled Resource Consumption
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software should use risk mitigations.

· For information on Security Risks and how to reduce risks, customers should use our suggested security best practices.

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

ADDITIONAL RESOURCES

· NVD - CVE-2023-3825

· PTC KEPServerEX | CISA

· CS405439 - Security vulnerabilities identified in PTC Kepware products - November 2023

Glossary:

Claroty Team82: a research arm that provides vulnerability and threat research to customers and defenders of industrial networks worldwide

KEPServerEX: connectivity platform that provides a single source of industrial automation

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

High

SD1717 | PowerFlex® 755 Credential Exposure Vulnerability

Published Date:

January 28, 2025

Last Updated:

January 28, 2025

CVE IDs:

CVE-2025-0631

Products:

PowerFlex 755

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Version(s)	Fixed Version
PowerFlex® 755	<=16.002.279	v20.3.407

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2025-0631 IMPACT

A Credential Exposure Vulnerability exists in the above-mentioned product and version. The vulnerability is due to using HTTP resulting in credentials being sent in clear text.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE-319: Cleartext Transmission of Sensitive Information
Known Exploited Vulnerability (KEV) database: None

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical

SD1714 | PowerMonitor™ 1000 Remote Code Execution and Denial-of-Service Vulnerabilities via HTTP Protocol

Published Date:

December 17, 2024

Last Updated:

December 17, 2024

CVE IDs:

CVE-2024-12371 , CVE-2024-12372 , CVE-2024-12373

CVSS Scores (v3.1):

9.8, 9.8, 9.8

CVSS Scores (v4.0):

9.3, 9.3, 9.3

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: December 17, 2024

Last updated: August 6, 2025

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, v4.0: 9.3/10

AFFECTED PRODUCTS AND SOLUTION

Affected Products	Affected firmware revision	Corrected in firmware revision
PM1k 1408-BC3A-485	<4.020	4.020
PM1k 1408-BC3A-ENT	<4.020	4.020
PM1k 1408-TS3A-485	<4.020	4.020
PM1k 1408-TS3A-ENT	<4.020	4.020
PM1k 1408-EM3A-485	<4.020	4.020
PM1k 1408-EM3A-ENT	<4.020	4.020
PM1k 1408-TR1A-485	<4.020	4.020
PM1k 1408-TR2A-485	<4.020	4.020
PM1k 1408-EM1A-485	<4.020	4.020
PM1k 1408-EM2A-485	<4.020	4.020
PM1k 1408-TR1A-ENT	<4.020	4.020
PM1k 1408-TR2A-ENT	<4.020	4.020
PM1k 1408-EM1A-ENT	<4.020	4.020
PM1k 1408-EM2A-ENT	<4.020	4.020

SECURTIY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following security issues. The following issues were reported by Vera Mens of Claroty Research - Team82.

CVE-2024-12371 IMPACT

A device takeover security issue exists in the affected product. This allows configuration of a new Policyholder user without any authentication via API. A policyholder user is the most privileged user that can perform edit operations. This creates admin users and performs a factory reset.

CVSS 3.1 Base Score: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CSVV 4.0 Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-420: Unprotected Alternate Channel

CVE-2024-12372 IMPACT

A denial-of-service and possible remote code execution security issue exists in the affected product. This issue results in corruption of the heap memory which may compromise the integrity of the system. This could allow a remote code execution or a denial-of-service attack.

CVSS 3.1 Base Score: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CSVV 4.0 Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-122: Heap-based Buffer Overflows

CVE-2024-12373 IMPACT

A denial-of-service security issue exists in the affected product. This results in a buffer-overflow which could cause a denial-of-service.

CVSS 3.1 Base Score: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CSVV 4.0 Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Mitigations and Workarounds

Customers using the affected software that can't upgrade to one of the corrected version should use the security best practices.

· Security Best Practices

Glossary

Buffer Overflow: when a program writes more data to a buffer than it can hold, causing the excess data to overflow into adjacent memory locations

Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

High

SD1713 | Multiple Code Execution Vulnerabilities in Arena®

Published Date:

December 04, 2024

Last Updated:

December 19, 2024

CVE IDs:

CVE-2024-11155 , CVE-2024-11156 , CVE-2024-11158 , CVE-2024 -12130 , CVE-2024-11157, CVE-2024-12672, CVE-2024-11364, CVE-2024-12175

CVSS Scores (v3.1):

7.8

CVSS Scores (v4.0):

8.5

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Published Date: 12/04/24

Last updated: August 6, 2025

Revision Number: 2.0

CVSS Score: v3.1: 7.8, v4.0 8.5

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	Affected Software Version	Corrected in Software Version
Software - Arena	CVE-2024-11155	All versions 16.20.00 and prior	V16.20.06 and later
	CVE-2044-11156	All versions 16.20.03 and prior	V16.20.06 and later
	CVE-2024-11158	All versions 16.20.00 and prior	V16.20.06 and later
	CVE-2024 -12130	All versions 16.20.05 and prior	V16.20.06 and later
	CVE-2024-11157	All versions 16.20.06 and prior	V16.20.07 and later
	CVE-2024-12175	All versions 16.20.06 and prior	V16.20.07 and later
Software – Arena® 32 bit	CVE-2024-12672	All versions 16.20.07 and prior	n/a – see mitigations
Software – Arena® 32 bit	CVE-2024-11364	All versions 16.20.06 and prior	V16.20.07 and later

SECURITY ISSUE DETAILS

Rockwell Automation useS the latest version of the CVSS scoring system to assess the security issues. These security issues were reported by ZDI (Zero Day Initiative).

CVE-2024-11155 IMPACT

A “use after free” code execution security issue exists in the affected products. These could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. A threat actor could leverage this issue to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-416 Use After Free

Known Exploited Vulnerability (KEV) database: No

CVE-2024-11156 IMPACT

An “out of bounds write” code execution security issue exists in the affected products. This could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. A threat actor could use this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-787 Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No

CVE-2024-11158 IMPACT

An “uninitialized variable” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to access a variable before it being initialized. A threat actor could use this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor. for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-665 Improper Initialization

Known Exploited Vulnerability (KEV) database: No

CVE-2024-12130 IMPACT

An “out of bounds read” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to read beyond the boundaries of an allocated memory. A threat actor could use this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

CVE-2024-11157

A third-party security issue exists in the affected products. This could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-787 Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No

CVE-2024-12672

A third-party security issue exists in the affected products. This could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-1395 Dependency on third-party Component

Known Exploited Vulnerability (KEV) database: No

CVE-2024-11364

Another “uninitialized variable” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to access a variable prior to it being initialized. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor. for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-1395 Dependency on third-party Component

Known Exploited Vulnerability (KEV) database: No

CVE-2024-12175

Another “use after free” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-416 Use After Free

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software should use the risk mitigations.

Do not load untrusted Arena® model files.
Hold the control key down when loading files to help prevent the VBA file stream from loading.

For information on how to mitigate Security Risks, use our suggested security best practices.

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories

Glossary

DOE file: store model data using a Microsoft Compound File format, which acts as a container for several data streams

Out of bounds read vulnerability: when a program reads data from a memory location outside the bounds of a array or buffer

Out of bounds write code vulnerability: a software vulnerability where a program writes beyond the bounds of an allowed area of memory

Third-party vulnerability: a weakness or flaw in an external vendor, supplier, or service provider’s system, process, or software that can be exploited to compromise the security of a connected organization.

Uninitialized variable vulnerability: occurs when a program accesses a variable before it has been initialized

Use-After-Free (UAF) vulnerability: a type of memory corruption vulnerability that occurs when a program continues to access memory locations that have already been freed.

High

SD1712 | Third Party Remote Code Execution Vulnerability in Verve Reporting

Published Date:

November 14, 2024

Last Updated:

November 14, 2024

CVE IDs:

CVE-2024-37287

CVSS Scores (v3.1):

7.2

CVSS Scores (v4.0):

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Published Date: 11/14/24

Last updated: 11/14/24

Revision Number: 1.0

CVSS Score: v3.1: 6.8/10, v4.0: 8.4/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Version(s)	Corrected in Software Revision
Verve Reporting	<v1.39	V1.39

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-37287 IMPACT

Verve Reporting utilizes Kibana which contains a remote code execution vulnerability that allows an attacker with access to ML and Alerting connecting features as well as write access to internal ML to trigger a prototype pollution vulnerability, which can ultimately lead to arbitrary code execution. The code execution is limited to the container.

CVSS Base Score v3.1: 7.2/10

CVSS Vector CVSS: 3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 8.6/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-1395: Dependency on Vulnerable Third-Party Component

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Restrict Access to Built-in Verve Account
- Access to the built-in "verve" account should be limited to only administrators who need to perform administrative functions and should only be used for administrative purposes. Separate accounts should be used for day-to-day functions.
- Change the password for the built-in "verve" account if it has been shared.
Restrict Privileges for Other Accounts
- Verve Reporting comes with built-in roles to simplify the delegation of user permissions. Assigning a user the following two roles will allow them access to most Verve Reporting features (excluding user administration), but will not give them permission to execute this vulnerability.
  - all-all
  - feature-all-all
Disable Machine Learning
- Machine learning can be disabled in the Elasticsearch configuration override. Contact Verve support for assistance if needed.
  1. Connect to the Reporting server via SSH or terminal.
  2. Copy the Elasticsearch configuration override to the working directory.
    1. docker exec $(docker ps --filter "name=Reporting_elasticsearch" --format "{{ .ID }}") cat /usr/share/elasticsearch/config-templates/elasticsearch.override.yml > elasticsearch.override.yml
  3. Add the following line and save.
    1. xpack.ml.enabled: false
  4. Disable Verve Reporting from the Verve Software Manager.
  5. Update the Elasticsearch configuration override.
    1. docker config rm elasticsearchymloverride
      docker config create elasticsearchymloverride ./elasticsearch.override.yml
  6. Enable Verve Reporting from the Verve Software Manager and confirm that the application starts and "Machine Learning" is no longer listed in the main navigation bar under Analytics.
  7. Delete the copy of the Elasticsearch configuration override.
    1. rm elasticsearch.override.yml

Security Best Practices

High

SD1711 | Input Validation Vulnerability exists in Arena® Input Analyzer

Published Date:

November 14, 2024

Last Updated:

November 13, 2024

CVE IDs:

CVE-2024-6068

Products:

Arena® Input Analyzer

CVSS Scores (v3.1):

7.3

CVSS Scores (v4.0):

7.0

Revision Number:

1.0

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 11/14/2024

Revision Number: 1.0

CVSS Score: 3.1: 7.3/10, 4.0: 7.0/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Software Version	Corrected in Software Version
Arena® Input Analyzer	16.20.03 and prior	16.20.04

VULNERABILITY DETAILS

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6068 IMPACT

A memory corruption vulnerability exists in the affected products when parsing DFT files. Local threat actors can exploit this issue to disclose information and to execute arbitrary code. To exploit this vulnerability a legitimate user must open a malicious DFT file.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE 1284 Improper Validation of Specified Quantity in Input
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High

SD1709 | FactoryTalk View ME Remote Code Execution Vulnerability via Project Save Path

Published Date:

November 12, 2024

Last Updated:

November 12, 2024

CVE IDs:

CVE-2024-37365

Products:

FactoryTalk View Machine Edition

CVSS Scores (v3.1):

7.3

CVSS Scores (v4.0):

7.0

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Published Date: November 12^th, 2024

Last updated: November 12^th, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.3/10, v4.0: 7.0/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve our customer’s business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in Software Revision	Corrected in Software Revision
FactoryTalk View ME	>= V14; when using default folders privileges	V15

Mitigations and Workarounds

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.

· To enhance security and prevent unauthorized modifications to HMI project files, harden the Windows OS by removing the INTERACTIVE group from the folder’s security properties.

· Add specific users or user groups and assign their permissions to this folder using the least privileges principle. Users with read-only permission can still test run and run the FactoryTalk View ME Station.

· Guidance can be found in FactoryTalk View ME v14 Help topic: “HMI projects folder settings”. It can be opened through FactoryTalk View ME Studio menu “help\Contents\FactoryTalk View ME Help\Create a Machine Edition application->Open applications->HMI project folder settings”. Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-37365 IMPACT

A remote code execution vulnerability exists in the affected product. The vulnerability allows users to save projects within the public directory allowing anyone with local access to modify and/or delete files. Additionally, a malicious user could potentially leverage this vulnerability to escalate their privileges by changing the macro to execute arbitrary code.

CVSS 3.1 Base Score: 7.3/10

CVSS Vector: CVSS: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

Critical

SD1710 | FactoryTalk® Updater Multiple Vulnerabilities

Published Date:

November 12, 2024

Last Updated:

November 12, 2024

CVE IDs:

CVE-2024-10943, CVE-2024-10944, CVE-2024-10945

Products:

FactoryTalk Updater

CVSS Scores (v3.1):

9.1, 8.4, 7.3

CVSS Scores (v4.0):

9.1, 7.1, 7.0

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Published Date: 11/12/2024
Last Updated: 11/12/2024
Revision Number: 1.0
CVSS Score: Multiple, see below

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	First Known in Software Version	Corrected in Software Version
FactoryTalk® Updater – Web Client	CVE-2024-10943	v4.00.00	v4.20.00
FactoryTalk® Updater – Client	CVE-2024-10944	All version	V4.20.00
FactoryTalk® Updater – Agent	CVE-2024-10945	All version	V4.20.00

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-10943 IMPACT

An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.

CVSS 3.1 Base Score: 9.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 9.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE: CWE-922: Insecure Storage of Sensitive Information
Known Exploited Vulnerability (KEV) database: No

CVE-2024-10944 IMPACT

A Remote Code Execution vulnerability exists in the affected product. The vulnerability requires a high level of permissions and exists due to improper input validation resulting in the possibility of a malicious Updated Agent being deployed.

CVSS 3.1 Base Score: 8.4
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.1
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· Control access to the server where FactoryTalk® Updater is running.

· Click the ‘Scan’ button, which will update the database

CVE-2024-10945 IMPACT

A Local Privilege Escalation vulnerability exists in the affected product. The vulnerability requires a local, low privileged threat actor to replace certain files during update and exists due to a failure to perform proper security checks before installation.

CVSS 3.1 Base Score: 7.3
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.0
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-358: Improperly Implemented Security Check for Standard
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Critical

SD1708 | ThinManager® Multiple Vulnerabilities

Published Date:

October 25, 2024

Last Updated:

October 25, 2024

CVE IDs:

CVE-2024-10386, CVE-2024-10387

Products:

FactoryTalk ThinManager

CVSS Scores (v3.1):

9.8, 7.5

CVSS Scores (v4.0):

9.3, 8.7

Revision Number:

1

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

ThinManager® Multiple Vulnerabilities

Published Date: 10/25/2024
Last Updated: 10/25/2024
Revision Number: 1.0
CVSS Score: Multiple, see below

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Version(s)

Corrected Version(s)

ThinManager®

11.2.0-11.2.9

12.0.0-12.0.7

12.1.0-12.1.8

13.0.0-13.0.5

13.1.0-13.1.3

13.2.0-13.2.2

14.0.0

11.2.10

12.0.8

12.1.9

13.0.6

13.1.4

13.2.3

14.0.1

Available here: ThinManager Downloads | ThinManager ®

VULNERABILITY DETAILS

The security of our products is important to us as your chosen industrial automation supplier. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. These vulnerabilities were discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2024-10386 IMPACT

An authentication vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in database manipulation.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-306: Missing Authentication for Critical Function
Known Exploited Vulnerability (KEV) database: No

CVE-2024-10387 IMPACT

A Denial-of-Service vulnerability exists in the affected product. The vulnerability could allow a threat actor with network access to send crafted messages to the device, potentially resulting in Denial-of-Service.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-125: Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply these risk mitigations, if possible.

If able, navigate to the ThinManager® download site and upgrade to a corrected version of ThinManager® .

Implement network hardening for ThinManager® Device(s) by limiting communications to TCP 2031 to only the devices that require connection to the ThinManager® .

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

High

SD1707 | ControlLogix Vulnerable to Denial of Service via CIP Messages

Published Date:

October 10, 2024

Last Updated:

October 10, 2024

CVE IDs:

CVE-2024-6207

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

8.7

Revision Number:

1.0

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: October 10, 2024
Last updated: October 10, 2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5, v4.0: 8.7

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in firmware revision	Corrected in firmware revision
ControlLogix® 5580	V28.011	V33.017, V34.014, V35.013, V36.011 and later
ControlLogix® 5580 Process	V33.011	V33.017, V34.014, V35.013, V36.011 and later
GuardLogix 5580	V31.011	V33.017, V34.014, V35.013, V36.011 and later
CompactLogix 5380	V28.011	V33.017, V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380 SIL 2	V31.011	V33.017, V34.014, V35.013, V36.011 and later
Compact GuardLogix 5380 SIL 3	V32.013	V33.017, V34.014, V35.013, V36.011 and later
CompactLogix 5480	V32.011	V33.017, V34.014, V35.013, V36.011 and later
FactoryTalk® Logix Echo	V33.011	V34.014, V35.013, V36.011 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerability was reported to Rockwell Automation by Trevor Flynn.

CVE-2024-6207 IMPACT

A denial-of-service vulnerability exists in the affected products that will cause the device to result in a major nonrecoverable fault (MNRF) when it receives an invalid CIP request. To exploit this vulnerability a malicious user must chain this exploits with CVE 2021-22681 and send a specially crafted CIP message to the device. If exploited, a threat actor could help prevent access to the legitimate user and end connections to connected devices including the workstation. To recover the controllers, a download is required which ends any process that the controller is running.

CVSS Base Score v3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score v4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software are also encouraged to apply security best practices to minimize the risk of vulnerability.

Security Best Practices

ADDITIONAL RESOURCES

JSON CVE-2024-6207

High

SD1705 | PowerFlex 6000T CIP Security denial-of-service Vulnerability

Published Date:

October 07, 2024

Last Updated:

October 07, 2024

CVE IDs:

CVE-2024-9124

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

8.2

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 10/8/2024

Last Updated: 10/8/2024

Revision Number: 1.0
CVSS Score: 8.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Software Version	Corrected in Software Version
Drives - PowerFlex 6000T	8.001, 8.002, 9.001	10.001

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-9124 IMPACT

A denial-of-service vulnerability exists in the PowerFlex® 6000T. If the device is overloaded with requests, it will become unavailable. The device may require a power cycle to recover it if it does not re-establish a connection after it stops receiving requests.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Improper Check for Unusual or Exceptional Conditions
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

Security Best Practices

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

CVE-2024-9124 JSON

High

SD1706 | Logix Controllers Vulnerable to Denial-of-Service Vulnerability

Published Date:

October 07, 2024

Last Updated:

October 10, 2024

CVE IDs:

CVE-2024-8626

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

8.7

Revision Number:

2

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Logix Controllers Vulnerable to Denial-of-Service Vulnerability

Published Date: October 8, 2024

Last updated: October 10, 2024

Revision Number: 2.0

CVSS Score: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in Firmware Revision	Corrected in Firmware Revision
CompactLogix 5380 controllers	v33.011<	v33.015 and later for versions 33 v34.011 and later
Compact GuardLogix® 5380 controllers	v33.011<
CompactLogix 5480 controllers	v33.011<
ControlLogix 5580 controllers	v33.011<
GuardLogix 5580 controllers	v33.011<
1756-EN4TR	v3.002	4.001 and later

Mitigations and Workarounds

Customers using the affected versions are encouraged to upgrade to corrected firmware versions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Security Best Practices

VULNERABILITY DETAILS

CVE-2024-8626 IMPACT

Due to a memory leak, a denial-of-service vulnerability exists in the affected products. A malicious actor could exploit this vulnerability by performing multiple actions on certain web pages of the product causing the affected products to become fully unavailable and require a power cycle to recover.

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 7.5/10 (high)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score: 8.7/10 (high)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: 400 – Uncontrolled Resource Consumption

ADDITIONAL RESOURCES

JSON CVE-2024-8626

Medium

SD1704 | Improper Authorization Vulnerability in Verve® Asset Manager

Published Date:

October 04, 2024

Last Updated:

October 04, 2024

CVE IDs:

CVE-2024-9412

CVSS Scores (v3.1):

6.8

CVSS Scores (v4.0):

8.4

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 10/8/24

Last updated: 10/8/24

Revision Number: 1.0

CVSS Score: v3.1: 6.8, v4.0: 8.4

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Versions

Corrected in software version

Verve® Asset Manager

All versions < 1.38

V1.38

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-9412 IMPACT

An improper authorization vulnerability exists in the affected products that could allow an unauthorized user to sign in. While removal of all role mappings is unlikely, it could occur in the case of unexpected or accidental removal by the administrator. If exploited, an unauthorized user could access data they previously but should no longer have access to.

CVSS Base Score v3.1: 6.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 8.4/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-842: Placement of User into Incorrect Group

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

The presence of any mappings will help prevent this vulnerability from being exploited. If all mappings must be removed, manually removing previously mapped users is an effective workaround.

Security Best Practices

ADDITIONAL RESOURCES

· JSON CVE-2024-9412

Critical

SD1703 | DataMosaix™ Private Cloud third-party Vulnerabilities

Published Date:

October 04, 2024

Last Updated:

October 04, 2024

CVE IDs:

CVE-2019-14855, CVE-2019-17543, CVE-2019-18276, CVE-2019-19244, CVE-2019-989, CVE-2019-9923

CVSS Scores (v3.1):

7.5, 8.1, 7.8, 7.5, 9.8, 7.5

CVSS Scores (v4.0):

9.3, 8.7, 9.3, 8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 10/8/24

Revision Number: 1.0

CVSS Score: 3.1: 7.5, 8.1, 7.8, 9.8 4.0: 8.7, 9.3

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product Affected Product Affected Versions

DataEdgePlatform

DataMosaix™ Private Cloud <=7.07 v7.09

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities.

CVE-2019-14855 IMPACT

The affected product utilizes GnuPG which contains a certificate signature vulnerability found in the SHA-1 algorithm. A threat actor could use this weakness to create forged certificate signatures. If exploited, a malicious user could view customer data.

CVSS 3.1 Base Score: 7.5 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-17543 IMPACT

The affected product utilizes LZ4 which contains a heap-based buffer overflow vulnerability in versions before 1.9.2 (related to LZ4_compress_destSize), that affects applications that call LZ4_compress_fast with a large input. This issue can also lead to data corruption. NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 8.1 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-18276 IMPACT

The affected product utilizes shell.c which contains a vulnerability in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. A threat actor with command execution in the shell can use "enable -f" for runtime loading to gain privileges. If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 7.8 CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-19244 IMPACT

The affected product utilizes SQLite 3.30.1 which contains a vulnerability in sqlite3Select in select.c that allows a crash if a subselect uses both DISTINCT and window functions and has certain ORDER BY usage. If exploited, a malicious actor could perform a denial-of-service, which would require the use to restart the software to recover it.

CVSS 3.1 Base Score: 7.5 CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-9893 IMPACT

The affected product utilizes libseccomp, which contains a vulnerability in versions 2.4.0 and earlier that does not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE). This vulnerability could lead to bypassing seccomp filters and potential privilege escalations. If exploited, a malicious actor could perform a remote code execution.

CVSS 3.1 Base Score: 9.8 CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.3 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

CVE-2019-9923 IMPACT

The affected product utilizes GNU Tar, which contains a vulnerability in pax_decode_header in sparse.c in versions before 1.32. pax_decode_header has a NULL pointer dereference when parsing certain archives that have malformed extended headers. If exploited, a malicious actor could perform a denial-of-service, which would require the use to restart the software to recover it.

CVSS 3.1 Base Score: 7.5 CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7 CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Dependency on Vulnerable third-party Component Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

High

SD1702 | Sensitive Data Exposure and Escalating Privileges Vulnerabilities in DataMosaix™ Private Cloud

Published Date:

October 04, 2024

Last Updated:

October 04, 2024

CVE IDs:

CVE-2024-7952, CVE-2024-7953, CVE-2024-7956

CVSS Scores (v3.1):

7.5, 8.8, 8.1

CVSS Scores (v4.0):

7.5, 8.7, 7.6

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 10/8/24

Revision Number: 1.0
CVSS Score: v3.1: 7.5, 8.8 v4.0: 8.7

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Versions	Corrected in Software Version
DataEdgePlatform DataMosaix™ Private Cloud	<=7.07	v7.09

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7952 IMPACT

A data exposure vulnerability exists in the affected product. There are hardcoded links in the source code that lead to JSON files that can be reached without authentication. If exploited, a threat actor could view customer data.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE: Exposure of Sensitive Information to an unauthorized Actor
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7953 IMPACT

A vulnerability exists in the affected products that allows a threat actor to create a project and become the administrator for it. If exploited, a threat actor could create, modify, and delete their own project.

CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Missing Authorization
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7956 IMPACT

A vulnerability exists in the affected products that allows a threat actor to gain access to user’s projects. To exploit this vulnerability the threat actor must have basic user privileges. If exploited, the threat actor can modify and delete the project.

CVSS 3.1 Base Score: 8.1
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0 Base Score: 7.6
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

CWE: Incorrect Authorization
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.    

Security Best Practices

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

High

SD1701 | RSLogix™ 5 and RSLogix 500® Remote Code Execution Via VBA Embedded Script

Published Date:

September 16, 2024

Last Updated:

October 14, 2024

CVE IDs:

CVE-2024-7847

CVSS Scores (v3.1):

7.7

CVSS Scores (v4.0):

8.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

Yes

More Details Less Details

Published Date: September 19, 2024

Last updated: September 19, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.7/10, v4.0: 8.8/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected software version	Corrected in software version
RSLogix 500®	All	n/a
RSLogix™ Micro Developer and Starter	All	n/a
RSLogix™ 5	All	n/a

Mitigations and Workarounds

Users using the affected software are encouraged to apply the following mitigations and security best practices, where possible.

· Deny the execution feature in FactoryTalk® Administration Console, when not needed, by navigating to “Policies”, selecting ‘”Enable/Disable VBA”, and then checking the “Deny” box to block VBA code execution.

· Save project files in a Trusted® location where only administrators can modify it and verify file integrity.

· Utilize the VBA editor protection feature, which locks the VBA code from viewing and editing by setting a password.

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported to us by Sharon Brizinov of Claroty Research - Team82.

A feature in the affected products enables users to prepare a project file with an embedded VBA script and can be configured to run once the project file has been opened without user intervention. This feature can be abused to trick a legitimate user into executing malicious code upon opening an infected RSP/RSS project file. If exploited, a threat actor may be able to perform a remote code execution. Connected devices may also be impacted by exploitation of this vulnerability.

CVE-2024-7847 IMPACT

CVSS Base Score 3.1: 7.7/10

CVSS Vector String 3.1: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS Base Score 4.0: 8.8/10

CVSS Vector String 4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE: CWE-345 (Insufficient verification of data authenticity)

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

JSON CVE-2024-7847

High

SD1699 | 5015-U8IHFT Denial-of-Service Vulnerability via CIP Message

Published Date:

September 12, 2024

Last Updated:

November 11, 2024

CVE IDs:

CVE-2024-45825

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Software Versions	Corrected in Software Version
5015-U8IHFT	V1.011 and V1.012	V2.011

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45825 IMPACT

A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· Block communication to CIP class 883 if it is not required

· Block communication to CIP class 67 if it is not required

· Enforce proper network segmentation and routing controls

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

· JSON CVE-2024-45825

Critical

SD1698 | FactoryTalk® Batch View™ Authentication Bypass Vulnerability via shared secrets

Published Date:

September 12, 2024

Last Updated:

November 11, 2024

CVE IDs:

CVE-2024-45823

CVSS Scores (v3.1):

8.1

CVSS Scores (v4.0):

9.2

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 8.1/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Software Versions	Corrected in Software Version
FactoryTalk® Batch View™	2.01.00	3.00.00

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45823 IMPACT

An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication.

CVSS 3.1 Base Score: 8.1
CVSS 3.1 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

· JSON CVE-2024-45823

High

SD1700 | ThinManager® Code Execution Vulnerability

Published Date:

September 12, 2024

Last Updated:

November 11, 2024

CVE IDs:

CVE-2024-45826

CVSS Scores (v3.1):

6.8

CVSS Scores (v4.0):

8.5

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 6.8/10, v4.0: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Software Versions

Corrected in Software Version

ThinManager®

V13.1.0 - 13.1.2

V13.2.0 - 13.2.1

V13.1.3

V13.2.2

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45826 IMPACT

Due to improper input validation, a path traversal and remote code execution vulnerability exists when the ThinManager® processes a crafted POST request. If exploited, a user can install an executable file.

CVSS 3.1 Base Score: 6.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-610: Externally Controlled Reference to a Resource in Another Sphere
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

· JSON CVE-2024-45826

High

SD1697 | AADvance® Trusted® SIS Workstation contains multiple 7-ZIP Vulnerabilities

Published Date:

September 12, 2024

Last Updated:

November 11, 2024

CVE IDs:

CVE-2023-31102, CVE-2023-40481

CVSS Scores (v3.1):

7.8

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.8/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Software Versions	Corrected in Software Version
AADvance® Trusted® SIS Workstation	2.00.01 and earlier	2.00.02

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-31102 IMPACT

A vulnerability exists which could allow remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability because the target must visit a malicious page or open a malicious file.

The specific vulnerability exists in the analysis of 7Z files. The problem results from the lack of proper validation of user-supplied data, which can lead to an integer underflow before writing to memory. A threat actor can exploit this vulnerability to execute code in the context of the current process.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

CVE-2023-40481 IMPACT

A SquashFS File Parsing Out-Of-Bounds Write Remote Code Execution exists in 7-Zip that allows remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is also required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file.

The specific vulnerability arises during the analysis of SQFS files due to the lack of proper validation of user-supplied data. This can cause a write operation to exceed the end of an allocated buffer. A threat actor can exploit this vulnerability to execute code in the context of the current process.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· Do not archive or restore projects from unknown sources.

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

· JSON CVE-2023-31102

· JSON CVE-2023-40481

Critical

SD1696 | FactoryTalk® View Site Edition Remote Code Execution Vulnerability via Lack of Input Validation

Published Date:

September 12, 2024

Last Updated:

November 13, 2024

CVE IDs:

CVE-2024-45824

CVSS Scores (v3.1):

9.8

CVSS Scores (v4.0):

9.2

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Software Versions	Corrected in Software Version
FactoryTalk® View Site Edition	V12.0, V13.0, V14.0	Patches available here

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-45824 IMPACT

A remote code vulnerability exists in the affected products. The vulnerability occurs when chained with Path Traversal, Command Injection, and XSS Vulnerabilities and allows for full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue.

CVSS 3.1 Base Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 9.2
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-77: Improper Neutralization of Special Elements used in a Command
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

· Navigate to the following link and apply patches, directions are on the link page

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

· JSON CVE-2024-45824

High

SD1695 | Incorrect Privileges and Path Traversal Vulnerability in Pavilion8®

Published Date:

September 11, 2024

Last Updated:

October 16, 2024

CVE IDs:

CVE-2024-7960 , CVE-2024-7961

CVSS Scores (v3.1):

7.6, 7.2

CVSS Scores (v4.0):

8.8, 8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 9/12/24
Revision Number: 1.0
CVSS Score: 3.1: 7.6, 7.2 4.0: 8.8, 7.6

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Software Version	Corrected in Software Version
Pavilion8®	<V5.20	V6.0 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the vulnerabilities.

CVE-2024-7960 IMPACT

The affected product contains a vulnerability that allows a threat actor to view sensitive information and change settings. The vulnerability exists due to having an incorrect privilege matrix that allows users to have access to functions they should not.

CVSS 3.1 Base Score: 7.6
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

CVSS 4.0 Base Score: 8.8
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

CWE: Improper Privilege Management
Known Exploited Vulnerability (KEV) database: No

CVE-2024-7961 IMPACT

A path traversal vulnerability exists in the affected product. If exploited, the threat actor could upload arbitrary files to the server that could result in a remote code execution.

CVSS 3.1 Base Score: 7.2
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.6
CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

Security Best Practices

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

CVE-2024-7960 JSON

CVE-2024-7961 JSON

High

SD1694 | OptixPanel™ Privilege Escalation Vulnerability via File Permissions

Published Date:

September 10, 2024

Last Updated:

November 13, 2024

CVE IDs:

CVE-2024-8533

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

7.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 9/12/2024

Last Updated: 9/12/2024

Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 7.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Software Version

Corrected in Software Version

2800C OptixPanel™ Compact

4.0.0.325

4.0.2.116

2800S OptixPanel™ Standard

4.0.0.350

4.0.2.123

Embedded Edge Compute Module

4.0.0.347

4.0.2.106

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-8533 IMPACT

A privilege escalation vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing users to exfiltrate credentials and escalate privileges.

CVSS 3.1 Base Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 7.7
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-269: Improper Privilege Management
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply security best practices

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

JSON CVE-2024-8533

High

SD1693 | ControlLogix/GuardLogix 5580 and CompactLogix/Compact GuardLogix® 5380 Vulnerable to DoS vulnerability via CIP

Published Date:

September 10, 2024

Last Updated:

November 13, 2024

CVE IDs:

CVE-2024-6077

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Published Date: 9/12/2024

Updated Date: 9/12/2024

Revision Number: 1.0

CVSS: v3.1: 7.4, 4.0: 8.3

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Family

First Known in Software/Firmware Version

Corrected in Software/Firmware Version

CompactLogix 5380

v.32 .011

v33.017, v34.014, v35.013, v36.011 and later

CompactLogix 5380 Process

v.33.011

v33.017, v34.014, v35.013, v36.011 and later

Compact GuardLogix 5380 SIL 2

v.32.013

v33.017, v34.014, v35.013, v36.011 and later

Compact GuardLogix 5380 SIL 3

v.32.011

v33.017, v34.014, v35.013, v36.011 and later

CompactLogix 5480

v.32.011

v33.017, v34.014, v35.013, v36.011 and later

ControlLogix® 5580

v.32.011

v33.017, v34.014, v35.013, v36.011 and later

ControlLogix® 5580 Process

v.33.011

v33.017, v34.014, v35.013, v36.011 and later

GuardLogix 5580

v.32.011

v33.017, v34.014, v35.013, v36.011 and later

1756-EN4

v2.001

v6.001 and later

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6077 IMPACT

A denial-of-service vulnerability exists in the affected products when specially crafted packets are sent to the CIP Security Object. If exploited the device will become unavailable and require a factory reset to recover.

CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers who are unable to upgrade to the corrected software versions are encouraged to apply the following risk mitigations.

Users who do not wish to use CIP security can disable the feature per device. See "Disable CIP Security" in Chapter 2 of "CIP Security with Rockwell Automation Products" (publication SECURE-AT001)

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability. Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

JSON CVE-2024-6077

Critical

SD1692 | ThinManager® ThinServer™ Information Disclosure and Remote Code Execution Vulnerabilities

Published Date:

August 21, 2024

Last Updated:

November 19, 2024

CVE IDs:

CVE-2024-7986, CVE 2024-7987, CVE 2024 -7988

CVSS Scores (v3.1):

5.5, 7.8, 9.8

CVSS Scores (v4.0):

6.8, 8.5, 9.3

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 8/22/24

Last updated: 8/22/24

Revision Number: 1.0

CVSS Score: v3.1: 5.5, 7.8, 9.8, v4.0: 6.8, 8.5, 9.3

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

ThinManager® ThinServer™

11.1.0-11.1.7
11.2.0-11.2.8
12.0.0-12.0.6
12.1.0-12.1.7
13.0.0-13.0.4
13.1.0-13.1.2
13.2.0-13.2.1

11.1.8

11.2.9

12.0.7

12.1.8

13.0.5

13.1.3

13.2.2

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by Nicholas Zubrisky of Trend Micro Security Research.

CVE-2024-7986 IMPACT

A vulnerability exists in the affected products that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer™ service to read arbitrary files by creating a junction that points to the target directory.

CVSS Base Score v3.1: 5.5/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS Base Score v4.0: 6.8/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE: CWE-269 Improper Privilege Management

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

CVE-2024-7987 IMPACT

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. To exploit this vulnerability and a threat actor must abuse the ThinServer™ service by creating a junction and use it to upload arbitrary files.

CVSS Base Score v3.1: 7.8/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 8.5/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-732: Incorrect Permission Assignment for Critical Resource

CVE-2024-7988 IMPACT

A remote code execution vulnerability exists in the affected products that allows a threat actor to execute arbitrary code with System privileges. This vulnerability exists due to the lack of proper data input validation, which allows files to be overwritten.

CVSS Base Score v3.1: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score v4.0: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-20: Improper Input Validation

Mitigations and Workarounds

Customers using the affected software are encouraged to implement our suggested security best practices to minimize the risk of vulnerability.

· Security Best Practices

ADDITIONAL RESOURCES

· JSON CVE-2024-7986

· JSON CVE 2024-7987

· JSON CVE 2024 -7988

High

SD1689 | AADvance® Standalone OPC-DA Server Code Execution Vulnerability via Vulnerable Component

Published Date:

August 13, 2024

Last Updated:

November 19, 2024

CVE IDs:

CVE-2018-1285, CVE-2006-0743

CVSS Scores (v3.1):

7.5, 5.3

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: August 13, 2024
Last updated: August 13, 2024

Revision Number: 1.0

CVSS Score: Please see below

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in Software Version	Corrected in Software Version
AADvance® Standalone OPC-DA Server	v2.01.510	v2.02 and later

VULNERABILITY DETAILS

CVE IMPACT

An arbitrary code execution vulnerability exists in the affected product. The vulnerability occurs due to a vulnerable component, Log4Net v1.2, which has multiple vulnerabilities listed below:

CVE-2018-1285, CVSS score 7.5 - log4net config file does not disable XML external entities
- CVSS Base Score: 7.5
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE-20: Improper Input Validation
- Known Exploited Vulnerability (KEV) database: None
CVE-2006-0743, CVSS score 5.3 - format string vulnerability in log4net
- CVSS Base Score: 5.3
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- CWE-134: Use of Externally Controlled Format String
- Known Exploited Vulnerability (KEV) database: None

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

JSON CVE-2006-0743

JSON CVE-2018-1285

High

SD1687 | Authentication Bypass Vulnerability in DataMosaix™

Published Date:

August 13, 2024

Last Updated:

November 20, 2024

CVE IDs:

CVE-2024-6078

CVSS Scores (v3.1):

9.1

CVSS Scores (v4.0):

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Published Date: 8/13/2024

Updated Date: 8/13/2024
Revision Number: 1.0

CVSS: v3.1: 9.1, v4.0: 8.6

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in Software Version	Corrected in Software Version
DataMosaix™ Private Cloud	V7.07 <	v7.09 or later

Mitigations and Workarounds

Customers using the affected software are encouraged to upgrade the DataMosaix™ Private Cloud software from V7.07 to V7.09. The application support team will work with respective customers to upgrade.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

VULNERABILITY DETAIL

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6078 IMPACT

An improper authentication vulnerability exists in the affected product, which could allow a malicious user to generate cookies for any user ID without the use of a username or password. If exploited, a malicious user could take over the account of a legitimate user. The malicious user would be able to view and modify data stored in the cloud.

CVSS Base Score: 9.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS Base Score: 8.6
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CWE-287: Improper Authentication
Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

JSON CVE-2024-6078

High

SD1686 | ControlLogix/GuardLogix 5580 and CompactLogix/Compact GuardLogix® 5380 Controller Denial-of-Service Vulnerability via Input Validation

Published Date:

August 13, 2024

Last Updated:

November 19, 2024

CVE IDs:

CVE-2024-7515

CVSS Scores (v3.1):

8.6

CVSS Scores (v4.0):

8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Published Date: August 13, 2024
Last updated: September 13, 2024

Revision Number: 2.0

September 13, 2024 - Updated Affected Product and Solutions Table

CVSS Score: v3.1 8.6/10, v4.0 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in firmware revision	Corrected in firmware revision
CompactLogix 5380	v28.011	v34.014, v35.013, v36.011 and later
ControlLogix 5580	v28.011	v34.014, v35.013, v36.011 and later
GuardLogix 5580	v31.011	v34.014, v35.013, v36.011 and later
Compact GuardLogix 5380 SIL2	v31.011	v34.014, v35.013, v36.011 and later
Compact GuardLogix 5380 SIL3	V32.013	v34.014, v35.013, v36.011 and later
CompactLogix 5480	V32.011	v34.014, v35.013, v36.011 and later

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the following risk mitigations, if possible:

If PTP messages are not used, block at the network level, port UDP 319/320

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7515 IMPACT

A denial-of-service vulnerability exists in the affected products. A malformed PTP management packet can cause a major nonrecoverable fault in the controller.

CVSS 3.1 Base Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database: None

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

JSON CVE-2024-7515

High

SD1688 | FactoryTalk® View Site Edition Code Execution Vulnerability via File Permissions

Published Date:

August 13, 2024

Last Updated:

November 19, 2024

CVE IDs:

CVE-2024-7513

CVSS Scores (v3.1):

8.8

CVSS Scores (v4.0):

8.5

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Published Date: 8/13/2024
Last Updated: 8/15/2025
Revision Number: 2
CVSS Score: v3.1: 8.8/10, v4.0: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in Software Version	Corrected in Software Version
FactoryTalk® View SE	13.0	15.00

Mitigations and Workarounds
Customers using the affected software are encouraged to apply security best practices, if possible.

By default, all HMI server projects are saved in the HMI projects folder on the HMI server computer located at C:\Users\Public\Documents\RSView Enterprise\SE\HMI projects. To enhance security and prevent unauthorized modifications to these projects, you can tighten the Windows folder's security settings on the HMI server computer by following these steps:
- Remove the INTERACTIVE group from the folder’s security properties.
- Add specific users or user groups and assign their permissions to this folder as needed.
- If you assign read-only permission to those users or user groups, they can only view and will not be able to write to project files. Users with read-only permission can still test run and run the FactoryTalk® View SE client.
In Version 14: Open FactoryTalk® View Studio -> Help -> FactoryTalk® View SE Help -> In the Help file -> Security -> “HMI projects folder”

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7513 IMPACT

A code execution vulnerability exists in the affected product. The vulnerability occurs due to improper default file permissions allowing any user to edit or replace files, which are executed by account with elevated permissions.

CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
Known Exploited Vulnerability (KEV) database: No

ADDITIONAL RESOURCES

JSON CVE-2024-7513

High

SD1690 | GuardLogix/ControlLogix 5580 Controller denial-of-service Vulnerability via Malformed Packet Handling

Published Date:

August 13, 2024

Last Updated:

September 13, 2024

CVE IDs:

CVE-2024-40619

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: August 13, 2024
Last updated: September 13, 2024

Revision Number: 2..0

September 13th, 2024 – Updated “Corrected in Firmware Versions”

CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in Firmware Version	Corrected in Firmware Version
ControlLogix® 5580	v34.011	v34.014, v35.011 and later
GuardLogix 5580	v34.011	v34.014, v35.011 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.

CVE-2024-40619 IMPACT

A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service.

CVSS 3.1 Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE-754: Improper Check for Unusual or Exceptional Conditions

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

High

SD1691 | Pavilion8® Unencrypted Data Vulnerability via HTTP protocol

Published Date:

August 13, 2024

Last Updated:

November 13, 2024

CVE IDs:

CVE-2024-40620

CVSS Scores (v3.1):

7.4

CVSS Scores (v4.0):

5.3

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: August 13, 2024
Last updated: August 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.4/10, v4.0: 5.3/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in software version	Corrected in software revision
Pavilion8®	v5.20	v6.0

Mitigations and Workarounds

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

Interactions between the Console and Dashboard take place on the same machine, the machine should exist behind a firewall and physical access should be limited to authorized personnel.

Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.

CVE-2024-40620 IMPACT

A vulnerability exists in the affected product due to lack of encryption of sensitive information. The vulnerability results in data being sent between the Console and the Dashboard without encryption, which can be seen in the logs of proxy servers, potentially impacting the data's confidentiality.

CVSS 3.1 Base Score: 7.4/10  

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CSVV 4.0 Base Score: 5.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CWE-311: Missing Encryption of Sensitive Data

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

JSON CVE-2024-40620

Medium

SD1684 | Micro850/870 Vulnerable to denial-of-service Vulnerability via CIP/Modbus Port

Published Date:

August 12, 2024

Last Updated:

October 16, 2024

CVE IDs:

CVE 2024 7567

CVSS Scores (v3.1):

5.3

CVSS Scores (v4.0):

6.9

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Micro850/870 Vulnerable to denial-of-service Vulnerability via CIP/Modbus Port

Published Date: 8/13/24

Last Updated: 8/13/2024

Revision Number: 1.0

CVSS Score: v3.1: 5.3/10, v4.0: 6.9/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in Software Version	Corrected in Software Version
PLC - Micro850/870 (2080 -L50E/2080 -L70E)	v20.011	v22.011

VULNERABILITY DETAILS

Rockwell Automation used the latest versions of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-7567 IMPACT

A denial-of-service vulnerability exists via the CIP/Modbus port in the affected products. If exploited, the CIP/Modbus communication may be disrupted for short duration.

CVSS Base Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS Base Score: 6.9
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CWE: CWE-400: Uncontrolled Resource Consumption

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply security best practices, if possible.

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

· CVE-2024-7567

Medium

SD1683 | DLL Hijacking Vulnerability Exists in Emulate3D™

Published Date:

August 12, 2024

Last Updated:

November 19, 2024

CVE IDs:

CVE-2024-6079

CVSS Scores (v3.1):

6.7

CVSS Scores (v4.0):

5.4

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Published Date 8/13/2024

Updated Date: 8/13/2024

Revision Number: 1.0

CVSS: v3.1: 6.7 , 4.0: 5.4

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving your business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in Software Version	Corrected in Software Version
Emulate3D™	17.00.00.13276	17.00.00.13348

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6079 IMPACT

A vulnerability exists in the affected product, which could be leveraged to execute a DLL Hijacking attack. The application loads shared libraries, which are readable and writable by any user. If exploited, a malicious user could leverage a malicious dll and perform a remote code execution attack.

CVSS Base Score: 6.7
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS Base Score: 5.4
CVSS Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-610: Externally Controlled Reference to a Resource in Another Sphere
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the following risk mitigations , if possible:

· Update to the corrected software version, 17.00.00.13348.

· For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

· JSON CVE-2024-6079

High

SD1682 | Chassis Restrictions Bypass Vulnerability in Select Logix Devices

Published Date:

July 31, 2024

Last Updated:

October 16, 2024

CVE IDs:

CVE-2024-6242

CVSS Scores (v3.1):

8.4

CVSS Scores (v4.0):

7.3

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Published Date: August 1, 2024

Last updated: August 29th, 2024

Revision Number: 2.0

August 29, 2024 - Updated Affected Products and Solution Chart for 1756-EN2T, 1756-EN2F, 1756-EN2TR, 1756-EN3TR

CVSS Score: 3.1: 8.4/10, 4.0:/8.5

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in Firmware Revision	Corrected in Firmware Revision
ControlLogix® 5580 (1756-L8z)	V28	V32.016, V33.015, V34.014, V35.011 and later
GuardLogix® 5580 (1756-L8zS)	V31	V32.016, V33.015, V34.014, V35.011 and later
1756-EN4TR	V2	V5.001 and later
1756-EN2T , Series A/B/C 1756-EN2F, Series A/B 1756-EN2TR, Series A/B 1756-EN3TR, Series A	v5.007(unsigned)/v5.027(signed)	No fix for Series A/B/C. Upgrade to Series D. No fix for Series A/B. Upgrade to Series C. No fix for Series A/B. Upgrade to Series C. No fix for Series A. Upgrade to Series B.
1756-EN2T, Series D 1756-EN2F, Series C 1756-EN2TR, Series C 1756-EN3TR, Series B 1756-EN2TP, Series A	1756-EN2T/D: V10.006 1756-EN2F/C: V10.009 1756-EN2TR/C: V10.007 1756-EN3TR/B: V10.007 1756-EN2TP/A: V10.020	V12.001 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities. Claroty reported the following vulnerability.

CVE-2024-6242 IMPACT

A vulnerability exists in the affected products that allows a threat actor to bypass the Trusted® Slot feature in a ControlLogix® controller. If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis.

CVSS Base Score v3.1: 8.4/10 

CVSS Vector: CVSS:3.1 /AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H

CVSS Base Score v4.0: 7.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H

CWE-420: Unprotected Alternate Channel

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected firmware and who are not able to upgrade to one of the corrected versions are encouraged to apply the following mitigation and security best practices, where possible.

· Limit the allowed CIP commands on controllers by setting the mode switch to the RUN position.

· Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

· JSON CVE 2024-6242

· System Security Design Guidelines

High

SD1681 | Privilege Escalation Vulnerability in Pavilion8®

Published Date:

July 16, 2024

Last Updated:

November 20, 2024

CVE IDs:

CVE-2024-6435

CVSS Scores (v3.1):

8.8

CVSS Scores (v4.0):

8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: July 16, 2024
Last updated: July 16, 2024

Revision Number: 1.0

CVSS Score: v3.1: 8.8/10, v4.0: 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Software Version(s)

Corrected in Software Revision

Pavilion8®

v5.15.00
v5.15.01
v5.16.00
v5.17.00
v5.17.01

v5.20.00

v6.0

Mitigations and Workarounds

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.  

Limit access to only users who need it.

Periodically review user access and privileges to confirm accuracy.

Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.

CVE-2024-6435 IMPACT

A privilege escalation vulnerability exists in the affected products which could allow a malicious user with basic privileges to access functions which should only be available to users with administrative level privileges. If exploited, an attacker could read sensitive data, and create users. For example, a malicious user with basic privileges could perform critical functions such as creating a user with elevated privileges and reading sensitive information in the “views” section.

CVSS 3.1 Base Score: 8.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-732: Incorrect Permission Assignment for Critical Resource

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

ADDITIONAL RESOURCES

JSON CVE-2024-6435

High

SD1680 | Major nonrecoverable fault in 5015 – AENFTXT

Published Date:

July 10, 2024

Last Updated:

November 20, 2024

Products:

CVE-2024-6089

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Major nonrecoverable fault in 5015 – AENFTXT

Published Date: 7/16/2024

Updated Date: 7/16/2024

Revision Number: 1.0

CVSS: v3.1: 7.5, 4.0: 8.7

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in firmware revision

Corrected in firmware revision

5015 - AENFTXT

v2.011

v2.012

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6089 IMPACT

An input validation vulnerability exists in the affected products when a manipulated PTP packet is sent, causing the secondary adapter to result in a major nonrecoverable fault. If exploited, a power cycle is required to recover the product.

CVSS Base Score: 8.7/10
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS Base Score: 7.5/10
CVSS Vector: CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Update to the corrected firmware revision, v2.012.

For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.   

JSON CVE-2024-6089

High

SD1679 | Input Validation Vulnerability exists in the SequenceManager™ Server

Published Date:

July 10, 2024

Last Updated:

September 27, 2024

CVE IDs:

CVE-2024-6436

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: July 16, 2024

Last updated: October 1, 2024

Revision Number: 2.0

October 1, 2024 - Updated CVE Number.

CVSS Score: v3.1 7.5/10, v4.0 8.7/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Software Versions	Corrected in software version
SequenceManager™	<v2.0	v2.0 or later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6436 IMPACT

An input validation vulnerability exists in the affected products which could allow a malicious user to send malformed packets to the server and cause a denial-of-service condition. If exploited, the device would become unresponsive, and a manual restart will be required for recovery. Additionally, if exploited, there could be a loss of view for the downstream equipment sequences in the controller. Users would not be able to view the status or command the equipment sequences, however the equipment sequence would continue to execute uninterrupted.

CVSS 3.1 Base Score: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-428: Unquoted Search Path or Element

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

· Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

· JSON CVE-2024-6436

Medium

SD1678 | Unsecured Private Keys in FactoryTalk® System Services

Published Date:

July 02, 2024

Last Updated:

December 01, 2024

CVE IDs:

CVE-2024-6325 , CVE-2024-6236

CVSS Scores (v3.1):

6.5, 5.9

CVSS Scores (v4.0):

6.0, 1.8

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: July 11, 2024

Last updated: July 11, 2024

Revision Number: 1.0

CVSS Score: v3.1: 6.5/10, 5.9/10 ; v4.0: 6.0/10, 1.8/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product	Affected Version	Corrected Version
FactoryTalk® System Services (installed via FTPM)	v6.40	V6.40.01
FactoryTalk® Policy Manager (FTPM)	v6.40	V6.40.01

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-6325 IMPACT

The v6.40 release of FactoryTalk® Policy Manager allowed the private keys to be insecurely stored with read and execute privileges for the Windows group, ‘Everyone’. These keys are used to generate digital certificates and pre-shared keys. This vulnerability could allow a malicious user with access to the machine to obtain private keys. If obtained, a malicious user could impersonate resources on the secured network. For customers using FactoryTalk® Policy Manager v6.40 who mitigated CVE-2021-22681 and CVE-2022-1161 by implementing CIP security and did not update to the versions of the software that contain the remediation, this vulnerability could allow a threat actor to exploit CVE-2022-1161 and CVE-2022-1161.

CVSS Base Score v3.1: 6.5/10

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CVSS Base Score v4.0: 6.0/10

CVSS Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

CWE: CWE-269 Improper Privilege Management

CVE-2024-6236 IMPACT

An exposure of sensitive information vulnerability exists in the FactoryTalk® System Service. A malicious user could exploit this vulnerability by starting a back-up or restore process, which temporarily exposes private keys, passwords, pre-shared keys, and database folders when they are temporarily copied to an interim folder. This vulnerability is due to the lack of explicit permissions set on the backup folder. If private keys are obtained by a malicious user, they could impersonate resources on the secured network.

CVSS Base Score v3.1: 5.9/10

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CVSS Base Score v4.0: 1.8/10

CVSS Vector String: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

CWE-269 Improper Privilege Management

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software are encouraged to implement the following steps to invalidate the existing vulnerable private keys/digital certificates and regenerate new secure ones.

· Clear CIP Security configurations from devices and from FactoryTalk® Policy Manager

· Update FactoryTalk® System Services and FactoryTalk® Policy Manager to v6.40.01

· Redeploy CIP Security Policy

Detailed steps are below (FactoryTalk System Services (FTSS) is updated through the installation of FactoryTalk Policy Manager (FTPM)

1) Remove deployed security policy from all devices using FactoryTalk® Policy Manager (FTPM):

a. Open FTPM.

b. Document all Zone’s security settings and all Conduit’s settings as you must re-create them after updating FTPM.

c. Change all devices port’s Policies > Zone values to the “Unassigned” Zone.

d. Delete all zones and conduits.

e. Deploy (CIP). Ensure that all endpoints were reset successfully.

f. [migrating from v6.40 only] Deploy (OPC UA). Ensure all endpoints were reset successfully.

i. For any OPC UA clients, perform whatever steps are required by those clients to remove the previously applied certificates.

g. Close FTPM

2) Delete the \FTSS_backup folder:

a. c:\ProgramData\Rockwell\RNAServer\Global\RnaStore\FTSS_Backup

3) Delete the \keystore folder:

a. c:\ProgramData\Rockwell Automation\FactoryTalk System Services\keystore

4) Delete any backup copies of the \keystore folder. They will be named the same as the \keystore folder but with a suffix appended to it, like:

a. c:\ProgramData\Rockwell Automation\FactoryTalk System Services\ keystore_source_2024_04_25_12_25_38_541566

5) Delete the PSKs.json file:

a. c:\ProgramData\Rockwell Automation\FactoryTalk System Services\PSKs.json

6) Delete any backup copies of the PSKs.json file. They will be named the same as the PSKs.json file but with a suffix appended to it, like:

a. c:\ProgramData\Rockwell Automation\FactoryTalk System Services\ PSKs.json_source_2024_05_17_07_38_25_200356

7) Install FactoryTalk® Policy Manager version 6.40.01.

a. Restart the computer when prompted at the end of the install.

8) Open FTPM. FTPM will attempt to connect to the FactoryTalk® System Services web server before proceeding.

9) If FTPM could not successfully connect to FactoryTalk® System Services (FTSS), it is because the FTSS service hasn’t started yet. It will eventually start or else you can start the FTSS service manually in Windows Services.

10) Re-create the original Zones.

11) Move the devices from the unassigned Zone back to their original zones.

12) Re-create the original Conduits.

13) Deploy (CIP endpoints).

14) [migrating from v6.40 only] Deploy (OPC UA endpoints).

a. For any OPC UA client endpoints, manually apply the newly generated certificates from this deploy.

Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

· Security Best Practices

ADDITIONAL RESOURCES

· JSON CVE 2024 6325

· JSON CVE 2024 6326

Critical

SD1677 | ThinManager® ThinServer™ Improper Input Validation Vulnerabilities

Published Date:

June 20, 2024

Last Updated:

October 16, 2024

CVE IDs:

CVE-2024-5988 , CVE-2024-5989, CVE-2024-5990

CVSS Scores (v3.1):

9.8, 7.5

CVSS Scores (v4.0):

9.3, 8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

ThinManager® ThinServer™ Improper Input Validation Vulnerabilities

Published Date: June 25, 2024

Last updated: June 25, 2024

Revision Number: 1.0

CVSS Score: 3.1: 9.8/10, 7.5/10, 4.0: 9.3/10, 8.7 /10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

First Known in software version

Corrected in software version (Available Here)

ThinManager® ThinServer™

2024-5988

2024-5989

11.1.0

11.2.0

12.0.0

12.1.0

13.0.0

13.1.0

13.2.0

11.1.8

11.2.9

12.0.7

12.1.8

13.0.5

13.1.3

13.2.2

2024-5990

11.1.0

11.2.0

12.0.0

12.1.0

13.0.0

13.1.0

11.1.8

11.2.9

12.0.7

12.1.8

13.0.4

13.1.2

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations from the list below, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of vulnerability.

· Update to the corrected software versions via the ThinManager® Downloads Site

· Limit remote access for TCP Port 2031 to known thin clients and ThinManager® servers.

· Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. This vulnerability was discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2024-5988 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke a local or remote executable and cause a remote code execution condition on the affected device.

CVSS Base Score: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 20 Improper Input Validation

CVE-2024-5989 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to invoke SQL injection into the program and cause a remote code execution condition on the affected device.

CVSS Base Score: 9.8/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Base Score: 9.3/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: 20 Improper Input Validation

CVE-2024-5990 IMPACT

Due to an improper input validation, an unauthenticated threat actor can send a malicious message to a monitor thread within ThinServer™ and cause a denial-of-service condition on the affected device.

CVSS Base Score: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: 20 Improper Input Validation

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

· CVE-2024-5988 JSON

· CVE-2024-5989 JSON

· CVE-2024-5990 JSON

Critical

SD1676 | FactoryTalk® View SE v11 Information Leakage Vulnerability via Authentication Restriction

Published Date:

June 12, 2024

Last Updated:

December 01, 2024

CVE IDs:

CVE-2024-37368

CVSS Scores (v3.1):

9.8

CVSS Scores (v4.0):

9.2

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: June 13, 2024

Last updated: June 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

FactoryTalk® View SE

v11.0

v14.0

Mitigations and Workarounds

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

It is recommended that users enforce proper access controls within the network and segment networks containing sensitive information using IPSec: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1090456

Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.

CVE-2024-37368 IMPACT

A user authentication vulnerability exists in the affected product. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. Due to the lack of proper authentication, this action is allowed without proper authentication verification.

CVSS 3.1 Base Score: 9.8/10  

CSVV 4.0 Base Score: 9.2/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

JSON CVE-2024-37368

High

SD1675 | FactoryTalk® View SE v12 Information Leakage Vulnerability via Authentication Restriction

Published Date:

June 12, 2024

Last Updated:

December 01, 2024

CVE IDs:

CVE-2024-37367

CVSS Scores (v3.1):

9.8

CVSS Scores (v4.0):

9.2

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: June 13, 2024

Last updated: June 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 9.8/10, v4.0: 9.2/10

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

FactoryTalk® View SE

v12.0

V14.0 and later

Mitigations and Workarounds

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

It is recommended that users enforce proper access controls within the network and segment networks containing sensitive information using IPSec: https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1090456

Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.

CVE-2024-37367 IMPACT

A user authentication vulnerability exists in the affected product. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. This action is allowed without proper authentication verification.

CSVV 4.0 Base Score: 8.2/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

JSON CVE-2024-37367

High

SD1674 | FactoryTalk® View SE Local Privilege Escalation Vulnerability via Local File Permissions

Published Date:

June 12, 2024

Last Updated:

December 01, 2024

CVE IDs:

CVE-2024-37369

CVSS Scores (v3.1):

7.8

CVSS Scores (v4.0):

8.5

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: June 13, 2024

Last updated: June 13, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.8/10, v4.0: 8.5/10

The security of our products is important to us as your chosen industrial automation supplier.  This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

FactoryTalk® View SE

V12.0

v14

Mitigations and Workarounds

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.   

Use the Secure Install option when installing FactoryTalk® Services Platform.

Security Best Practices

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring systems to assess the following vulnerabilities.

CVE-2024-37369 IMPACT

A privilege escalation vulnerability exists in the affected product. The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system.

CVSS 3.1 Base Score: 7.8/10  

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CSVV 4.0 Base Score: 8.5/10

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE-732: Incorrect Permission Assignment for Critical Resource

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

JSON CVE 2024-37369

High

SD1673 | Multicast Request Causes major nonrecoverable fault on Select Controllers

Published Date:

June 12, 2024

Last Updated:

December 01, 2024

CVE IDs:

CVE 2024-5659

CVSS Scores (v3.1):

7.4

CVSS Scores (v4.0):

8.3

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Published Date: June 11, 2024

Last updated: June 11, 2024

Revision Number: 1.0

CVSS Score: v3.1: 7.4/10, 4.0: 8.3/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in firmware revision

Corrected in firmware revision

ControlLogix® 5580

V34.011

V34.014, V35.013, V36.011 and later

GuardLogix 5580

V34.011

V34.014, V35.013, V36.011 and later

1756-EN4

V4.001

V6.001 and later

CompactLogix 5380

V34.011

V34.014, V35.013, V36.011 and later

Compact GuardLogix 5380

V34.011

V34.014, V35.013, V36.011 and later

CompactLogix 5480

V34.011

V34.014, V35.013, V36.011 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

Rockwell Automation was made aware of a vulnerability that causes all affected controllers on the same network to result in a major nonrecoverable fault(MNRF/Assert). This vulnerability could be exploited by sending abnormal packets to the mDNS port If exploited, the availability of the device would be compromised.

CVE-2024-5659 IMPACT

CVSS Base Score v3.1: 7.4/10

CVSS Vector String: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS Base Score v4.0: 8.3/10

CVSS Vector String: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

CWE: CWE 670 – Always Incorrect Flow Implementation

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply the risk mitigations, where possible.

· Users who do not use Automatic Policy Deployment (APD) should block mDNS port, 5353 to help prevent communication.

· Enable CIP Security. CIP Security with Rockwell Automation Products Application Technique

· Security Best Practices

ADDITIONAL RESOURCES

· JSON CVE 2024 - 5659

SD1672 | IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet to Protect from Cyber Threats

Published Date:

May 21, 2024

Last Updated:

August 07, 2025

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet to Protect from Cyber Threats

Due to heightened world tensions and negative cyber activity, Rockwell Automation suggests customers take IMMEDIATE action. Customers should check if they have devices facing the public internet. If so, remove that connectivity for devices not designed for public internet connectivity.

Rockwell Automation has guidance for all devices not specifically designed for public internet connectivity. Users should never configure their devices to be directly connected to the public-facing internet. Removing that connectivity as a proactive step reduces the attack surface. This can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors.

Rockwell Automation and CISA (Cybersecurity and Infrastructure Security Agency) provide more information on attacks on public-internet-exposed assets. This includes information on how to identify exposed assets and disconnect them from the public internet.

Rockwell Automation suggests customers follow the security best practices if disconnection is not possible: Rockwell Automation | Security Best Practices [login required].

Customers should be aware of the following related CVE’s and ensure mitigations are in place.

CVE No.	Alert Code (ICSA)	Advisory Name and Link, URL
2021-22681	21-056-03	CISA \| Rockwell Automation Logix Controllers (Update A) https://www.cisa.gov/news-events/ics-advisories/icsa-21-056-03
2022-1159	22-090-07	CISA \| Rockwell Automation Studio 5000 Logix Designer https://www.cisa.gov/news-events/ics-advisories/icsa-22-090-07
2023-3595	23-193-01	CISA \| Rockwell Automation Select Communication Modules https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01
2023-46290	23-299-06	CISA \| Rockwell Automation FactoryTalk Services Platform https://www.cisa.gov/news-events/ics-advisories/icsa-23-299-06
2024-21914	24-086-04	CISA \| Rockwell Automation FactoryTalk View ME https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04
2024-21915	24-046-16	CISA \| Rockwell Automation FactoryTalk Service Platform https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-16
2024-21917	24-030-06	CISA \| Rockwell Automation FactoryTalk Service Platform https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-06

High

SD1671 | FactoryTalk® Remote Access™ Has Unquoted Executables

Published Date:

May 07, 2024

Last Updated:

December 04, 2024

CVE IDs:

CVE-2024-3640

CVSS Scores (v3.1):

7.7

CVSS Scores (v4.0):

7.0

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: May 14, 2024

Last updated: August 6, 2025

Revision Number: 1.0

CVSS Score: v3.1: 7.7/10, v4.0: 7.0

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

FactoryTalk® Remote Access™ (FTRA)

v13.5.0.174

V13.6

SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-3640 IMPACT

An unquoted executable path exists in the affected products. This could result in remote code execution if exploited. When running the FTRA installer package, the executable path is not properly quoted. This could allow a threat actor to enter a malicious executable and run it as a System user. A threat actor needs admin privileges to exploit this.

CVSS Base Score v3.1: 6.5/10

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-428: Unquoted Search Path or Element

CVSS Base Score v4.0: 7.0/10

CVSS Vector String 4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Mitigations and Workarounds

Customers using the affected software that are not able to upgrade to one of the corrected versions should use the security best practices.

Security Best Practices

ADDITIONAL RESOURCES

The link provides CVE information in Vulnerability Exploitability Exchange (VEX) format. This is machine readable and can be used to automate vulnerability management and tracking activities.

JSON CVE-2024-3640

Glossary

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Unquoted Executable Path: a vulnerability that occurs when a service is created with an executable path containing spaces and isn’t enclosed within quotes

Vulnerability Exploitability Exchange (VEX): a framework that allows software suppliers or other parties to assert the status of specific vulnerabilities in a particular product

High

SD1670 | Datalog Function within in FactoryTalk® View SE Contains SQL Injection Vulnerability

Published Date:

May 07, 2024

Last Updated:

December 03, 2024

CVE IDs:

CVE-2024-4609

CVSS Scores (v3.1):

7.6

CVSS Scores (v4.0):

8.8

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: May 15, 2024

Last updated: August 6, 2025

May 22, 2024 - Updated corrected software versions

Revision Number: 2.0

CVSS Score: v3.1: 7.6/10, v4.0 8.8/10

The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency and all business environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

FactoryTalk® View SE

< 14

V11,12,13, 14 or later

SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

A security issue exists in the FactoryTalk® View SE Datalog function. This could allow a threat actor to inject a malicious SQL statement if the SQL database has no authentication in place or if legitimate credentials were stolen. The attack could result in information exposure, revealing sensitive information. A threat actor could then modify and delete the data in a remote database. An attack would only affect the HMI design time, not runtime.

CVE-2024-4609 IMPACT

CVSS v3.1 Base Score: 7.6

CVSS Vector String: CVSS 3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

CVSS v4.0 Base Score: 8.8

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

CWE: CWE-20 Improper input invalidation

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to create more environmentally specific categories.

Mitigations and Workarounds

Customers using the affected software that are not able to upgrade to one of the corrected versions should use security best practices.  

Security Best Practices

ADDITIONAL RESOURCE

The link provides CVE information in Vulnerability Exploitability Exchange (VEX) format. This is machine readable and can be used to automate vulnerability management and tracking activities.

JSON CVE-2024-4609

Glossary
HMI Design Time: the process of creating and designing Human-Machine Interface screens
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
SQL Statement: Used to communicate with databases. A statement is a command to be understood by the interpreter and executed by the SQL engine.
Vulnerability Exploitability Exchange (VEX): a framework that allows software suppliers or other parties to assert the status of specific vulnerabilities in a particular product

High

SD1669 | FactoryTalk® Historian SE Vulnerable to AVEVA-2024-001 and AVEVA-2024-002

Published Date:

May 06, 2024

Last Updated:

November 19, 2024

CVE IDs:

CVE-2023-31274, CVE-2023-34348

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

7.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: May 9, 2024

Last updated: August 5, 2025

Revision Number: 1.0

CVSS Score: v3.1: 7.5/10, v4.0: 7.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Versions

Corrected in software version

FactoryTalk® Historian SE

< v9.0

v9.01 and later

SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues.

CVE-2023-31274 IMPACT

FactoryTalk® Historian SE utilizes the AVEVA PI Server, which contains a security issue. This could allow an unauthenticated user to cause a partial denial-of-service condition. This happens in the PI Message Subsystem of a PI Server by consuming available memory. This exists in FactoryTalk® Historian SE versions 9.0 and earlier. Use of this issue could cause FactoryTalk® Historian SE to become unavailable. This would requiring a power cycle to recover it.

CVSS Base Score v3.1: 7.5/10

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score v4.0: 7.7/10

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

CWE: Dependency on Vulnerable third-party Component

CVE-2023-34348 IMPACT

FactoryTalk® Historian SE use the AVEVA PI Server. This contains a security issue that could allow an unauthenticated user to remotely crash the PI Message Subsystem of a PI Server. This would result in a denial-of-service condition. This issue exists in FactoryTalk® Historian SE versions 9.0 and earlier. Use of this could cause FactoryTalk® Historian SE to become unavailable. This requires a power cycle to recover it.

CVSS Base Score v3.1: 7.5/10

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score v4.0: 7.7/10

CVSS Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

CWE: Dependency on Vulnerable third-party Component

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Mitigations and Workarounds

Customers using the affected software should install FactoryTalk® Historian SE version 9.01 or higher as soon as feasible. For customers unable to upgrade to v9.0, defensive measures are available in the Rockwell article.

https://idp.rockwellautomation.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Drockwellautomation.custhelp.com%26RelayState%3Danswers%2Fanswer_view%2Fa_id%2F1150873

Customers should use our suggested security best practices to minimize the risks.

Security Best Practices

ADDITIONAL RESOURCES

Glossary

Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

PI Message Subsystem: A part of the PI System that handles logging and messaging. IT is responsible for managing PI Logs, which are binary files located in the PI/Log folder on a PI Server or PIPC/Log on clients and interfaced nodes

Critical

SD1668 | FactoryTalk® Production Centre Vulnerable to Apache ActiveMQ Vulnerability

Published Date:

April 18, 2024

Last Updated:

December 03, 2024

CVE IDs:

CVE-2023-4664

CVSS Scores (v3.1):

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Published Date: April, 16, 2024

Last updated: April 16, 2024

Revision Number: 1.0

CVSS Score: 9.8 /10

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in Software Version	Corrected in Software Version
FactoryTalk® Production Centre	10.0	11.03.00

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-4664 IMPACT

Apache ActiveMQ, a component utilized in FactoryTalk Production Centre, is vulnerable to Remote Code Execution. The vulnerability may allow a remote threat actor with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol. This could cause the broker to instantiate any class on the classpath.

CVSS Base Score: 9.8

CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: 502 Deserialization of Untrusted Data

Known Exploited Vulnerability (KEV) database: Yes

Users can use Stakeholder-Specific Vulnerability Categorization to generate environment specific prioritization.

Mitigations and Workarounds

Users using the affected software and who are not able to upgrade to one of the corrected versions are encouraged to apply security best practices, where possible.

· Update to the version that fixes the issue as detailed in this article.
· Follow the security recommendations in PN1592 for FTPC.
· Implement Security Best Practices

ADDITIONAL RESOURCES

· JSON CVE-2023-46604

Critical

SD1666 | ControlLogix® and GuardLogix® Vulnerable to Major Nonrecoverable Fault Due to Invalid Header Value

Published Date:

April 11, 2024

Last Updated:

December 04, 2024

CVE IDs:

CVE-2024-3493

CVSS Scores (v3.1):

8.6

CVSS Scores (v4.0):

9.2

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: April 11, 2024

Last updated: August 5, 2025

Revision Number: 2.0

May 2, 2024 - Added to products to Affected Products and Solutions section

CVSS Score:v.3.1 8.6/10, v.4.0 9.2/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in Firmware Revision

Corrected in Firmware Revision

ControlLogix® 5580

V35.011

V35.013, V36.011 and later

GuardLogix 5580

V35.011

V35.013, V36.011 and later

CompactLogix 5380

V35.011

V35.013, V36.011 and later

Compact GuardLogix 5380

V35.011

V35.013, V36.011 and later

1756-EN4TR

V5.001

V6.001 and later

ControlLogix 5580 Process

V35.011

V35.013, V36.011 and later

CompactLogix 5380 Process

V35.011

V35.013, V36.011and later

CompactLogix 5480

V35.011

V35.013, V36.011 and later

SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues.

CVE-2024-3493 IMPACT

A specific malformed fragmented packet type can cause a Major Nonrecoverable Fault (MNRF). The affected product could become unavailable and require a manual restart to recover it. A MNRF could result in a loss of view and/or control of connected devices.

CVSS Base Score: 8.6/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS Base Score: 9.2/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

CWE: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Mitigations and Workarounds

Customers using the affected software that are not able to upgrade to one of the corrected versions should use the security best practices.  

Security Best Practices

ADDITIONAL RESOURCES

The link provides CVE information in Vulnerability Exploitability Exchange (VEX) format. This is machine readable and can be used to automate vulnerability management and tracking activities.

JSON CVE 2024-3493

Glossary
Fragment Packet: may be generated automatically by devices that send large amounts of data
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Major Nonrecoverable Fault (MNRF): an error that occurs in a system or device and prevents it from recovering or functioning properly
Vulnerability Exploitability Exchange (VEX): a framework that allows software suppliers or other parties to assert the status of specific vulnerabilities in a particular product

SD1667 | Input/output Device Vulnerable to Major Nonrecoverable Fault

Published Date:

April 11, 2024

Last Updated:

December 04, 2024

CVE IDs:

CVE-2024-2424

Products:

5015-AENFTXT

CVSS Scores (v3.1):

7.5

CVSS Scores (v4.0):

8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: April 11, 2024

Last updated: April 17, 2024

Revision Number: 2.0

4/17/24 - Updated Affected Products and Solutions

CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in firmware version

Corrected in firmware version

5015-AENFTXT

v2.011

v2.012 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-2424 IMPACT

An input validation vulnerability exists among the affected products that causes the secondary adapter to result in a major nonrecoverable fault (MNRF) when malicious input is entered. If exploited, the availability of the device will be impacted, and a manual restart is required. Additionally, a malformed PTP packet is needed to exploit this vulnerability.

CVSS 3.1 Base Score: 7.5/10

CVSS Vector: CVSS: 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0 Base Score: 8.7/10

CVSS Vector: CVSS: 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Users using the affected software, who are not able to upgrade to one of the corrected versions, are encouraged to apply security best practices, where possible.

Security Best Practices

ADDITIONAL RESOURCES

The following link provides CVE information in Vulnerability Exploitability Exchange (VEX) format, which is machine readable and can be used to automate vulnerability management and tracking activities.

JSON CVE 2024-2424

High

SD1665 | Arena® Simulation Vulnerabilities

Published Date:

March 26, 2024

Last Updated:

October 16, 2024

CVE IDs:

CVE-2024-21912, CVE-2024-21913, CVE-2024-2929, CVE-2024-21918, CVE-2024-21919, CVE-2024-21920

Products:

Arena® Simulation Software

CVSS Scores (v3.1):

7.8, 4.4

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Arena® Simulation Vulnerabilities
Published Date: March 26, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: 7.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	First Known in Software Version	Corrected in Software Version
Arena® Simulation Software	CVE-2024-21912	16.00	16.20.03
	CVE-2024-21913
	CVE-2024-2929
	CVE-2024-21918
	CVE-2024-21919
	CVE-2024-21920	16.00	This issue is within the Microsoft dynamic library link file and will not be remediated. Do not open untrusted files from unknown sources to mitigate the issue

SECURITY ISSUE DETAILS

These security issues were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation uses the latest version of the CVSS scoring system to assess the following security issues.

CVE-2024-21912 IMPACT

An arbitrary code execution security issue could let a threat actor insert unauthorized code into the software. This is done by writing beyond the designated memory area. This causes an access violation. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupt file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

CVE-2024-21913 IMPACT

A heap-based memory buffer overflow security issue could allow a threat actor to insert unauthorized code into the software. This is done by overstepping the memory boundaries, which triggers an access violation. A threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupt file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-122: Heap-based Buffer Overflow

Known Exploited Vulnerability (KEV) database: No

CVE-2024-2929 IMPACT

A memory corruption security issue could allow a threat actor to insert unauthorized code to the software. This is done by corrupting the memory triggering an access violation. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupted file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Known Exploited Vulnerability (KEV) database: No

CVE-2024-21918 IMPACT

A memory buffer security issue could allow a threat actor to insert unauthorized code to the software. This is done by corrupting the memory and triggering an access violation. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupted file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free

Known Exploited Vulnerability (KEV) database: No

CVE-2024-21919 IMPACT

An arbitrary code execution vulnerability was located in memory location of this product. This could result in a threat actor leveraging a uninitialized pointer and passing it throughout the application. This could allow a threat actor to insert unauthorized code to the software resulting in undefined behaviors. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupted file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer

CVE-2024-21920 IMPACT

A memory buffer security issue could allow a threat actor read beyond the intended memory boundaries. This could reveal sensitive information and cause the application to crash. This would result in a denial-of-service condition. To use this, the user would unknowingly need to open a corrupted file shared by the threat actor.

CVSS Base Score: 4.4
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds

Customers using the affected software should use the risk mitigations and security best practices.

Do not open untrusted files from unknown sources.
For information on Security Risks for industrial automation control systems, customers should use our suggested security best practices to minimize the risks.

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

ADDITIONAL RESOURCES

Glossary

Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process

Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations

Heap-based Memory Buffer Overflow: a type of buffer overflow that occurs in the heap data area. Memory on the heap is dynamically allocated at runtime and typically contains program data.

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Memory Buffer: occurs when a program writes more data to a buffer than it can hold. This can lead to data corruption, program crashes, or unintended behavior

Memory Corruption: occurs when a flaw in software leads to the modification of memory in unintended ways, potentially causing unexpected behavior or providing avenues for exploitation

Uninitialized Pointer: occurs when a program accesses or uses a pointer that has not been initialized. If the pointer contains an uninitialized value, it might not point to a valid memory location, leading to unpredictable behavior and potential security vulnerabilities

High

SD1664 | Denial-of-service and Input Validation Vulnerabilities in PowerFlex® 527

Published Date:

March 21, 2024

Last Updated:

December 04, 2024

CVE IDs:

CVE-2024-2425, CVE-2024-2426, CVE-2024-2427

Products:

PowerFlex® 527

CVSS Scores:

7.5, 8.7

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

Yes

More Details Less Details

Published Date: March 21, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: v3.1: 7.5/10, v4.0: 8.7/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in software version	Corrected in software version
PowerFlex® 527	v2.001.x <	n/a

SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 and 4.0 of the CVSS scoring system to assess the following security issues.

CVE-2024-2425 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. The web server would then crash and need a manual restart to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE – 120 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2024-2426 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527 due to improper input validation in the device. A disruption in the CIP communication could occur and a manual restart will be required by the user to recover it.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE – 120 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2024-2427 IMPACT

A denial-of-service security issue exists in the PowerFlex® 527. This is due to improper traffic throttling in the device. If multiple data packets are sent to the device repeatedly the device will crash and require a manual restart to recover.

CVSS Base Score 3.1: 7.5/10

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Base Score 4.0: 8.7/10

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CWE: CWE-400: Uncontrolled Resource Consumption

Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Mitigations and Workarounds

There is no fix currently for this issue. Customers using the affected software should use the risk mitigations and security best practices.

Implement network segmentation confirming the device is on an isolated network.
Disable the web server, if not needed. The web server is disabled by default. Disabling this feature is available in v2.001.x and later.
Security Best Practices

ADDITIONAL RESOURCES

Glossary

CIP Communication: Common Industrial Protocol (CIP) is a common communication standard that is widely used in industrial automation. Comprises a series of protocols for communication between different devices and systems in automation technology

Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations

Traffic Throttling: a method used to intentionally slow down internet speed or data transmission to manage network congestion and ensure fair usage among users

Medium

SD1663 | FactoryTalk® View ME on PanelView™ Plus 7 Boot Terminal lack Security Protections

Published Date:

March 21, 2024

Last Updated:

December 03, 2024

CVE IDs:

CVE-2024-21914

Products:

FactoryTalk® View ME

CVSS Scores (v3.1):

5.3

CVSS Scores (v4.0):

6.9

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: March 21, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: v3.1 5.3/10, v.4.0 6.9/10

The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency and all business environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

First Known in software version

Corrected in software version

FactoryTalk® View ME

<v14

V11

V12

V13

V14

SECURITY ISSUE DETAILS

Rockwell Automation used CVSS v3.1 and v4.0 scoring system to assess the following security issues.

CVE-2024-21914 IMPACT

A security issue exists in the affected product. This allows a threat actor to restart the PanelView™ Plus 7 terminal remotely without security protections. This could lead to the loss of view or control of the PanelView™ product.

CVSS 3.1 Base Score: 5.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 4.0 Base Score: 6.9

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CWE: Improper security protection for remote restart action

Known Exploited Vulnerability (KEV) database: No

Users can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Mitigations and Workarounds

Customers using the affected software that are unable to upgrade to the corrected versions should use security best practices.

Security Best Practices

ADDITIONAL RESOURCES

JSON CVE 2024-21914

Glossary

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Critical

SD1662 | FactoryTalk® Service Platform Elevated Privileges Vulnerability Through Web Service Functionality

Published Date:

February 14, 2024

Last Updated:

December 04, 2024

CVE IDs:

CVE-2024-21915

Products:

FactoryTalk® Service Platform

CVSS Scores (v3.1):

9.0

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Published Date: February 15, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: 9.0/10

The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency and all business environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in software version	Corrected in software version
FactoryTalk® Service Platform	<v2.74	Update to V2.74 or later

SECURITY ISSUE DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following security issues.

CVE-2024-21915 IMPACT

A privilege escalation security issue exists in FactoryTalk® Service Platform (FTSP). A threat actor with basic user group privileges could sign into the software and receive FTSP Administrator Group privileges. A threat actor could then read and modify sensitive data, delete data and render the FTSP system unavailable.

CVSS Base Score: 9.0
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:CC:H/I:H/A:H
CWE: CWE-279: Incorrect Execution-Assigned Permissions

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Mitigations and Workarounds

Customers using the affected software that cannot upgrade to the corrected versions should use mitigations and security best practices

Security Best Practices

ADDITIONAL RESOURCES

Glossary

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Privilege escalation: cyberattack technique where an attacker gains unauthorized access to higher-level privileges within a system, allowing them to perform actions that are typically restricted.

High

SD1661 | Denial-of-service Vulnerability in ControlLogix® and GuardLogix® Controllers

Published Date:

January 30, 2024

Last Updated:

November 20, 2024

CVE IDs:

CVE-2024 21916

Products:

ControlLogix® 5570, GuardLogix® 5570, ControlLogix® 5570 Redundancy

CVSS Scores (v3.1):

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Denial-of-service Vulnerability in ControlLogix® and GuardLogix® Controllers

Published Date: January 30, 2024

Last updated: 1.0

Revision Number: 1.0

CVSS Score: 8.6

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in Firmware	Corrected in Firmware
ControlLogix® 5570	20.011	v33.016, 34.013, 35.012, 36.011 and later
GuardLogix® 5570	20.011	v33.016, 34.013, 35.012, 36.011 and later
ControlLogix® 5570 Redundancy	20.054_kit1	v33.053_kit1, 34.052_kit1, 35.052_kit1, 36.051_kit1 and later

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024 21916 IMPACT

A denial-of-service vulnerability exists in the affected products, listed above. If exploited, the product could potentially experience a major nonrecoverable fault (MNRF). The device will restart itself to recover from the MNRF .

CVSS Base Score: 8.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CWE: Improper Restriction of Operations within the Bounds of a Memory Buffer

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

JSON CVE 2024 21916

Critical

SD1660 | FactoryTalk® Service Platform Service Token Vulnerability

Published Date:

January 30, 2024

Last Updated:

December 04, 2024

CVE IDs:

CVE-2024 21917

Products:

FactoryTalk® Service Platform

CVSS Scores (v3.1):

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: January 30, 2024

Revision History

Version 1.0 - March 5th, 2024 *Updated Mitigations and Workarounds

Version 1.1 - July 18, 2025 - Updated for readability

Revision Number: 1.1

CVSS Score: 9.8/10

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in software version	Corrected in software version
FactoryTalk® Service Platform	<= v6.31	v6.40 or later

SECURITY ISSUE DETAILS

Rockwell Automation used CVSS v3.1 scoring system to assess the following security issues.

CVE - 2024 21917 IMPACT

A security issue exists in the affected product. This allows a malicious user to obtain the service token and use it for authentication on another FactoryTalk® Service Platform (FTSP) directory. This is due to the lack of digital signing between the FTSP service token and directory. A threat actor could potentially retrieve user information and modify settings without any authentication.

CVSS Base Score: 9.8/10 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: 347 Improper Verification of Cryptographic Signature

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds

Customers using the affected software should use risk mitigations and our suggested security best practices to minimize the risks.

Customers updating to v6.40 or later should do one of the following steps:

Set the FactoryTalk Directory’s System Communications Type security policy to SOCKET.IO. This prevents FactoryTalk Services Platform from using the DCOM communication channel. When set to SOCKET.IO only v6.40, and later, FactoryTalk Directory clients can communicate with the FactoryTalk Directory server.
If the v6.40 (or later) FactoryTalk Directory server must support communication with legacy FactoryTalk Directory client versions, v6.31 and earlier,  System Communication Type setting should not be altered from AUTO or DCOM.
Instead, elevate DCOM Authentication Level to PACKET PRIVACY (‘6’). Please refer to Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com)

IMPORTANT! Two v 6.40 (or later) FactoryTalk Directory security policies can prevent legacy FactoryTalk Directory clients, v6.31 and earlier, from connecting with the FactoryTalk Directory server. Set both security policies Legacy to allow the connection.
The two security policies are the Service Token signature method and Encryption method.

Customers who are unable to update to v6.40 or later should apply the following:

Set DCOM authentication level to 6. This enables encryption of the service token and communication channel between the server and client. Please refer to Mitigating Microsoft DCOM Hardening Patch (CVE-2021-26414) for Affected Rockwell Automation Products (custhelp.com)
When it is not possible to update to v6.40 or later, enable verification of the publisher information (i.e., digital signature) of any executable attempting to use the FactoryTalk® Services APIs. This helps prevent a threat actor from calling the API to receive the service token. This setting can be changed from the Application Authorization node located within System Policies using the FactoryTalk® Administration Console application.
Security Best Practices

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

ADDITIONAL RESOURCES

JSON CVE 2024 21917

Glossary

Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

High

SD1659 | LP30/40/50 and BM40 Operator Interface Vulnerable to CODESYS Vulnerabilities

Published Date:

January 24, 2024

Last Updated:

December 01, 2024

CVE IDs:

CVE-2022-47378, CVE-2022-47379, CVE-2022-47380, CVE-2022-47381 , CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390, CVE-2022-47385 , CVE-2022-47392 , CVE-2022-47393

Products:

LP30 Operator Panel, LP40 Operator Panel, BM40 Operator Panel, LP50 Operator Panel

CVSS Scores (v3.1):

6.5, 8.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Published Date: January 25, 2024

Last updated: January 25, 2024

Revision Number: 1.0

CVSS Score: 8.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product (automated)	First Known in Software Revision	Corrected in Software Revision
LP30 Operator Panel	Codesys versions before V3.5.19.0	Codesys 3.5.19.2
LP40 Operator Panel	Codesys versions before V3.5.19.0	Codesys 3.5.19.2
BM40 Operator Panel	Codesys versions before V3.5.19.0	Codesys 3.5.19.2
LP50 Operator Panel	Codesys versions before V3.5.19.0	Codesys 3.5.19.2

VULNERABILITY DETAILS

The CODESYS Control runtime system is utilized in the affected ASEM™ (A Rockwell Automation Company) products and enables embedded or PC-based devices to be programmable industrial controllers. Such products contain communication servers for the CODESYS protocol to enable communication with clients like the CODESYS Development System.

These products have the following vulnerabilities:

CVE-2022-47378 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-1288: Improper Validation of Consistency within Input

After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpFiletransfer component to read internally from an invalid address, potentially leading to a denial-of-service condition.

CVE-2022-47379 IMPACT

CVSS Base Score: 8.8/10 (High)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-787: Out-of-bounds Write

After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to memory, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47380, CVE-2022-47381 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

After successful authentication, specifically crafted communication requests can cause the CmpApp component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47382, CVE-2022-47383, CVE-2022-47384, CVE-2022-47386, CVE-2022-47387, CVE-2022-47388, CVE-2022-47389, CVE-2022-47390 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

After successful authentication, specifically crafted communication requests can cause the CmpTraceMgr

component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47385 IMPACT

CVSS Base Score: 8.8/10 (High)

CWE-121: Stack-based Buffer Overflow

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

After successful authentication, specifically crafted communication requests can cause the CmpAppForce

component to write threat actor-controlled data to stack, which can lead to a denial-of-service condition, memory overwriting, or remote code execution.

CVE-2022-47392 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CWE-1288: Improper Validation of Consistency within Input

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

After successful authentication, specifically crafted communication requests with inconsistent content can cause the CmpApp/CmpAppBP/CmpAppForce components to read internally from an invalid address, potentially leading to a denial-of-service condition.

CVE-2022-47393 IMPACT

CVSS Base Score: 6.5/10 (Medium)

CWE-822: Untrusted Pointer Dereference

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

After successful authentication, specifically crafted communication requests can cause the cmpFiletransfer component to dereference addresses provided by the request for internal read access, which can lead to a denial-of-service situation.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Upgrade to CODESYS version 3.5.19.2 which has been released to mitigate these issues.
Additionally, we encourage the customer to implement our suggested security best practices to minimize risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

CODESYS Advisory

High

SD1658 | SD1658 | SIS Workstation and ISaGRAF Workbench Code Execution and Privilege Escalation

Published Date:

November 15, 2023

Last Updated:

November 15, 2023

CVE IDs:

CVE-2015-9268

Products:

Safety Instrumented System Workstation, ISaGRAF® Workbench

CVSS Scores:

7.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Published Date: November 14, 2023

Last updated: November 14, 2023

Revision Number: 1.0

CVSS Score: 7.8/10

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First Known in Software Version	Corrected in Software Version
Safety Instrumented System Workstation	<= v1.2	v2.00 and later
ISaGRAF® Workbench	<= v6.6.9	v6.06.10 and later

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2015-9268 IMPACT

Due to the third-party vulnerabilities in Nullsoft Scriptable Install System (NSIS), the SIS Workstation and ISaGRAF® Workbench installer and uninstaller have unsafe implicit linking against Version.dll. Therefore, there is no protection mechanism in the wrapper function that resolves the dependency at an appropriate time during runtime. Also, the SIS workstation and ISaGRAF® Workbench uninstaller uses temporary folder locations that allow unprivileged local users to overwrite files. This allows a local attack in which the uninstaller can be replaced by a malicious program.

CVSS Base Score: 7.8/10

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: Improper Input Validation

Known Exploited Vulnerability (KEV) database:

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Security Best Practices

ADDITIONAL RESOURCES

CVE-2015-9268 JSON

Critical

SD1657 | FactoryTalk® Activation Contains Wibu CodeMeter Vulnerabilities

Published Date:

November 15, 2023

Last Updated:

November 19, 2024

CVE IDs:

CVE-2023-38545, CVE-2023-3935

Products:

FactoryTalk Activation Manager

CVSS Scores (v3.1):

7.9, 9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Published Date: November 14, 2023

Last updated: November 14, 2023

Revision Number: 1.0

CVSS Score: 7.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product (automated)	First Known in Software Version	Corrected in Software Version
FactoryTalk Activation Manager	V4.00 (Utilizes Wibu-Systems CodeMeter <7.60c)	5.01

VULNERABILITY DETAILS

Rockwell Automation used version 3.1 of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-38545 IMPACT

Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer uses the affected Wibu-Systems’ products which internally use the libcurl in a version that is vulnerable to a buffer overflow attack if curl is configured to redirect traffic through a SOCKS5 proxy. A malicious proxy can exploit a bug in the implemented handshake to cause a buffer overflow. If no SOCKS5 proxy has been configured, there is no attack surface.

CVSS Base Score: 7.9

CVSS Vector: CVSS:3.1/ AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

CVE-2023-3935 IMPACT

Rockwell Automation FactoryTalk Activation Manager and Studio 5000 Logix Designer uses the affected Wibu-Systems’ products which contain a heap buffer overflow vulnerability in Wibu CodeMeter Runtime network service up to version 7.60b that allows an unauthenticated, remote attacker to achieve RCE and gain full access of the host system.

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Upgrade to FactoryTalk Activation Manager 5.01 which has been patched to mitigate these issues (Available versions here, search "activation")
For information on how to mitigate Security Risks on industrial automation control systems Additionally, we encourage the customer to implement our suggested security best practices to minimize risk of the vulnerability.

ADDITIONAL RESOURCES

High

PN1656 | FactoryTalk® View Site Edition Vulnerable to Improper Input Validation

Published Date:

October 31, 2023

Last Updated:

December 10, 2024

CVE IDs:

CVE-2023-46289

Products:

FactoryTalk® View Site Edition

CVSS Scores (v3.1):

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 26, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

Affected Products

Affected Product	First Known in Software Version	Corrected in Software Version
FactoryTalk® View Site Edition	V11.0	v11.0 & v12.0 & v13.0 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-46289 IMPACT
The affected product insufficiently validates user input, which could potentially allow threat actors to send malicious data bringing the product offline. If exploited, the product would become unavailable and require a restart to recover resulting in a denial-of-service condition.

CVSS Base Score: 7.5/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-20: Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Install the patch that remediates the issue: BF29581 - Patch: External Service Interaction (HTTP), FactoryTalk View SE 11.0, 12.0 13.0.
QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

CVE-2023-46289 JSON

High

PN1655 | FactoryTalk® Services Platform Elevated Privileges Vulnerability

Published Date:

October 31, 2023

Last Updated:

December 10, 2024

CVE IDs:

CVE-2023-46290

Products:

FactoryTalk® Services Platform

CVSS Scores (v3.1):

8.1

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 26, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier. This vulnerability was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments.

Affected Products

Affected Product	First Known in Software Version	Corrected in Software Version
FactoryTalk® Services Platform	v2.74	V2.80 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-46290 IMPACT
Due to inadequate code logic, a previously unauthenticated threat actor could potentially obtain a local Windows OS user token through the FactoryTalk® Services Platform web service and then use the token to log in into FactoryTalk® Services Platform . This vulnerability can only be exploited if the authorized user did not previously log in into the FactoryTalk® Services Platform web service.

CVSS Base Score: 8.1/10 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Install the respective FactoryTalk Services Version that remediates the issue.
QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

CVE-2023-46290 JSON

High

PN1654 | Arena® Simulation Buffer Overflow Vulnerabilities

Published Date:

October 31, 2023

Last Updated:

December 10, 2024

CVE IDs:

CVE-2023-27854, CVE-2023-27858

Products:

Arena® Simulation Software

CVSS Scores (v3.1):

7.8

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 27, 2023

Affected Products

Affected Product (automated)	First Known in Software Version	Corrected in Software Version
Arena® Simulation Software	V16.00	16.20.02

Vulnerability Details

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-27854 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow. The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product. The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-125 Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

CVE-2023-27858 IMPACT
An arbitrary code execution vulnerability could potentially allow a malicious user to commit unauthorized code to the software by using a uninitialized pointer in the application. The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product. The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Upgrade to 16.20.02 which has been patched to mitigate these issues, by referencing BF29820 - Patch: ZDI Security Patch & Windows 11 updates , Arena 16.2.
Implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.

Additional Resources

Critical

PN1653 | Stratix® 5800 and 5200 vulnerable to Cisco IOS XE Web UI Privilege Escalation (Active Exploit)

Published Date:

October 18, 2023

Last Updated:

December 10, 2024

CVE IDs:

CVE-2023-20198

Products:

Stratix® 5200, Stratix® 5800

CVSS Scores (v3.1):

7.2, 10

Known Exploited Vulnerability (KEV):

Yes

Corrected:

Yes

Workaround:

No

More Details Less Details

Published Date: 10/17/2023
Last updated: 02/14/2024
Revision Number: 2.0
Revision History: Updated Corrected in firmware revision
CVSS Score: 10/10

Rockwell Automation is aware of an actively exploited zero-day vulnerability affecting the Stratix® 5800 and the newly released Stratix® 5200 product. This vulnerability was reported by Cisco on October 16, 2023 and additional information can be found in their original disclosure. As of the time of publication, no patch is available for this vulnerability and multiple cases of active exploitation have been observed. While Rockwell Automation has no evidence of active exploitation against the Stratix® product line, this vulnerability was discovered by Cisco Talos during an incident response for a Cisco customer. This advisory will be updated, as remediation steps become available.

REVISION 1.1 UPDATE

Since publication of the original disclosure, the exploit code has become publicly available. Availability of exploit code reduces the technical barriers for threat actors to target the affected devices. Rockwell Automation has no evidence of active exploitation against the Stratix® product line currently. This advisory has been updated to include specific steps to take to create access control measures utilizing the Web UI. Rockwell Automation strongly encourages customers to follow the mitigation guidelines.

REVISION 2.0 UPDATE

Rockwell Automation has released a software update that remediates the vulnerabilities in the affected products. We strongly recommend customers update to the corrected firmware revision as soon as possible.

AFFECTED PRODUCTS AND SOLUTION

Affected Product	First known in firmware revision	Corrected in Firmware Revision
Stratix® 5200, 5800	All versions running Cisco IOS XE Software with the Web UI feature enabled	17.12.02

VULNERABILITY DETAILS

CVE-2023-20198 IMPACT

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability allows a remote, unauthenticated threat actor to create an account on a vulnerable system with privilege level 15 access. The threat actor could then potentially use that account to gain control of the affected system.

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 10/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Known Exploited Vulnerability (KEV) database: Yes

CVE-2023-20273 IMPACT

Rockwell Automation is aware of active exploitation of a previously unknown vulnerability in the Web UI feature of Cisco IOS XE Software when exposed to the internet or to untrusted networks. This vulnerability could allow an authenticated, remote threat actor to inject commands with the privileges of root. This vulnerability is due to insufficient input validation. A threat actor could exploit this vulnerability by sending crafted input to the web UI. A successful exploit could allow the threat actor to inject commands to the underlying operating system with root privileges.

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 7.2/10 (high)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Known Exploited Vulnerability (KEV) database: Yes

Mitigations and Workarounds

Rockwell strongly encourages customers to follow guidance disabling Stratix® HTTP servers on all internet-facing systems.

To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.
Cisco Talos has provided Indicators of Compromise and Snort rules that can be found here.

REVISION 1.1 UPDATE

Access Control Lists should be enabled to only allow specific IP addresses to access the Web UI of the device. Detailed instructions on how to create the Access Control List is in QA67053.
When implementing access controls for these services, be sure to review the controls because there is the potential for an interruption in production services.

ADDITIONAL RESOURCES

High

PN1652 | PN1652 | FactoryTalk® Linx Vulnerable to Denial-of-Service and Information Disclosure

Published Date:

October 17, 2023

Last Updated:

October 17, 2023

CVE IDs:

CVE-2023-29464

Products:

FactoryTalk® Linx

CVSS Scores:

8.2

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 12, 2023

Affected Products

Affected Product	First Known in Revision	Corrected in Revision
FactoryTalk® Linx	v6.20	v6.20 & v6.30 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. Rockwell Automation would like to thank Yuval Gordon, CPS Research, Microsoft Threat Intelligence Community for reporting this vulnerability to us.

CVE-2023-29464 IMPACT

FactoryTalk Linx, in the Rockwell Automation PanelView™ Plus, allows an unauthenticated threat actor to read data from memory via crafted malicious packets. Sending a size larger than the buffer size results in leakage of data from memory resulting in an information disclosure. If the size is large enough, it causes communications over the common industrial protocol to become unresponsive to any type of packet, resulting in a denial-of-service to FactoryTalk® Linx over the common industrial protocol.

CVSS Base Score: 8.2/10 (high)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CWE: 20 – Improper Input Validation

Risk Mitigation & User Action

Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Install the security patches for the respective versions, referencing BF29637 - Patch: Hardening of the FactoryTalk Linx communications service for MobileView to authenticate and block improperly sized files, FactoryTalk Linx 6.20, 6.30.
QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

JSON CVE-2023-29464

Critical

PN1649 | PN1649 | Select Logix Communication Modules Vulnerable to Email Object Buffer Overflow

Published Date:

October 09, 2023

Last Updated:

October 09, 2023

CVE IDs:

CVE-2023-2262

Products:

ControlLogix Communication - Ethernet/IP

CVSS Scores:

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving their business or production environments. This vulnerability is not related to PN1633 - Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules .

Affected Products

Affected Catalog	Series	Affected Firmware Version	Corrected in Firmware Version
1756-EN2T 1756-EN2TK 1756-EN2TXT	A, B, C	<=5.008 and 5.028	Update to 5.009 and 5.029 or later
1756-EN2T 1756-EN2TK 1756-EN2TXT	D	<=11.002	Update to >=11.003 or later
1756-EN2TP 1756-EN2TPK 1756-EN2TPXT	A	<=11.002	Update to >=11.003 or later
1756-EN2TR 1756-EN2TRK 1756-EN2TRXT	A, B	<=5.008 and 5.028	Update to 5.009 and 5.029 or later
1756-EN2TR 1756-EN2TRK 1756-EN2TRXT	C	<=11.002	Update to >=11.003 or later
1756-EN2F 1756-EN2FK	A, B	<=5.008 and 5.028	Update to 5.009 and 5.029 or later
1756-EN2F 1756-EN2FK	C	<=11.002	Update to >=11.003 or later
1756-EN3TR 1756-EN3TRK	A	<=5.008 and 5.028	Update to 5.009 and 5.029 or later
1756-EN3TR 1756-EN3TRK	B	<=11.002	Update to >=11.003 or later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2262 IMPACT
A buffer overflow vulnerability exists in select communication devices. If exploited, a threat actor could potentially leverage this vulnerability to perform a remote code execution. To exploit this vulnerability, a threat actor would have to send a maliciously crafted CIP request to device.

CVSS Base Score: 9.8/10
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121: Stack-based Buffer Overflow

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Restrict traffic to the SMTP port (25), if not needed.
Customers using the EN2/EN3 versions 10.x and higher can disable the email object, if not needed. Instructions can be found in the EtherNet/IP Network Devices User Manual (rockwellautomation.com), publication ENET-UM006.
QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

Critical

PN1648 | PN1648 | Connected Components Workbench™ Vulnerable to CefSharp Vulnerabilities

Published Date:

October 05, 2023

Last Updated:

October 05, 2023

CVE IDs:

CVE-2020-16017, CVE-2022-0609, CVE-2020-16009, CVE-2020-16013, CVE-2020-15999

Products:

Connected Components Workbench (CCW)

CVSS Scores:

9.6, 8.8, 8.8, 8.8, 6.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

Affected Products

Affected Product	Affected Versions	Corrected in Software Version
Connected Components Workbench™ (CCW)	Versions Prior to R21	R21 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2020-16017 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Google Chrome versions before 86.0.4240.198. If exploited, a remote threat actor could potentially perform a sandbox escape via a crafted HTML page.

CVSS Base Score: 9.6/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: 416 – Use After Free

Known Exploited Vulnerability (KEV) database: Yes

CVE-2022-0609 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a use after free vulnerability in Animation within Google Chrome before 98.0.4758.102. This vulnerability could potentially allow a remote threat actor to exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 416 – Use After Free

Known Exploited Vulnerability (KEV) database: Yes

CVE-2020-16009 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.18. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write & 843 Access of Resource Using Incompatible Type (‘Type Confusion”)

Known Exploited Vulnerability (KEV) database: Yes

CVE-2020-16013 IMPACT
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains an inappropriate implementation in V8 of Google Chrome before 86.0.4240.198. This vulnerability allows a remote threat actor to potentially exploit heap corruption via a crafted HTML page.

CVSS Base Score: 8.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: Yes

CVE-2020-15999
Connected Components Workbench utilizes CefSharp version 81.3.100 that contains a heap buffer overflow vulnerability in Freetype within Google Chrome before 86.0.4240.111. This vulnerability could allow a remote threat actor to potentially exploit heap corruption via a crafted HTML.

CVSS Base Score: 6.5/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: 787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: Yes

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Upgrade to version 21 or later.
QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

Critical

PN1647 | PN1647 | PanelView™ 800 Vulnerable to CVE-2017-12652

Published Date:

October 05, 2023

Last Updated:

October 05, 2023

CVE IDs:

CVE-2017-12652

Products:

PanelView 800, PanelView Component Refresh (PanelView 800)

CVSS Scores:

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - September 19, 2023

Executive Summary

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

Affected Products

Affected Product	First Known in firmware revision	Corrected in firmware revision
2711R-T10T	v3.011	v6.011
2711R-T7T
2711R-T4T

Vulnerability Details

An input/output validation vulnerability exists in a third-party component that the PanelView™ 800 utilizes. Libpng, which is PNG’s reference library, version 1.6.32 and earlier does not properly check the length of chunks against the user limit. Libpng versions prior to 1.6.32 are susceptible to a vulnerability which, when successfully exploited, could potentially lead to a disclosure of sensitive information, addition or modification of data, or a denial-of-service condition.
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVSS Base Score: 9.8/10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 – Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Update to v6.011 or later that mitigates the issue.
Implement QA43240 - Recommended Security Guidelines from Rockwell Automation.

Additional Resources

JSON CVE- 2017-12652

Medium

PN1646 | PN1646 | KEPServer Enterprise Vulnerable to Multiple Vulnerabilities

Published Date:

October 05, 2023

Last Updated:

October 05, 2023

CVE IDs:

CVE 2023-29444, CVE 2023-29445, CVE 2023-29446, CVE 2023-29447

Products:

KEPServe Enterprise

CVSS Scores:

6.3, 6.3, 4.7, 5.7

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.0 – September 12, 2023

Affected Products

Affected Product	First Known in Software Version	Corrected in Software Version
KEPServer Enterprise	v11.00	Expected November 2023

Vulnerability Details

Rockwell Automation was notified by CISA of vulnerabilities discovered in Kepware® KEPServerEX (also known as PTC ThingWorx Industrial Connectivity), which affects Rockwell Automation’s KEPServer Enterprise product. Successful exploitation of these vulnerabilities could allow a threat actor to gain elevated privileges, execute arbitrary code, and obtain server hashes and credentials.

CVE 2023-29444 KEPServer Enterprise Uncontrolled Search Path Element
The installer application of KEPServerEX is vulnerable to DLL search order hijacking. This could allow an adversary to repackage the installer with a malicious DLL and trick users into installing the trojanized software. Successful exploitation could lead to code execution with administrator privileges.

CVSS Base Score: 6.3 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-427: Uncontrolled Search Path Element

CVE 2023-29445 KEPServer Enterprise Uncontrolled Search Path Element
KEPServerEX binary is vulnerable to DLL search order hijacking. A locally authenticated adversary could escalate privileges to administrator by planting a malicious DLL in a specific directory.

CVSS Base Score: 6.3 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
CWE-427: Uncontrolled Search Path Element

CVE 2023-29446 KEPServer Enterprise Improper Input Validation
KEPServerEx is vulnerable to UNC path injection via a malicious project file. By tricking a user into loading a project file and clicking a specific button in the GUI, an adversary could obtain Windows user NTLMv2 hashes, and crack them offline.

CVSS Base Score: 4.7 /10 (Medium)
CVSS 3.1 Vector String: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-20: Improper Input Validation

CVE 2023-29447 KEPServer Enterprise Insufficiently Protected Credentials
The KEPServerEX Configuration web server uses basic authentication to protect user credentials. An adversary could perform a man-in-the-middle (MitM) attack via ARP spoofing to obtain the web server's plaintext credentials.

CVSS Base Score: 5.7 /10 (Medium)
CVSS 3.1 Vector String: AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE-522: Insufficiently Protected Credentials

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected versions are encouraged to apply the risk mitigations below and implement our suggested security best practices to minimize risk of this vulnerability in their environments.

Users should follow the directions in PTC’s secure configuration documentation.
Implement QA43240 - Recommended Security Guidelines from Rockwell Automation.

Additional Resources

Critical

PN1645 | PN1645 | FactoryTalk View Machine Edition Vulnerable to Remote Code Execution

Published Date:

October 05, 2023

Last Updated:

October 05, 2023

CVE IDs:

CVE-2023-2071

Products:

FactoryTalk View Machine Edition

CVSS Scores:

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – September 12, 2023

Affected Products

Affected Product	First Known in Revision	Corrected in Revision
FactoryTalk View Machine Edition	v12.0	v12.0 & v13.0 patch

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. Rockwell Automation would like to thank Yuval Gordon, CPS Research, and the Microsoft Threat Intelligence Community for reporting this vulnerability to us.

CVE-2023-2071 IMPACT

FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to achieve remote code executed via crafted malicious packets. The device has the functionality, through a CIP class, to execute exported functions from libraries. There is a routine that restricts it to execute specific functions from two dynamic link library files. By using a CIP class, an attacker can upload a self-made library to the device which allows the attacker to bypass the security check and execute any code written in the function.

CVSS Base Score: 9.8/10 (high)
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: 20 – Improper Input Validation

Risk Mitigation & User Action

Customers using the affected versions are encouraged to upgrade to corrected firmware revisions. We also strongly encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Install the security patches for the respective versions referencing BF29493 - Patch: FactoryTalk Linx CIP Vulnerability issue, FactoryTalk View ME 12.0, 13.0.
QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

High

PN1642 | PN1642 | Pavilion8® Security Misconfiguration Vulnerability

Published Date:

October 05, 2023

Last Updated:

October 05, 2023

CVE IDs:

CVE-2023-29463

Products:

ControlLogix Communications - Ethernet/IP

CVSS Scores:

8.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – September 12, 2023

Affected Products

Affected Product	First Known in Software Version	Corrected in Software Version
Pavilion8®	v5.17	v5.20

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-29463 IMPACT

The JMX Console within the Pavilion is exposed to application users and does not require authentication. If exploited, a malicious user could potentially retrieve other application users’ session data and or log users out of their session.

CVSS Base Score: 8.8/10
CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: 287- Improper Authentication

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Update to v5.20
QA43240 - Recommended Security Guidelines from Rockwell Automation

If customers are unable to update to v5.20, please follow the instructions below to disable the vulnerability in v5.17.

Open the web.xml file in your Pavilion8® installation folder set during installation and go to Console\container\webapps\ROOT\WEB-INF, by default this would be under C:\Pavilion\Console\container\webapps\ROOT\WEB-INF.
Search for the text jmx-console-action-handler and delete the below lines from web.xml file:

<servlet>
<servlet-name>jmx-console-action-handler</servlet-name>
<servlet-class>com.pav.jboss.jmx.HtmlAdaptorServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>jmx-console-action-handler</servlet-name>
<url-pattern>/jmx-console/HtmlAdaptor</url-pattern>
</servlet-mapping>
Save the changes and close the file.
Restart Pavilion8® Console Service.
Logout and log back into the console and navigate to the URL http:// <FQDN>/jmx-console to confirm you are getting the error message HTTP Status 404 – Not Found.

Note: <FQDN> is your fully qualified domain name used for the Console login.

Additional Resources

CVE-2023-29463 JSON

High

PN1639 | PN1639 | Select Distributed I/O Communication Modules vulnerable to a Denial-of-Service Vulnerability

Published Date:

August 23, 2023

Last Updated:

August 23, 2023

CVE IDs:

CVE-2022-1737

Products:

1732E-OB16M12DR Series B, 1732E-IB16M12R Series B, 1734-AENTR , 1732E-OB16M12R Series B, 1732E-IB16M12DR Series B, 1732E-8X8M12DR Series B, 1738-AENTR Series A , 1732E-12X4M12P5QCDR Series A, 1732E-12X4M12QCDR Series A, 1732E-16CFGM12QCR Series A, 1734-AENT, 1732E-12X4M12QCDR Series A, 1732E-16CFGM12P5QCR Series A, 1732E-16CFGM12R Series B, 1799ER-IQ10XOQ10 Series B, 1732E-16CFGM12P5QCWR Series B, 1732E-16CFGM12QCWR Series A

CVSS Scores:

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – August 23, 2023

Affected Products

Affected Product	First Known in Firmware Version	Corrected in Firmware Version
1734-AENT/1734-AENTR Series C	<=7.011	7.013
1734-AENT/1734-AENTR Series B	<=5.019	5.021
1738-AENT/ 1738-AENTR Series B	<=6.011	6.013
1794-AENTR Series A	<=2.011	2.012
1732E-16CFGM12QCWR Series A	<=3.011	3.012
1732E-12X4M12QCDR Series A	<=3.011	3.012
1732E-16CFGM12QCR Series A	<=3.011	3.012
1732E-16CFGM12P5QCR Series A	<=3.011	3.012
1732E-12X4M12P5QCDR Series A	<=3.011	3.012
1732E-16CFGM12P5QCWR Series B	<=3.011	3.012
1732E-IB16M12R Series B	<=3.011	3.012
1732E-OB16M12R Series B	<=3.011	3.012
1732E-16CFGM12R Series B	<=3.011	3.012
1732E-IB16M12DR Series B	<=3.011	3.012
1732E-OB16M12DR Series B	<=3.011	3.012
1732E-8X8M12DR Series B	<=3.011	3.012
1799ER-IQ10XOQ10 Series B	<=3.011	3.012

Vulnerability Details

This issue was reported to Rockwell Automation by the Cybersecurity and Infrastructure Security Agency. The affected devices utilize the Pyramid Solutions EtherNet/IP Adapter kit and are could potentially be affected by the vulnerability.

CVE-2022-1737 IMPACT
Pyramid Solutions' affected products, the Developer and DLL kits for EtherNet/IP Adapter and EtherNet/IP Scanner may be vulnerable to an out-of-bounds write, which may allow an unauthorized threat actor to send a specially crafted packet that may result in a denial-of-service condition.

CVSS Base Score: 8.6
 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
 CWE: CWE-787 Out-of-Bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible. Additionally, we encourage our customers to implement our suggested security best practices to minimize the risk of vulnerability.

Customers should upgrade to the corrected firmware to mitigate the issues.
QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

CVE-2022-1737 JSON

Critical

PN1638 | PN1638 | ThinManager® ThinServer™ Input Validation Vulnerabilities

Published Date:

August 17, 2023

Last Updated:

August 17, 2023

CVE IDs:

CVE-2023-2917, CVE-2023-2914, CVE-2023-2915

Products:

ThinManager ThinServer Input Validation Vulnerabilities

CVSS Scores:

7.5, 9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – August 17, 2023

Affected Products

Affected Product	Vulnerability	First Known in Software Versions	Corrected in Software Versions
ThinManager® ThinServer™	CVE-2023-2914 CVE-2023-2915 CVE-2023-2917	11.0.0-11.2.6 11.1.0-11.1.6 11.2.0-11.2.6 12.0.0-12.0.5 12.1.0-12.1.6 13.0.0-13.0.2 13.1.0	11.0.7 11.1.7 11.2.8 12.0.6 12.1.7 13.0.3 13.1.1

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. This vulnerability was discovered and reported to Rockwell Automation by security researchers at Tenable Network Security.

CVE-2023-2914 IMPACT
Due to improper input validation, an integer overflow condition exists in the affected products. When the ThinManager processes incoming messages, a read access violation occurs and terminates the process. A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message.

CVSS Base Score: 7.5/10
 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 CWE: 20 Improper Input Validation

CVE-2023-2915 IMPACT
Due to improper input validation, a path traversal vulnerability exists when the ThinManager processes a certain function. If exploited, an unauthenticated remote threat actor can delete arbitrary files with system privileges. A malicious user could exploit this vulnerability by sending a specifically crafted synchronization protocol message.

CVSS Base Score: 7.5/10
 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 CWE: 20 Improper Input Validation

CVE-2023-2917 IMPACT
Due to improper input validation, a path traversal vulnerability exists, via the file name field, when the ThinManager processes a certain function. If exploited, an unauthenticated remote attacker can upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message.

CVSS Base Score: 9.8/10
 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 CWE: 20 Improper Input Validation

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the risk of vulnerability.

Update to the corrected software versions.
Limit remote access for TCP Port 2031 to known thin clients and ThinManager servers.
QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

High

PN1637 | PN1637 | Armor ™ PowerFlex ® Critical Fault Vulnerability

Published Date:

August 08, 2023

Last Updated:

August 08, 2023

CVE IDs:

CVE-2023-2423

Products:

Armor PowerFlex Critical Fault

CVSS Scores:

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – August 8, 2023

Affected Products

Affected Product	First Known in Firmware Revision	Corrected in Firmware Revision
Armor™ PowerFlex®	1.003	2.001 or later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2423 IMPACT
A vulnerability was discovered in Armor™ PowerFlex® when the product sends communications to the local event log. Threat actors could exploit this vulnerability by sending an influx of network commands, causing the product to generate an influx of event log traffic at a high rate. If exploited, the product would stop normal operations and self-reset. The error code would need to be cleared prior to resuming normal operations.

CVSS Base Score: 8.6
 CVSS Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 CWE: CWE- 682 Incorrect Calculation

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected versions are encouraged to apply the below risk mitigations and implement our suggested security best practices to minimize risk of this vulnerability in their environments.

Update to the latest version of Armor™ PowerFlex® (2.001 or later).
Implement QA43240 - Recommended Security Guidelines from Rockwell Automation.

Additional Resources

JSON CVE-2023-2423

High

PN1634 | PN1634 | Kinetix® 5700 DC Bus Power Supply Series A – CIP Message Attack Could Cause Denial-Of-Service

Published Date:

July 18, 2023

Last Updated:

July 18, 2023

CVE IDs:

CVE-2023-2263

Products:

2198 Kinetix 5700 Drive

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – July 18, 2023

Affected Products

Affected Product	First Known in Firmware Revision	Corrected in Firmware Revision
Kinetix® 5700 DC Bus Power Supply – Series A	V13.001	V13.003

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2263 IMPACT
The Kinetix 5700 DC Bus Power Supply Series A is vulnerable to CIP fuzzing. The new ENIP connections cannot be established if impacted by this vulnerability, which prohibits operational capabilities of the device resulting in a denial-of-service attack.

CVSS Base Score: 7.5
 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 CWE: CWE-400: Uncontrolled Resource Consumption

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible.

Upgrade to V13.003 or later which has been patched to mitigate these issues.
For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
- System Security Design Guidelines Reference Manual publication, SECURE-RM001
- Configure System Security Features User Manual, SECURE-UM001
Additionally, we encourage the customer to implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.

Additional Resources

CVE-2023-2263 JSON

High

PN1635 | PN1635 | ThinManager® ThinServer™ Path Traversal Vulnerability

Published Date:

July 18, 2023

Last Updated:

July 18, 2023

CVE IDs:

CVE-2023-2913

Products:

ThinManager

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – July 18, 2023

Affected Products

Affected Product	First Known in software version	Corrected in software version
ThinManager® ThinServer™	13.0.0 - 13.0.2 13.1.0	13.0.3 or later 13.1.1 or later

Vulnerability Details

A vulnerability was discovered by Security Researchers at Flashpoint.io and reported to Rockwell Automation. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2913 IMPACT
An executable used in the affected products can be configured to enable an API feature in the HTTPS Server Settings. This feature is disabled by default. When the API is enabled and handling requests, a path traversal vulnerability exists that allows a remote actor to leverage the privileges of the server’s file system and read arbitrary files stored in it. A malicious user could exploit this vulnerability by executing a path that contains manipulating variables.

CVSS Base Score: 7.5
 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
 CWE-23 Relative Path Traversal

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible. Additionally, we encourage customers to implement our suggested security best practices to minimize the potential risk of vulnerability.

Update to the corrected software versions.
Disable the API feature and use a service account with appropriate access for the application.
QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

High

PN1633 | PN1633 | Remote Code Execution and Denial-of-Service Vulnerabilities in Select Communication Modules

Published Date:

July 12, 2023

Last Updated:

July 12, 2023

CVE IDs:

CVE-2023-3596, CVE-2023-3595

Products:

Comms Modules

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – July 12, 2023

Executive Summary

Rockwell Automation, in coordination with the U.S. government, has analyzed a novel exploit capability attributed to Advance Persistent Threat (APT) actors affecting select communication modules. We are not aware of current exploitation leveraging this capability, and intended victimization remains unclear. Previous threat actors cyberactivity involving industrial systems suggests a high likelihood that these capabilities were developed with an intent to target critical infrastructure and that victim scope could include international customers. Threat activity is subject to change and customers using affected products could face serious risk if exposed.

Rockwell Automation has provided patches for all affected products, including hardware series that were out of support. Detection rules have also been provided.

Exploitation of these vulnerabilities could allow malicious actors to gain remote access of the running memory of the module and perform malicious activity, such as manipulating the module’s firmware, inserting new functionality into the module, wiping the module’s memory, falsifying traffic to/from the module, establishing persistence on the module, and potentially affect the underlying industrial process. This could result in destructive actions where vulnerable modules are installed, including critical infrastructure.

Customers using the affected products are strongly encouraged to evaluate and implement the mitigations provided below. Additional details relating to the discovered vulnerabilities, including the products in scope, impact, and recommended countermeasures, are provided below.

Affected Products

Catalog	Series	Versions
1756-EN2T 1756-EN2TK 1756-EN2TXT	A,B,C	<=5.008 & 5.028
1756-EN2T 1756-EN2TK 1756-EN2TXT	D	<=11.003
1756-EN2TP 1756-EN2TPK 1756-EN2TPXT	A	<=11.003
1756-EN2TR 1756-EN2TRK 1756-EN2TRXT	A, B	<=5.008 & 5.028
1756-EN2TR 1756-EN2TRK 1756-EN2TRXT	C	<=11.003
1756-EN2F 1756-EN2FK	A, B	<=5.008 & 5.028
1756-EN2F 1756-EN2FK	C	<=11.003
1756-EN3TR 1756-EN3TRK	A	<=5.008 & 5.028
1756-EN3TR 1756-EN3TRK	B	<=11.003
1756-EN4TR 1756-EN4TRK 1756-EN4TRXT	A	<=5.001

Vulnerability Details

CVE-2023-3595
Where this vulnerability exists in the 1756 EN2* and 1756 EN3* products, it could allow a malicious user to perform remote code execution with persistence on the target system through maliciously crafted CIP messages. This includes the ability to modify, deny, and exfiltrate data passing through the device.

CVSS score: 9.8/10 (Critical)
 CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
 CWE-787: Out-of-bounds Write

CVE-2023-3596
Where this vulnerability exists in the 1756-EN4* products, it could allow a malicious user to cause a denial of service by asserting the target system through maliciously crafted CIP messages.

CVSS Score: 7.5/10 (High)
 CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 CWE-787: Out-of-bounds Write

Risk Mitigation & User Action

These vulnerabilities can be addressed by performing a standard firmware update. Customers are strongly encouraged to implement the risk mitigations provided below and to the extent possible, to combine these with the QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.

Catalog	Series	Affected Versions	Remediations
1756-EN2T 1756-EN2TK 1756-EN2TXT	A,B,C	<=5.008 & 5.028	Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions.
1756-EN2T 1756-EN2TK 1756-EN2TXT	D	<=11.003	Update to 11.004 or later
1756-EN2TP 1756-EN2TPK 1756-EN2TPXT	A	<=11.003	Update to 11.004 or later
1756-EN2TR 1756-EN2TRK 1756-EN2TRXT	A, B	<=5.008 & 5.028	Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions.
1756-EN2TR 1756-EN2TRK 1756-EN2TRXT	C	<=11.003	Update to 11.004 or later
1756-EN2F 1756-EN2FK	A, B	<=5.008 & 5.028	Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions.
1756-EN2F 1756-EN2FK	C	<=11.003	Update to 11.004 or later
1756-EN3TR 1756-EN3TRK	A	<=5.008 & 5.028	Update to 5.029 or later for signed versions (**recommended). Update to 5.009 for unsigned versions.
1756-EN3TR 1756-EN3TRK	B	<=11.003	Update to 11.004 or later
1756-EN4TR 1756-EN4TRK 1756-EN4TRXT	A	<=5.001	Update to 5.002 or later

** Rockwell Automation strongly recommends updating to signed firmware if possible. Once the module is updated to signed firmware (example 5.008 to 5.029), it is not possible to revert to unsigned firmware versions.

Mitigations

Organizations should take the following actions to further secure ControlLogix communications modules from exploitation.

Update firmware. Update EN2* ControlLogix communications modules to firmware revision 11.004 and update EN4* ControlLogix communications modules to firmware revision 5.002.
Properly segment networks. Given a cyber actor would require network connectivity to the communication module to exploit the vulnerability, organizations should ensure ICS/SCADA networks are properly segmented within the process structure as well as from the Internet and other non-essential networks.
Implement detection signatures. Use appended Snort signatures to monitor and detect anomalous Common Industrial Protocol (CIP) packets to Rockwell Automation devices.

Additionally, organizations should increase protections of ICS/SCADA networks by implementing at least the following mitigations:

Regularly back up devices to allow for reversion to a clean copy of firmware or a working project;
disable unused CIP objects on communications modules, such as unused CIP Email and Socket Objects;
block all traffic to CIP-enabled devices from outside the ICS/SCADA network using available security products; and
monitor CIP traffic for unexpected content or unusual packets lengths.

Potential Indicators of Compromise

System owners should ensure ICS/SCADA networks are baselined and regularly monitored for deviations in network activity. Specifically, systems owners can look for the following potential IOCs (Indicators of Compromise) for ControlLogix communications modules:

Unknown scanning on a network for Common Industrial Protocol (CIP)-enabled devices.
Unexpected or out-of-specification CIP packets to CIP objects implemented in ControlLogix communications modules, including the Email Object and non-public vendor-specified objects.
Arbitrary writes to communication module memory or firmware.
Unexpected firmware updates.
Unexpected disabling of secure boot options.
Uncommon firmware file names.

Detection Rules

The following Snort rules are intended to be run on a computer with network visibility of a ControlLogix communications module and can be used to detect traffic to a ControlLogix communications module that does not conform to the CIP specification as provided by ODVA (Open DeviceNet Vendors Association). While both the CIP Email and Socket Objects are capable of communicating over a network, they are intended to communicate over the backplane of a ControlLogix PLC (Programmable Logic Controller) and therefore should not be seen over the network. However, it is possible that site engineers could configure a communications module such that there is legitimate network traffic to and from CIP Email and Socket Objects, potentially resulting in false positives.

Snort 2 Rules and Snort 3 Rules are both attached below.

References

Attachments

File

CVE-2023-3595 Snort 2.rules

Attachments

File

CVE-2023-3595 Snort 3.rules

Critical

PN1630 | PN1630 | Enhanced HIM Vulnerable to Cross Site Request Forgery Attack

Published Date:

July 11, 2023

Last Updated:

September 09, 2025

CVE IDs:

CVE-2023-2746

Products:

PowerFlex 7000, PowerFlex 6000

CVSS Scores:

9.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision Number

1.1

Revision History

Version 1.0 - July 11, 2023

Version 1.1 - September 9, 2025

Affected Products

Affected Product	First Known in Firmware Revision	Corrected in Firmware Revision
Enhanced HIM	v1.001	v1.002

Security Issue Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess thesecurity issues. The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency and to improvement of all business environments.

CVE-2023-2746 IMPACT
The API that the application uses is not protected sufficiently and uses incorrect Cross-Origin Resource Sharing (CORS) settings. As a result, it is vulnerable to a Cross Site Request Forgery (CSRF) attack. To use this, a threat actor would have to convince a user to click on an untrusted link. This is done through a social engineering attack or by performing a Cross Site Scripting Attack (XSS). Using a CSRF could lead to sensitive information disclosure and full remote access to the affected products.

CVSS Base Score: 9.6/10

 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

 CWE: CWE-352: Cross-Site Request Forgery (CSRF)

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Risk Mitigation & User Action

Customers using the affected software should use risk mitigation and our suggested security best practices to minimize the potential risks.

Upgrade to version 1.002 which mitigates this issue.
Security Best Practices: QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

CVE-2023-2746 JSON

Glossary

Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.

Cross-Origin Resource Sharing: (CORS) an HTTP-header-based mechanism that allows a server to specify which origins (domains, schemes, or ports) are permitted to access its resources

Cross Site Request Forgery: (CSRF) an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated

Cross Site Scripting Vulnerability: (XSS) a web security vulnerability that allows an attacker to inject malicious scripts into content from otherwise trusted websites

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

High

PN1631 | PN1631 | PowerMonitor™ 1000 – Cross-Site Scripting Vulnerability

Published Date:

July 11, 2023

Last Updated:

September 09, 2025

CVE IDs:

CVE-2023-2072

Products:

1408 PowerMonitor 1000

CVSS Scores:

8.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision Number

1.1

Revision History

Version 1.0 – July 11, 2023

Version 1.1 - September 9, 2025

Affected Products

Affected Product (automated)	First Known in Software Revision	Corrected in Software Revision
PowerMonitor™ 1000	V4.011	V4.019

Security Issue Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess the security issues. The security of our products is important to us as your industrial automation supplier. This issue was found internally during routine testing and is being reported based on our commitment to transparency and to improving business environments.

CVE-2023-2072 IMPACT
The PowerMonitor 1000 contains stored cross site scripting security issues within the web page of the product. The pages do not require privileges to access and can be injected with code by an attacker. This could be used to leverage an attack on an authenticated user. The result being remote code execution and the complete loss of confidentiality, integrity, and availability of the product.

CVSS Base Score: 8.8

 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 CWE: CWE-787 Out-Of-Bounds Write

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the risk mitigation and our suggested security best practices below to minimize the potential risks.

Upgrade to V4.019 which has been patched to mitigate these issues.
Security Best Practices: QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks.

Additional Resources

CVE-2023-2072 JSON

Glossary

Cross Site Scripting Vulnerability: (XSS) a web security vulnerability that allows an attacker to inject malicious scripts into content from otherwise trusted websites

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

High

PN1627 | PN1627 | FactoryTalk® System Services affecting FactoryTalk® Policy Manager – Multiple Vulnerabilities

Published Date:

June 13, 2023

Last Updated:

September 09, 2025

CVE IDs:

CVE-2023-2639, CVE-2023-2637, CVE-2023-2638

Products:

FactoryTalk Policy Manager, FactoryTalk System Services, FactoryTalk Services Platform

CVSS Scores:

4.1, 5.9, 7.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision Number

1.1

Revision History

Version 1.0 - June 13, 2023

Version 1.1 - September 9, 2015 - Updated for better readability

Affected Products

Affected Product (automated)	First Known in Software Version	Corrected in Software Version
FactoryTalk® Services Platform * Only if the following were installed: FactoryTalk® Policy Manager v6.11.0 FactoryTalk® System Services v6.11.0	6.11.00	6.30.00

Security Issue Details

Rockwell Automation received a report from Claroty regarding three security issues in FactoryTalk® System Services. If used, these security issues could result in information disclosure, loading of malicious configuration files, or the elevation of privileges from a user to an administrator.

FactoryTalk® Policy Manager is dependent upon FactoryTalk® System Services and both components must be installed together. Rockwell Automation uses the latest version of the CVSS scoring system to assess security issues.

CVE-2023-2637 IMPACT
A hard-coded cryptographic key may lead to privilege escalation. FactoryTalk® System Services uses a hard-coded cryptographic key to generate administrator cookies. This security issue could allow a local, authenticated non-admin user to generate an invalid administrator cookie. This would give them administrative privileges to the FactoryTalk® Policy Manger database. This would allow the threat actor to make harmful changes to the database. The changes would then be used when a legitimate FactoryTalk® Policy Manager user deploys a security policy model. User interaction is required for this security issue to be successfully used.

CVSS Base Score: 7.3

 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H.

 CWE: CWE-321: Use of Hard-coded Cryptographic Key

Known Exploited Vulnerability (KEV) database: No

CVE-2023-2638 IMPACT
A improper authorization in FTSSBackupRestore.exe could lead to the loading of harmful configuration archives. FactoryTalk® System Services does not verify that a backup configuration archive is password protected. This security issue could allow a local, authenticated non-admin user to craft a harmful backup archive. This wouldn't have password protection and will be loaded by FactoryTalk® System Services as a valid backup when a restore procedure takes places. User interaction is required for this security issue to be used.

CVSS Base Score: 5.9

 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H

 CWE: CWE-287: Improper Authentication

Known Exploited Vulnerability (KEV) database: No

CVE-2023-2639 IMPACT
An origin validation error may lead to information disclosure. There is an underlying feedback mechanism of FactoryTalk® System Services that transfers the FactoryTalk® Policy Manager rules to relevant devices on the network. This does not verify that the origin of the communication is from a legitimate local client device. It could allow a threat actor to create a harmful website that will send a harmful script. The script can connect to the local WebSocket endpoint and wait for events as if it was a valid client device. If used, a threat actor could receive information including whether FactoryTalk® Policy Manager is installed. It could also allow the treat actor to view the entire security policy. User interaction is required for this to be used.

CVSS Base Score: 4.1

 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

 CWE: CWE-346: Origin Validation Error

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the risk mitigations and security best practices below.

Upgrade to 6.30.00 or later which has been patched to mitigate these issues.
For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
- System Security Design Guidelines Reference Manual publication, SECURE-RM001
- Configure System Security Features User Manual, SECURE-UM001
Implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks.

Additional Resources

CVE-2023-2637 JSON
CVE-2023-2638 JSON
CVE-2023-2639 JSON

Glossary

Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Medium Strength Ciphers: encryption methods that use key lengths of at least 64 bits and less than 112bits, or those with key lengths at least 56 bits and less than 112bits

High

PN1628 | PN1628 | Apache Portable Runtime Vulnerability in FactoryTalk® Edge Gateway

Published Date:

June 13, 2023

Last Updated:

September 09, 2025

CVE IDs:

CVE-2021-35940, CVE-2017-12613

Products:

FactoryTalk Edge Gateway

CVSS Scores:

7.1

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision Number

1.1

Revision History

Version 1.0 - June 13, 2023

Version 1.1 - September 9, 2025 - Updated for readability

Affected Products

Affected Product	First Known in Software Version	Corrected in Software Version
FactoryTalk® Edge Gateway	v1.03.00	v1.04.00

Security Issue Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess security issues. The security of our products is important to us as your industrial automation supplier. This irregularity was found internally during routine testing and is being reported based on our commitment to customer transparency and to improving production environments.

CVE-2021-35940 IMPACT
An out of bounds array read security issue was fixed in the apr_time_exp*() function in the Apache Portable Runtime v1.6.3 (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch causing version 1.7.0 to regress compared to 1.6.3. Therefore it is vulnerable to the same issue. If exploited, a threat actor could potentially read confidential data or cause the software to become unavailable.

CVSS Base Score: 7.1

 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

 CWE: CWE 125 Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the risk mitigation below and our security best practices to minimize the risks .

Update to v1.04.00 which mitigates the issue.
Security Best Practicies: QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

CVE 2021 35940 JSON

High

PN1629 | PN1629 | Denial-of-Service Vulnerability in FactoryTalk® Transaction Manager

Published Date:

June 13, 2023

Last Updated:

June 13, 2023

CVE IDs:

CVE-2023-2778

Products:

FactoryTalk Transaction Manager

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - June 13, 2023

Affected Products

Affected Product	First Known in Software Version	Corrected in Software Version
FactoryTalk® Transaction Manager	<=v13.10	BF29042 - Patch: Multiple issues, FactoryTalk Transaction Manager 13.00/13.10

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

CVE-2023-2778 IMPACT
A denial-of-service (DoS) vulnerability exists in the affected products. This vulnerability can be exploited by sending a modified packet to port 400. If exploited, the application could potentially crash or experience a high CPU or memory usage condition, causing intermittent application functionality issues. The application would need to be restarted to recover from the DoS.

CVSS Base Score 7.5
 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 CWE: CWE-400 Uncontrolled Resource Consumption

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations below, if possible. Additionally, we encourage our customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers should follow the instructions in BF29042 - Patch: Multiple issues, FactoryTalk Transaction Manager 13.00/13.10 to install the patch to mitigate the issue.
QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

CVE-2023-2778 JSON

High

PN1625 | PN1625 | Inadequate Encryption Vulnerability in ThinManager®

Published Date:

May 12, 2023

Last Updated:

September 09, 2025

CVE IDs:

CVE-2023-2443

Products:

ThinManager

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision Number

1.2

Revision History

Version 1.0 - May 11, 2023
Version 1.1 - May 12, 2023 – Updated First Known in Software Version

Version 1.2 - September 9, 2025 - Updated for readability

Affected Products

Affected Product	First Known in Software Version	Corrected in Software Version
ThinManager ®	v13.0.0 and v13.0.1	v13.0.2

Security Issue Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess the security issues.

CVE-2023-2443 IMPACT
The affected product allows use of medium strength ciphers. If the client requests an insecure cipher, a threat actor could decrypt traffic sent between the client and server Application Programming Interface (API).

CVSS Base Score: 7.5/10

 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

 CWE: Inadequate Encryption Strength

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the risk mitigations and our suggested security best practices found below to minimize risks.

Upgrade to v13.0.2.
Do not use 3DES encryption algorithm.
QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

Glossary

Application Programming Interface: (API) is a set of protocols and tools that allow different software applications to communicate with each other.

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Medium Strength Ciphers: encryption methods that use key lengths of at least 64 bits and less than 112bits, or those with key lengths at least 56 bits and less than 112bits

High

PN1622 | PN1622 | ArmorStart® ST 281E, 284EE Vulnerable to Multiple XSS Vulnerabilities

Published Date:

May 11, 2023

Last Updated:

September 08, 2025

CVE IDs:

CVE-2023-29030, CVE-2023-29022, CVE-2023-29028, CVE-2023-29027, CVE-2023-29023, CVE-2023-29026, CVE-2023-29029, CVE-2023-29031, CVE-2023-29024, CVE-2023-29025

Products:

ArmorStart

CVSS Scores:

4.7, 7.0, 5.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision Number

1.1

Revision History

Version 1.0 - May 11, 2023

Version 1.1 - September 8, 2025 - Updated for better readability

Affected Products

Affected Product (automated)	First Known in Firmware Revision	Corrected in Firmware Revision
ArmorStart® ST 281E	v2.004.06	N/A
ArmorStart® ST 284E	all	N/A
ArmorStart® ST 280E	all	N/A

Security Issue Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following security issues.

CVE-2023-29031 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful use of this.

CVSS Base Score: 7.0

 CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

 CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29030 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful use of this.

CVSS Base Score: 7.0 (High)

 CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

 CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29023 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful use of this.

CVSS Base Score: 7.0 (High)

 CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

 CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29024 IMPACT
A cross site scripting vulnerability was discovered. This could allow a threat actor to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this.

CVSS Base Score: 5.5 (Medium)

 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

 CWE: CWE-20 Improper Input Validation

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29025 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)

 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

 CWE: CWE-20 Improper Input Validation

CVE-2023-29026 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface.This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)

 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

 CWE: CWE-20 Improper Input Validation

CVE-2023-29027 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)

 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

 CWE: CWE-20 Improper Input Validation

CVE-2023-29028 IMPACT
A cross site scripting vulnerability was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)

 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

 CWE: CWE-20 Improper Input Validation

CVE-2023-29029 IMPACT
A cross site scripting security issue was discovered. Thist could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)

 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

 CWE: CWE-20 Improper Input Validation

CVE-2023 29022 IMPACT
A cross site scripting security issue was discovered. This could allow a threat actor with admin privileges and network access to view user data and modify the web interface. This could also cause interruptions to the availability of the web page.

CVSS Base Score: 4.7 (Medium)

 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

 CWE: CWE-20 Improper Input Validation

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the below risk mitigation.

Disable the webserver during normal use. The webserver is disabled by default and should only be enabled to modify configurations. After modifying configurations, the web server should be disabled.
For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
- System Security Design Guidelines Reference Manual publication, SECURE-RM001
- Configure System Security Features User Manual, SECURE-UM001
Customers should use our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks.

Additional Resources

Glossary

Cross Site Scripting Vulnerability: (XSS) a web security vulnerability that allows an attacker to inject malicious scripts into content from otherwise trusted websites

Critical

PN1623 | PN1623 | PanelView™ 800 – Remote Code Execution Vulnerabilities

Published Date:

May 11, 2023

Last Updated:

September 08, 2025

CVE IDs:

CVE-2019-16748, CVE-2020-36177

Products:

PanelView 800

CVSS Scores:

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision Number

1.1

Revision History

Version 1.0 - May 11, 2023

Version 1.1 - September 8, 2025

Affected Products

Affected Product	First Known in Software Version	Corrected in Software Version
PanelView™ 800 - 2711R-T4T	V5.011	V8.011
PanelView™ 800 - 2711R-T7T	V5.011	V8.011
PanelView™ 800 - 2711R-T10T	V5.011	V8.011

Vulnerability Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess the following security issues.

CVE-2020-36177 IMPACT
RsaPad_PSS in WolfSSL before version 4.6.0 has an out-of-bounds write. This is for certain relationships between key size and digest size. It is utilized in the PanelView™ 800 and could allow an attacker to accomplish a heap buffer overflow. This happens if the user has the email feature enabled in the project file where WolfSSL is used. The feature is disabled by default.

CVSS Base Score: 9.8

 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

 CWE: CWE-787 Out-Of-Bounds Write

Known Exploited Vulnerability (KEV) database: No

CVE-2019-16748 IMPACT
In WolfSSL through version 4.1.0, there is a missing sanity check of memory accesses in parsing ASN.1 certificate data while handshaking. There is a one-byte heap-based buffer over-read in CheckCertSignature ex in wolfcrypt/src/asn.c. WolfSSL that is utilized in the PanelView™ 800. This could allow an attacker to accomplish a heap buffer overflow if the user has the email feature enabled in the project file where WolfSSL is used. This feature is disabled by default.

CVSS Base Score: 9.8

 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 CWE: CWE-125 Out-Of-Bounds Read

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Risk Mitigation & User Action

Customers using the affected software should use the below risk mitigations.

Upgrade to V8.011 which has been patched to mitigate these issues.
Ensure that the email feature is disabled (This is disabled by default).
For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
- System Security Design Guidelines Reference Manual publication, SECURE-RM001
- Configure System Security Features User Manual, SECURE-UM00
Customers should use our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks.

Additional Resources

Glossary

ASN.1: Abstract Syntax Notation One is a standard interface description language for defining data structures that can be serialized and deserialized in a cross-platform way

Handshaking: the process of establishing a connection between two devices or systems before actual data transmission begins

Heap-based Memory Buffer Overflow: a type of buffer overflow that occurs in the heap data area. Memory on the heap is dynamically allocated at runtime and typically contains program data.

Out-of-Bounds Write: when the software writes data past the end or before the beginning of an intended buffer, leading to data corruption, crashes or code execution

RsaPad_PSS: (RSA-Public Key Signature Scheme) a cryptographic method that uses the RSA algorithm for signing and verifying messages

WolfSSL: a small, portable SSL/TLS library designed for embedded system and RTOS environments

High

PN1626 | PN1626 | Cross Site Request Forgery in FactoryTalk® Vantagepoint®

Published Date:

May 11, 2023

Last Updated:

May 11, 2023

CVE IDs:

CVE-2023-2444

Products:

FactoryTalk VantagePoint

CVSS Scores:

7.1

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - May 11, 2023

Affected Products

Affected Product	First Known in Software Version	Corrected in Software Version
FactoryTalk® Vantagepoint®	<v8.40	V8.40 and later

Vulnerability Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-2444 IMPACT
A cross site request forgery vulnerability exists in the affected product. This vulnerability can be exploited in two ways. If an attacker sends a malicious link to a computer that is on the same domain as the FactoryTalk® Vantagepoint® server and a user clicks the link, the attacker could impersonate the legitimate user and send requests to the affected product.

Additionally, if an attacker sends an untrusted link to a computer that is not on the same domain as the server and a user opens the FactoryTalk® Vantagepoint® website, enters credentials for the FactoryTalk® Vantagepoint® server, and clicks on the malicious link a cross site request forgery attack would be successful as well.

CVSS Base Score: 7.1/10
 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
 CWE: CWE-345 Insufficient Verification of Data Authenticity

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are also encouraged to implement our suggested security best practices to minimize risk associated with the vulnerability.

Provide training about social engineering attacks, such as phishing.
QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

CVE-2023-2444 JSON

Critical

PN1624 | Open Ports Vulnerability in Kinetix 5500 EtherNet/IP Servo Drive

Published Date:

May 11, 2023

Last Updated:

October 16, 2024

CVE IDs:

CVE-2023-1834

Products:

2198 Kinetix 5500 Drive

CVSS Scores (v3.1):

9.4

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Revision Number

1.1

Revision History

Version 1.0 - May 11, 2023

Version 1.1 - September 10, 2025 - Updated for readability

Affected Products

Affected Product	First Known in Firmware Revision	Corrected in Firmware Revision
Kinetix 5500 manufactured between May 2022 and January 2023 *The manufacturing date of the drive is stated on the product label.	v7.13	Customers should upgrade to versions v7.14 or later to close the ports, which mitigates this issue.

Security Issue Details

Rockwell Automation uses the latest version of the CVSS scoring system to assess security issues..

CVE-2023-1834 IMPACT
Rockwell Automation was made aware that Kinetix® 5500 drives, manufactured between May 2022 and January 2023 that are running v7.13. These may have the telnet and FTP ports open by default. This could potentially allow attackers unauthorized access to the device through the open ports.

CVSS Base Score: 9.4/10

 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H 

 CWE: CWE 284 Improper Access Control

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment specific categories.

Risk Mitigation & User Action

Customers using the affected drives should use the risk mitigations and our suggested security best practices to minimize risks..

Upgrade to v7.14
QA43240 - Recommended Security Guidelines from Rockwell Automation

Additional Resources

CVE-2023-1834 JSON

Glossary

FTP: (File Transfer Protocol) uses two primary ports for its operations: Port 21 and Port 20. These ports play distinct roles in facilitating file transfers between clients and servers.

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Telnet: Teletype Network and is a client/server application protocol that provides access to virtual terminals of remote systems on local area networks or the Internet

High

PN1621 | PN1621 | Arena® Simulation – Multiple Vulnerabilities

Published Date:

May 09, 2023

Last Updated:

September 08, 2025

CVE IDs:

CVE-2023-29460, CVE-2023-29462, CVE-2023-29461

Products:

Arena

CVSS Scores:

7.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision Number

1.1

Revision History

Version 1.0 - May 9, 2023

Version 1.1 - September 8, 2025 - Update for better readability

Affected Products

Affected Product (automated)	First Known in Software Version	Corrected in Software Version
Arena® Simulation Software	V16.00	16.20.01

Security Issue Details

Rockwell Automation used the latest version of the CVSS scoring system to assess the following security issues.

CVE-2023-29460 IMPACT
An arbitrary code execution security issue was reported to Rockwell Automation that could allow a threat actor to use unauthorized arbitrary code to the software by using a memory buffer overflow.

CVSS Base Score: 7.8

 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29461 IMPACT
An arbitrary code execution security issue was reported to Rockwell Automation that could allow a threat actor to use unauthorized arbitrary code on the software by using a memory buffer overflow in the heap.

CVSS Base Score: 7.8

 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer

Known Exploited Vulnerability (KEV) database: No

CVE-2023-29462 IMPACT
An arbitrary code execution seurity issue was reported to Rockwell Automation that could allow a threat actor to use unauthorized arbitrary code on the software by using a memory buffer overflow in the heap.

CVSS Base Score: 7.8

 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

 CWE: CWE-119 Incorrect Restriction of Operations in the Memory Buffer

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.

Risk Mitigation & User Action

Customers using the affected software shoud use the below risk mitigations.

Upgrade to 16.20.01 which has been patched to mitigate these issues.
For information on how to mitigate Security Risks on industrial automation control systems (IACS) networks see the following publications:
- System Security Design Guidelines Reference Manual publication, SECURE-RM001
- Configure System Security Features User Manual, SECURE-UM001
Customer should use our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risks..

Additional Resources

Glossary

Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process

Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited

Memory Buffer Overflow: occurs when a program writes more data to a buffer than it can hold. This can lead to data corruption, program crashes, or unintended behavior

Critical

PN1410 | PN1410 | FactoryTalk® Diagnostics Vulnerable to Remote Code Execution

Published Date:

April 10, 2023

Last Updated:

April 10, 2023

CVE IDs:

CVE-2020-6967

Products:

FactoryTalk Services Platform

CVSS Scores:

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.3

Revision History

Version 1.0 – February 20, 2020. Initial Release
Version 1.1 – June 18, 2020. Pwn2Own Co-Discovery
Version 1.2 – February 10, 2023
Version 1.3 – April 10, 2023 – Added v6.31 Mitigations

Executive Summary

The Zero Day Initiative (ZDI), part of the information security company Trend Micro, reported a remote code execution (RCE) vulnerability in FactoryTalk® Services Platform to Rockwell Automation. Specifically, the vulnerability is found in the FactoryTalk Diagnostics subsystem, which provides customers the functionality to collect and view diagnostic messages from the FactoryTalk system for analysis and troubleshooting purposes.

FactoryTalk Diagnostics is utilized by many Rockwell Automation® products. We encourage customers to follow the steps provided to understand if they are affected.

Special thanks to rgod of 9sg working with ZDI to find this vulnerability. This vulnerability was co-discovered during the first ever Industrial Control Systems (ICS) Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI).

Affected Products

FactoryTalk Services Platform (v2.00 – v6.11)
The FactoryTalk Services Platform is delivered as part of the FactoryTalk suite of software from Rockwell Automation. Including most products branded FactoryTalk or Studio 5000® software.

Vulnerability Details

CVE-2020-6967: Remote Code Execution due to Vulnerable .NET Remoting Instance
FactoryTalk Diagnostics exposes a remote network port at tcp/8082, which may allow an attacker to execute arbitrary code with SYSTEM level privileges.

CVSS v3.1 Base Score: 9.8/CRITICAL CVSS Vector String: AV:N/AC:L/PR:N/UI:N/SC:U/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10268

Risk Mitigation & User Action

Rockwell Automation will resolve this vulnerability in the next release of the FactoryTalk Services Platform. Until then, customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the PN1354 - Industrial Security Advisory Index to stay notified.

Update: The vulnerability has been resolved with the release of FactoryTalk Services Platform V6.31.

Product Family	Suggested Actions
FactoryTalk Services Platform V6.31	No actions are necessary: Version supports use of Microsoft Windows Communication Foundation (WCF) which avoids the vulnerability. Version supports use of .NET Remoting (system default) with connections restricted to a local port; mitigating the vulnerability.

Product Family

Suggested Actions

FactoryTalk Services Platform V2.00 – V6.11

We have provided guidance for customers affected by this vulnerability to assess whether the service is installed, and steps for implementing the recommended mitigations. Customers should consider implementing the following measures based on their needs:

Upgrade to FactoryTalk Services Platform V6.31.
Recommended action for versions that predate v6.20 upgrade to version 6.20 or later; this version restricts connection settings to only the local port. If it is not possible to update:
Alternately for versions 2.74, 2.80, 2.81, 2.90, 3.00, 6.10, or 6.11, install the patch at BF24822 - Patch: FactoryTalk Diagnostics Local Reader service connection settings restricted to local access only, FactoryTalk Services 6.11, 6.10, 3.00, 2.90, 2.80, 2.81, 2.74 to restrict connections settings to only the local port.
For versions that predate v2.74 it is recommended to upgrade to a more recent version.
Disable the Remote Diagnostics Service if this service is not in use. Disabling this service does not result in data loss.
If the service is in use, use Windows Firewall configuration to help prevent remote connection to the effected port.
Steps to perform both solutions can be found in Risk mitigation for FactoryTalk Diagnostics remoting endpoint.

Note: A Snort rule for this issue is available in Snort’s developer rules (sid: 32474).

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Utilize proper network infrastructure controls, such as firewalls, to help ensure that .NET Remoting from unauthorized sources are blocked.
Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.
Consider implementing network security protocols for software systems, such as IPSec. Documentation is available in QA46277 - Deploying FactoryTalk Software with IPsec, outlining guidelines for implementing IPSec with FactoryTalk applications.

Software/PC-based Mitigation Strategies

Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available in QA17329 - Using Rockwell Automation Software Products with AppLocker.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations

Use trusted software, software patches antivirus/antimalware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the PN1354 - Industrial Security Advisory Index for Rockwell Automation.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

Additional Links

Critical

PN1618 | PN1618 | ThinManager Software Path Traversal and Denial-Of-Service Attack

Published Date:

March 21, 2023

Last Updated:

September 08, 2025

CVE IDs:

CVE-2023-27855, CVE-2023-27857, CVE-2023-27856, CVE-2023-28757

Products:

ThinManager

CVSS Scores:

7.5, 9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision Number

1.1

Revision History

Version 1.0 – March 21, 2023 – Initial Version

Version 1.1 - September 8, 2025 - Updated for better readability

Executive Summary

A security issue was discovered by Tenable Security Researchers and reported to Rockwell Automation. This was discovered in the ThinManager® ThinServer™ software. Successful use of this security issue could allow a threat actor to perform remote code execution on the target or crash the software.

Affected Products

ThinManager ThinServer software	Versions
	6.x – 10.x
	11.0.0 – 11.0.5
	11.1.0 – 11.1.5
	11.2.0 – 11.2.6
	12.0.0 – 12.0.4
	12.1.0 – 12.1.5
	13.0.0-13.0.1

Security Issue Details

CVE 2023-27855 ThinManager ThinServer Path Traversal Upload

CVSS Base Score: 9.8 /10 (Critical)

 CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A path traversal exists when processing a message. An unauthenticated remote attacker could use this security issue to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker can overwrite existing executable files with attacker-controlled, malicious content. This could cause a remote code execution.

CVE 2023-27856 ThinManager ThinServer Path Traversal Download

CVSS Base Score: 7.5 /10 (High)

 CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

A path traversal exists when processing a message of type 8 in the affected versions. An unauthenticated remote attacker can use this security issue to download arbitrary files on the disk drive where ThinServer.exe is installed.

CVE 2023-27857 ThinManager ThinServer Heap-Based Buffer Overflow

CVSS Base Score: 7.5/10 (High)

 CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

A heap-based buffer over-read condition occurs when the message field indicates more data than is present in the message field. An unauthenticated remote attacker can use this security issue to crash ThinServer.exe due to a read access violation.

Risk Mitigation & User Action

Customers should use the risk mitigations provided and combine these mitigations with the general security guidelines to use the strategies simultaneously.

CVE-2023-27855 CVE-2023-27856 CVE-2023-27857	First Known Affected	Fixed Versions
	6.x – 10.x	These versions are retired. Please update to the supported version.
	11.0.0 – 11.0.5	Update to v11.0.6
	11.1.0 – 11.1.5	Update to v11.1.6
	11.2.0 – 11.2.6	Update to v11.2.7
	12.0.0 – 12.0.4	Update to v12.0.5
	12.1.0 – 12.1.5	Update to v12.1.6
	13.0.0 – 13.0.1	Update to v13.0.2

Additional Mitigations

If customers are unable to update to the patched version, the following mitigations should be put in place:

Limiting remote access to TCP port 2031 to known thin clients and ThinManager servers would limit some access to exploit this vulnerability.

For additional security best practices, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, to maintain your environment.

References

Glossary

Heap-Based Buffer Over-Read Condition: a type of buffer overflow flaw where the execution occurs in the heap data area. An over-read condition occurs when a program, while reading data from a buffer, overruns the buffer’s boundary and reads adjacent memory

Path Traversal: allows attackers to access files and directories that are stored outside the intended directory

Medium

PN1619 | Modbus TCP AOI Server Could Leak Sensitive Information

Published Date:

March 16, 2023

Last Updated:

October 16, 2024

CVE IDs:

CVE-2023-0027

Products:

1768/1769/5069 CompactLogix, 1756 ControlLogix

CVSS Scores (v3.1):

5.3

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – March 16, 2023

Executive Summary

Rockwell Automation received a report from researchers at Veermata Jijabai Technological Institute of a vulnerability that was contained within the Modbus TCP Server Add-On Instructions (AOI) for ControlLogix® and CompactLogix™ controllers. This vulnerability may allow an unauthorized user to gain information when the Modbus TCP Server AOI accepts a malformed request.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

Modbus TCP Server Add-On Instruction (AOI) for ControlLogix and CompactLogix controllers, used to connect to other devices via Modbus TCP protocol. Rockwell Automation Sample Code Library ID:101037.
- Customers who do not use the AOI with a controller are not impacted.
- The Modbus TCP Client AOI, that is a part of this sample code library, does not have this vulnerability.

Vulnerability Details

CVE-2023-0027 Rockwell Automation Modbus TCP Server Add-On Instruction Could Leak Sensitive Information
While the Modbus TCP Server AOI is in use, an unauthorized user could potentially send a malformed message causing the controller to respond with a copy of the most recent response to the last valid request. If exploited, an attacker could read the connected device’s Modbus TCP Server AOI information. It is impossible to exploit this vulnerability without knowing the Modbus address of the last valid request.

CVSS v3.1 Base Score: 5.3/10[medium]

 CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Risk Mitigation & User Action

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products.

Products Affected	First Known Version Affected	Corrected In
Modbus TCP Add-On Instructions (AOI) Sample Code	2.00.00	This issue has been mitigated in the following AOI versions: 2.04.00 and later

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines from Rockwell Automation.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

Disclaimer

This document is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this document is not intended to constitute application, design, software or other professional engineering advice or services. Before making any decision or taking any action, which might affect your equipment, you should consult a qualified professional advisor.

ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS DOCUMENT AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL AUTOMATION BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOST PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAS BEEN ADVISED OFTHE POSSIBILITY OF SUCH DAMAGES.

ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. NOTE THAT CERTAIN JURISDICTIONS DO NOT COUNTENANCE THE EXCLUSION OF IMPLIED WARRANTIES; THUS, THIS DISCLAIMER MAY NOT APPLY TO YOU.

Medium

PN1554 | PN1554 | CompactLogix 5370 and ControlLogix 5570 Controllers Vulnerable to Denial of Service Conditions due to Improper Input Validation

Published Date:

February 07, 2023

Last Updated:

February 07, 2023

CVE IDs:

CVE-2020-6998

Products:

1769 Compact GuardLogix 5370, 1769 CompactLogix 5370

CVSS Scores:

5.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.2

Revision History

Version 1.0 – March 2, 2021. Initial Release
Version 1.2 – February 7, 2023 - Updated affected products and risk mitigations section

Executive Summary

CompactLogix™ 5370 and ControlLogix^® 5570 Programmable Automation Controllers (PACs) contain a vulnerability in the connection establishment algorithm that could allow a remote, unauthenticated attacker to cause infinite wait times in communications with other products resulting in denial of service conditions. The Cybersecurity & Infrastructure Security Agency (CISA) reported this vulnerability to Rockwell Automation by way of an anonymous researcher.

Customers using the affected products are strongly encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.

Affected Products

The following products are affected:

CompactLogix 5370
Compact GuardLogix 5370
ControlLogix 5570
ControlLogix 5570 redundancy
GuardLogix 5570

Vulnerability Details

CVE-2020-6998: Improper Input Validation Causes Denial of Service Condition
The connection establishment algorithm found in CompactLogix 5370 and ControlLogix 5570 does not sufficiently manage its control flow during execution, creating an infinite loop. This may allow an attacker to send specially crafted CIP™ packet requests to a controller, which may cause denial of service conditions in communications with other products.

CVSS v3.1 Base Score: 5.8/10 [MEDIUM]
 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

CVE-2020-6998

Products Affected	First Known Version Affected	Corrected In
CompactLogix 5370 ControlLogix 5570 GuardLogix 5570	20.011	33.011 and later
Compact GuardLogix 5370	28.011	33.011 and later
ControlLogix 5570 Redundancy	20.054	33.051 and later

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

General Mitigations

Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Critical

PN1616 | PN1616 | CVE-2019-5096 and CVE 2019-5097 Vulnerabilities Impact Multiple Products

Published Date:

January 27, 2023

Last Updated:

September 08, 2025

CVE IDs:

CVE-2019-5097, CVE-2019-5096

Products:

1768/1769/5069 CompactLogix, 1769 Compact I/O, 1732E ArmorBlock I/O, 1756 ControlLogix, 1769 CompactLogix Controllers, 1747 SLC 500, 1756/1769/5069/2080 Chassis-based I/O, 1769 Compact GuardLogix 5370, 1756/5069 GuardLogix

CVSS Scores:

7.5, 9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Version

1.1

Revision History

Version 1.0 – January 27, 2023

Version 1.1 - September 8, 2025

Executive Summary

Rockwell Automation is aware of multiple products that use the GoAhead web server application that are affected by CVE 2019-5096 and CVE 2019-5097. These security issues could potentially have a high impact on the confidentiality, integrity and availability of the vulnerable devices. We have not received any notice of these security issues being usedin Rockwell Automation products.

Customers using the affected products should use the mitigations provided below. Additional details relating to the discovered scurity issues, including impact and recommended countermeasures are below.

Affected Products

CVE -2019-5096 and CVE 2019-5097

Catalog Number	Firmware Version
1732E-8CFGM8R/A	1.012
1732E-IF4M12R/A (discontinued)	1.012
1732E-IR4IM12R/A	1.012
1732E-IT4IM12R/A	1.012
1732E-OF4M12R/A	1.012
1732E-OB8M8SR/A	1.013
1732E-IB8M8SOER	1.012
1732E-8IOLM12R	2.011
1747-AENTR	2.002
1769-AENTR	1.001
5069-AEN2TR	3.011
1756-EN2TR/C	<=11.001
1756-EN2T/D	<=11.001
1756-EN2TSC/B (discontinued)	10.01
1756-EN2TSC/B	10.01
1756-HIST1G/A (discontinued)	<=3.054
1756-HIST2G/A(discontinued)	<=3.054
1756-HIST2G/B	<=5.103

CVE 2019 -5097

Catalog Number	Firmware Version
ControlLogix® 5580 controllers	V28 – V32*
GuardLogix® 5580 controllers	V31 – V32*
CompactLogix™ 5380 controllers	V28 – V32*
Compact GuardLogix 5380 controllers	V31 – V32*
CompactLogix 5480 controllers	V32*
1756-EN2T/D	11.001*
1756-EN2TR/C	11.001*
1765–EN3TR/B	11.001*
1756-EN2F/C	11.001*
1756-EN2TP/A	11.001*

* The security issue is only usable via the Ethernet port. It is not useable via backplane or USB communications.

Security Issue Details

Rockwell Automation was made aware of two third-party security issues that affect the GoAhead embedded web server. A critical security issue (CVE-2019-5096) exists in the way requests are processed by the web server. A threat actor could use this to execute arbitrary code by sending specially crafted HTTP requests to the targeted device.

Additionally, a denial-of-service (DoS) vulnerability (CVE-2019 5097) exists in the GoAhead web server. To use this security issue, a threat actor would have to send specially crafted HTTP requests. This would trigger an infinite loop in the process and the targeted device could then crash.

CVE 2019-5096 EmbedThis GoAhead web server code execution vulnerability

CVSS Base Score:  9.8/10 (Critical) 

 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE 2019-5097 EmbedThis GoAhead web server denial-of-service vulnerability

CVSS Base Score:  7.5/10 (High) 

 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers should use the below mitigations.

Product	Suggested Actions
1732E-8CFGM8R/A	Refer to Additional Mitigations
1732E-IF4M12R/A	Refer to Additional Mitigations
1732E-IR4IM12R/A	Refer to Additional Mitigations
1732E-IT4IM12R/A	Refer to Additional Mitigations
1732E-OF4M12R/A	Refer to Additional Mitigations
1732E-OB8M8SR/A	Refer to Additional Mitigations
1732E-IB8M8SOER	Refer to Additional Mitigations
1732E-8IOLM12R	Refer to Additional Mitigations
1747-AENTR	Refer to Additional Mitigations
1769-AENTR	Update to 1.003 or later
5069-AEN2TR (discontinued)	Migrate to the 5069-AENTR
1756-EN2T/D	Update to 11.002 or later
1756-EN2TR/C	Update to 11.002 or later
1756-EN3TR/B	Update to 11.002 or later
1756-EN2F/C	Update to 11.002 or later
1756-EN2TP/A	Update to 11.002 or later
1756-EN2TSC/B	Refer to Additional Mitigations
1756-HIST1G/A (discontinued)	Update to series B v5.104 or C 7.100 or later
1756-HIST2G/A (discontinued)	Update to series B v5.104 or C 7.100 or later
1756-HIST2G/B	Update to 5.104 or later
1756-EN2F/C	Update to 11.002 or later
ControlLogix 5580 controllers	Update to V32.016 or later
GuardLogix 5580 controllers	Update to V32.016 or later
CompactLogix 5380 controllers	Update to V32.016 or later
Compact GuardLogix 5380 controllers	Update to V32.016 or later
CompactLogix 5480	Update to V32.016 or later

Additional Mitigations

If updating firmware is not possible or unavailable, customers should use the mitigations to help minimize risks.

Disable the web server, if possible. Review the product user manual for instructions, which can be found in the Rockwell Automation Literature Library.
- For 1732E, upgrade to the latest firmware to disable the web server.
Configure firewalls to not allow network communication through HTTP/Port 80.

Please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, for more recommendations about maintaining your environment.

References

Glossary

Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations

HTTP Requests: (Hypertext Transfer Protocol) primarily used to fetch resources such as HTML documents, images, videos, and scripts. When a user requests a web page, the browser sends an HTTP request to the server, which then responds with the requested resource

High

PN1613 | PN1613 | Product Notice 1613: Logix Controllers Vulnerable to a Denial-of-Service Vulnerability

Published Date:

January 25, 2023

Last Updated:

September 08, 2025

CVE IDs:

CVE-2022-3157

Products:

1756-L71S, Standard Controllers, 1756-L72S, 1756-L73S, 1769 CompactLogix 5370

CVSS Scores:

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.2

Revision History

Version 1.0 – December 15, 2022
Version 1.1 – January 17, 2022 – Updated risk mitigation section
Version 1.2 – January 25, 2023 – Updated risk mitigation section

Version 1.3 - September 8. 2025 - Updated for readability

Executive Summary

Rockwell Automation was made aware of a denial-of-service security issue that impacts several versions of our GuardLogix^® and ControlLogix^® controllers. Use of this security issue could lead to a breakdown in availability of the controller and/or a major non-recoverable fault (MNRF).

Customers using affected software versions should use the mitigations in this disclosure. Additional details relating to the discovered security issue, including the products in scope, impact, and recommended countermeasures, are below. We have not received any notice of this security issue being used in Rockwell Automation products.

Affected Products

CompactLogix™ 5370
Compact GuardLogix 5370
ControlLogix 5570
ControlLogix 5570 redundancy
GuardLogix 5570

Security Issue Details

CVE-2022-3157 Controllers vulnerable to Denial-of-Service Condition
A security issue exists in the Rockwell Automation controllers. It allows a malformed CIP™ request to cause a (MNRF) and a denial-of-service condition (DOS).

CVSS Base Score:  8.6/10 (High) 

 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

This security issue has been addressed in newer versions of the products. Customers should use risk mitigations below and combine them with QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.

Products Affected	First Known Version Affected	Corrected In
CompactLogix 5370 ControlLogix 5570 GuardLogix 5570	20.011	33.013 34.011 and later
Compact GuardLogix 5370	28.011	33.013 34.011 and later
ControlLogix 5570 Redundancy	20.054	33.052 34.051 and later

Reference

CVE-2022-3157

Glossary

Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations

Major Nonrecoverable Fault (MNRF): an error that occurs in a system or device and prevents it from recovering or functioning properly

High

PN1614 | PN1614 | Studio 5000 Logix Emulate Vulnerable to a SMB Insecurely Configuration Vulnerability

Published Date:

December 22, 2022

Last Updated:

December 22, 2022

CVE IDs:

CVE-2022-3156

Products:

RSLogix Emulate 5000 / Studio 5000 Logix Emulate

CVSS Scores:

7.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – December 22, 2022

Executive Summary

Rockwell Automation was made aware of a misconfiguration vulnerability that affects Studio 5000® Logix Emulate™. Exploitation of this vulnerability could potentially allow a malicious user to perform a remote code execution that could impact the confidentiality, integrity and availability of the software.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

Studio 5000 Logix Emulate v.20 – 33

Vulnerability Details

CVE-2022-3156 Studio 5000 Logix Emulate SMB™ misconfiguration vulnerability
Users are granted elevated permissions on select product services. Due to this misconfiguration, a malicious user could potentially achieve remote code execution on the targeted software.

CVSS Base Score:  7.8/10 (High)
 CVSS:3.1/ AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the products. Customers are also directed towards the risk mitigations provided and are encouraged, when possible, to combine these with QA43240 - Recommended Security Guidelines from Rockwell Automation to employ multiple strategies simultaneously.

Vulnerabilities	Product	Suggested Actions
CVE-2022-3156	Studio 5000 Logix Emulate	Customers should upgrade to version 34.00 or later to mitigate this issue.

References

High

PN1611 | MicroLogix 1100 and 1400 Product Web Server Application Vulnerable to Denial-Of-Service Condition Attack

Published Date:

December 13, 2022

Last Updated:

October 16, 2024

Products:

1763 MicroLogix 1100, 1766 MicroLogix 1400

CVSS Scores (v3.1):

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

Yes

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – December 13, 2022

Executive Summary

Rockwell Automation received a vulnerability report from security researchers at Veermata Jijabai Technological Institute (VJTI). If exploited, this vulnerability could cause a denial-of-service condition in the web server application on the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided below. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

MicroLogix™ 1400 B/C v. 21.007 and below
MicroLogix™ 1400 A v. 7.000 and below
MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the webserver of the Micrologix-1400 B PLC contains a vulnerability that may lead to a denial-of-service condition. The security vulnerability could be exploited by an attacker with network access to the affected systems by sending TCP packets to webserver and closing it abruptly which would cause a denial-of-service condition for the web server application on the device.

(CVE 2022-3166) MicroLogix Controllers Vulnerable to Clickjacking Attack

CVSS Base Score: 7.5 /10 (High)

 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.

Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device)
Configure firewalls to disallow network communication through HTTP/Port 80
Upgrade to the MicroLogix 800 or MicroLogix 850 as this device does not have the web server component

If applying the mitigations noted above are not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

Additional Resources

CVE-2022-3166 JSON

High

PN1612 | MicroLogix 1100 and 1400 Web Server Application Vulnerable to Cross Site Scripting Attack

Published Date:

December 13, 2022

Last Updated:

October 16, 2024

Products:

1763 MicroLogix 1100, 1766 MicroLogix 1400

CVSS Scores (v3.1):

8.2

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

Yes

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – December 13, 2022

Executive Summary

Rockwell Automation received a vulnerability report from a security researcher from Georgia Institute of Technology. If exploited, this vulnerability could allow an attacker to submit remote code in the web server application on the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided below. We have not received any notice of this vulnerability previously being exploited in Rockwell Automation products.

Affected Products

MicroLogix™ 1400 B/C v. 21.007 and below
MicroLogix™ 1400 A v. 7.000 and below
MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the MicroLogix 1100 and 1400 controllers contain a vulnerability that may give an attacker the ability to accomplish remote code execution. The vulnerability is an unauthenticated stored cross-site scripting vulnerability in the embedded webserver. The payload is transferred to the controller over SNMP and is rendered on the homepage of the embedded website.

(CVE 2022-46670) MicroLogix Controllers Vulnerable to Cross-Site Scripting Attack

CVSS Base Score: 8.2 /10 (High)

 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.

Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device).
Configure firewalls to disallow network communication through HTTP/Port 80
Upgrade to the Micro800 family as this device does not have the web server component.

If applying the mitigations noted above are not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

Additional Resources

CVE-2022-46670 JSON

High

PN1609 | Logix Controllers Vulnerable to Denial-of-Service Attack

Published Date:

December 06, 2022

Last Updated:

October 16, 2024

CVE IDs:

CVE-2022-3752

Products:

1756-L83ES, Standard Controllers, 1756-L84ES, 1756-L81ES, 5069 CompactLogix, 1756-L82ES, 5069 Compact GuardLogix 5380

CVSS Scores (v3.1):

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – December 6, 2022

Executive Summary

Rockwell Automation discovered a vulnerability within our Logix Controllers. This vulnerability may allow an unauthorized user to cause a denial of service on a targeted device. Customers using affected versions of this firmware are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

CompactLogix 5380 controllers
Compact GuardLogix® 5380 controllers
CompactLogix 5480 controllers
ControlLogix 5580 controllers
GuardLogix 5580 controllers

Vulnerability Details

CVE-2022-3752 Rockwell Automation Logix Controllers are Vulnerable to a Denial-of-Service Attack
An unauthorized user could use a specially crafted sequence of Ethernet/IP messages, combined with heavy traffic loading to cause a denial-of-service condition resulting in a major non-recoverable fault. If the target device becomes unavailable, a user would have to clear the fault and redownload the user project file to bring the device back online and continue normal operation.

CVSS v3.1 Base Score: 8.6/10[HIGH]

 CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.

Products Affected	First Known Version Affected	Corrected In
CompactLogix 5380 Compact GuardLogix 5380 ControlLogix 5580 GuardLogix 5580	This vulnerability is present in firmware version 31.011 and later	This issue has been mitigated in the following firmware versions: 32.016 and later for versions 32 33.015 and later for versions 33 34.011 and later Customers should upgrade to a version listed above to mitigate this vulnerability
CompactLogix 5480	This vulnerability is present in firmware version 32.011 and later

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines Article in our Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

ADDITIONAL LINKS

Medium

PN1608 | FactoryTalk Live Data Communication Module Vulnerable to Man-In-The-Middle Attack

Published Date:

December 01, 2022

Last Updated:

October 16, 2024

Products:

LiveData

CVSS Scores (v3.1):

5.9

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

Yes

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – December 1, 2022

Executive Summary

Rockwell Automation received a report from Guidepoint Security regarding a security vulnerability discovered within the FactoryTalk® Live Data Communication Module contained within the FactoryTalk Services Platform. Due to the use of a cleartext protocol in this module, malicious actors could conduct Address Resolution Protocol spoofing resulting in loss of integrity of the traffic. This could allow the attacker to view and modify unauthorized packets and potentially deceive the user into seeing false data on the human machine interface.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the issue, including affected products and recommended countermeasures, are provided.

Affected Products

FactoryTalk LiveData Communication Module (Contained within FactoryTalk Services Platform) - All versions

Vulnerability Details

FactoryTalk LiveData Communication Module vulnerable to man-in-the-middle attack
An unauthenticated attacker with network access can accomplish a man-in-the-middle attack utilizing the clear text protocol of the FactoryTalk LiveData Communication Module and modify traffic leading to a complete loss of integrity for the products affected by the vulnerability. This condition could result in the operator at the human machine interface seeing manipulated data on the screen potentially breaking the integrity of the data that is seen.

CVSS v3.1 Base Score: 5.9/10[MEDIUM]

 CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Risk Mitigation & User Action

Customers using the affected software are encouraged to setup the secondary mitigation as described below that addresses the associated risk. Customers are also directed towards general risk mitigation strategies provided in the QA43240 - Recommended Security Guidelines from Rockwell Automation in our Knowledgebase.

Suggested Actions

Customers should setup IPsec to mitigate this issue as detailed in the QA46277 - Deploying FactoryTalk Software with IPsec Knowledgebase article.

General Security Guidelines

If customers are unable to implement IPsec, it is recommended that the below guidelines be adhered to as they provide strong mitigations against this type of attack.

Network-based Vulnerability Mitigations for Embedded Products

Utilize proper network infrastructure controls to help ensure that unused or unnecessary protocols from unauthorized sources are blocked. For more information on TCP/UDP ports and protocols used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCPUDP Ports Used by Rockwell Automation Products.
Locate control system networks and devices behind firewalls and isolate them from the business network.
Consult the product documentation for specific features, (e.g. hardware keyswitch settings) which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances.

General security guidelines can be found in the QA43240 - Recommended Security Guidelines from Rockwell Automation in our Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

PN1354 - Industrial Security Advisory Index

Critical

PN1576 | PN1576 | FactoryTalk® Activation Manager and Studio 5000 Logix Designer® contain Wibu Codemeter vulnerabilities.

Published Date:

November 17, 2022

Last Updated:

November 17, 2022

CVE IDs:

CVE-2021-20094, CVE-2021-20093, CVE-2021-41057

Products:

FactoryTalk Activation, RSLogix 5000 / Studio 5000 Logix Designer

CVSS Scores:

7.5, 9.1

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – August 6, 2021

Revision History

Revision Number

2.0

Revision History

Version 2.0 - August 11, 2021 – Removed modified score

Revision History

Revision Number

3.0

Revision History

Version 3.0 – November 22, 2022

Executive Summary

Rockwell Automation is impacted by advisory ICSA-21-210-02 which contains two vulnerabilities targeting Wibu-Systems AG. These vulnerabilities impact FactoryTalk^® Activation Manager and Studio 5000 Logix Designer^®. If successfully exploited, these vulnerabilities may allow the reading of data from the heap of the CodeMeter Runtime network server or result in a crash of the CodeMeter Runtime Server (i.e., CodeMeter.exe).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk® Activation Manager v4.00 to v4.05.02
- Includes Wibu-Systems AG CodeMeter v7.20a and earlier
Studio 5000 Logix Designer® v23.00.01 to v33.00.02

Vulnerability Details

CVE-2021-20093: CWE-126

FactoryTalk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems AG CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime Network Server to send back packets containing data from the heap.

Wibu-Systems AG score:

CVSS v3.1 Base Score: 9.1/10 Critical
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2021-20094: CWE-126

Factory Talk Activation Manager and Studio 5000 Logix Designer: An issue exists in the Wibu-Systems CodeMeter Runtime that allows a remote, unauthenticated attacker to send a specially crafted packet, which could result in crashing the server or direct the CodeMeter Runtime CmWAN server to send back packets containing data from the heap

Wibu-Systems AG score:

CVSS v3.1 Base Score: 7.5/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

-------------------UPDATE: 22 Nov 2022----------------------

CVE-2021-41057: CWE-269

A local attacker could cause a Denial of Service by overwriting existing files on the affected system.

Wibu-Systems AG Score:
CVSS V3.1 Base Score: 7.1/10 HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Risk Mitigation & User Action

Customers using the affected FactoryTalk® Activation Manager and/or Studio 5000 Logix Designer® are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability	Suggested Actions
CVE-2021-20093	Update to Factory Talk Activation Manager 4.05.03 or later For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center, Standard Views -> Software Latest Versions -> FactoryTalk Activation
CVE-2021-20094	Update to Factory Talk Activation Manager 4.05.03 or later
CVE-2021-41057	Update to Factory Talk Activation Manager 4.06.11 or later

Customers may update Wibu-Systems CodeMeter independently for FactoryTalk Activation Manager or Studio 5000 Logix Designer® by installing Wibu-Systems CodeMeter AG v7.30a. Please refer to this support page to determine if Wibu-Systems CodeMeter AG v7.30a is compatible with the installed versions of Rockwell Automation software.

During installation, Rockwell Automation products bind CodeMeter Runtime to the Local Host adapter and the Network Server and CmWAN Server ports are disabled. Therefore, if the default installation is not modified, Rockwell Automation software is not susceptible to these vulnerabilities over a network connection. Default port 22350 is required if activation licenses are hosted from the machine.

Customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

General Security Guidelines

Utilize proper network infrastructure controls, such as firewalls, to help ensure that Wibu CodeMeter Network Server and CmWAN Server (Default Port# 22350/TCP and 22351/TCP) are blocked from unauthorized sources.

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to UDP Port# 2222 (CIP), TCP/UDP Port# 44818 (CIP), and TCP/UDP Port# 2221 (CIP Security) using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
Locate control system networks and devices behind firewalls and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Critical

PN1508 | Treck Ripple20 TCP/IP Vulnerabilities Affect Multiple Rockwell Automation Products

Published Date:

November 01, 2022

Last Updated:

August 15, 2025

CVE IDs:

CVE-2020-11914, CVE-2020-11910, CVE-2020-11901, CVE-2020-11907, CVE-2020-11911, CVE-2020-11912, CVE-2020-25066, CVE-2020-11906

Products:

Flex I/O, 1408 PowerMonitor 1000, 1732E ArmorBlock I/O, 1426 PowerMonitor 5000

CVSS Scores (v3.1):

9.8, 9.1, 5.0, 3.7, 3.1

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Revision Number

8.0

Revision History

Version 8.0 - Ausgust 15, 2025 Updated Kinetix vulnerability discrepancies

Version 7.0 - August 8, 2025 Updated affected products list and user actions

Version 6.0 – August 13, 2024. Updated affected products list and user actions

Version 5.0 – November 1, 2022. Added patch information for additional products
Version 4.0 – May 17, 2022. Updated patch information for PowerFlex 755T and 6000T
Version 3.0 – February 9, 2021. Updated for ICSA-20-353-01.
Version 2.1 - January 13, 2021. Updated to reflect additional disclosure.
Version 2.0 - July 15, 2020. Updated table to reflect affected products and versions.
Version 1.0 - June 16, 2020. Initial Release.

Executive Summary

Treck, a real-time embedded Internet Protocol software vendor, reported several vulnerabilities (named "Ripple20") to Rockwell Automation that were discovered by security researchers at JSOF, a security vendor and research organization. The embedded TCP/IP stack (versions earlier than 6.0.1.66) from Treck is used by many different technology vendors including Rockwell Automation. These vulnerabilities, if successfully exploited, may result in remote code execution, denial-of-service, or sensitive information disclosure.

Begin Update 3.0
On December 18, 2020, Treck reported four additional vulnerabilities that were discovered by security researchers at Intel. The following components of the embedded TCP/IP stack (versions 6.0.1.67 and prior) are affected: HTTP Server, IPv6, and DCHPv6. These vulnerabilities, if successfully exploited, may result in denial-of-service conditions or remote code execution.
End Update 3.0

Since this disclosure is part of a large multi-party coordination effort with the CERT/CC

and ICS-CERT, not every vulnerability reported by Treck impacts Rockwell Automation. Please see the table under Affected Products for a full list of the affected Rockwell Automation products and the corresponding CVE ID.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

Affected Product Family

Affected Versions

CVE-2020-XXXXX

11896

11897

11898

11899

11900

11901

11902

11903

11904

11905

11906

11907

11908

11909

11910

11911

11912

11913

11914

5094-AEN2SFPR/XT
5094-AEN2TR/XT
5094-AENSFPR/XT
5094-AENTR/XT

1.011-4.011

X

5069-AENTR

3.011-4.011

X

1734-AENT/R

4.001- 6.012

X

1738-AENT/R

4.001- 6.012

X

1732E-16CFGM12R
1732E-8X8M12DR
1732E-IB16M12DR
1732E-IB16M12R
1732E-OB16M12DR
1732E-OB16M12R

2.011-2.012

X

1791ES-ID2SSIR

1.001

1799ER-IQ10XOQ10

2.011

X

1794-AENTR/XT

1.011-1.017

X

1732E-12X4M12QCDR
1732E-16CFGM12QCR
1732E-16CFGM12QCWR
1732E-12X4M12P5QCDR
1732E-16CFGM12P5QCR

1.011-1.015

X

1732E-16CFGM12P5QCWR

1.011-2.011

X

PowerMonitor^™ 5000

4.19

X

PowerMonitor 1000

4.10

X

ArmorStart^®ST+ Motor Controller

1.001

X

Kinetix® 5500

All*

X

Kinetix® 5700

All*

X

Kinetix® 5100

1.001

X

PowerFlex 755T
PowerFlex 6000T

All*

X

CIP Safety^™ Encoder

All*

X

Begin Update 3.0:

Affected Product Family	Affected Versions	CVE
1734-AENT/R	4.001- 6.012	CVE-2020-25066
1738-AENT/R	4.001- 6.012	CVE-2020-25066
1794-AENTR 1794-AENTR/XT	1.011- 1.017	CVE-2020-25066
1732E-16CFGM12R 1732E-8X8M12DR 1732E-IB16M12DR 1732E-IB16M12R 1732E-OB16M12DR 1732E-OB16M12R	2.011-2.012	CVE-2020-25066
1799ER-IQ10XOQ10	2.011	CVE-2020-25066
1732E-12X4M12QCDR 1732E-16CFGM12QCR 1732E-16CFGM12QCWR 1732E-12X4M12P5QCDR 1732E-16CFGM12P5QCR	1.011-1.015	CVE-2020-25066
1732E-16CFGM12P5QCWR	1.011-2.011	CVE-2020-25066
PowerMonitor^™ 5000	4.19	CVE-2020-25066
PowerMonitor 1000	4.10	CVE-2020-25066

End Update 3.0

Begin Update 6.0

Affected Product Family

Affected Versions

CVE

PowerFlex 527

all

CVE-2020-25066

End Update 6.0

Vulnerability Details

Begin Update 3.0:
CVE-2020-25066
A vulnerability in the Treck HTTP Server components allow an attacker to cause denial-of-service condition. This vulnerability may also result in arbitrary code execution.

CVSSv3.1 Score: 9.8/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
End Update 3.0

CVE-2020-11901
There is an improper input validation issue in the DNS resolver component when handling a sent packet. A remote, unauthenticated attacker may be able to inject arbitrary code on the target system using a maliciously crafted packet.

CVSSv3.1 Score: 9.1/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2020-11906
There is an improper input validation issue in the Ethernet Link Layer component. An adjacent, unauthenticated attacker can send a malicious Ethernet packet that can trigger an integer underflow event leading to a crash or segment fault on the target device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11907
There is an improper handling of length parameter consistency issue in the TCP component. A remote, unauthenticated, attacker can send a malformed TCP packet that can trigger an integer underflow event leading to a crash or segmentation fault on the device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11910
There is an improper input validation issue in the ICMPv4 component. A remote, unauthenticated attacker can send a malicious packet that may expose data present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11911
There is an improper access control issue in the ICPMv4 component. A remote, unauthenticated attacker can send a malicious packet that can lead to higher privileges in permissions assignments for some critical resources on the destination device.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2020-11912
There is an improper input validation issue in the IPv6 component. A remote, unauthenticated attacker can send a malicious packet that may expose some data that is present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11914
There is an improper input validation issue in the ARP component. An unauthenticated, local attacker can send a malicious Layer-2 ARP packet that could lead to unintended exposure of some sensitive information on the target device.

CVSSv3.1 Score: 3.1/LOW
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Update 2.1: Rockwell Automation is aware of the additional Treck TCP/IP Stack vulnerabilities disclosed (ICSA-20-353-01). Potential impact of these vulnerabilties is currently being investigated and this advisory will be updated when the investigation concludes.

Risk Mitigation & User Action

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.

CVE

Suggested Actions

CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912
CVE-2020-11914

For successful exploitation, these vulnerabilities require malformed TCP/IP packets to reach the destination device and an active network connection. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies.

The CERT/CC has provided IDS rules to support additional mitigations for these vulnerabilities. These rules can be found on their Github page.

ICS-CERT has provided additional network mitigations in their public disclosure.

Begin Update 3.0:

CVE	Suggested Actions
CVE-2020-25066	Follow suggested actions above and, when possible, implement firewall rules to filter out packets that contain a negative content length in the HTTP header. ICS-CERT has provided additional network mitigations in their public disclosure.

End Update 3.0

Available Fixes:

Update 8.0 August 15, 2025

CVE

Affected Product

Suggested Actions

CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912

1794-AENTR/XT

Apply firmware v2.011 or later

(Download).

CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912

1738-AENT

1738-AENTR

Apply firmware v6.011 or later

(Download).

CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912

1734-AENT/K

1734-AENTR/K

Apply firmware

-v5.019 or later for series B

(Download).

-v7.011 or later for series C

(Download).

CVE-2020-11901
CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912

5069-AENTR

Apply firmware v4.012 or later (Download).

CVE-2020-11901

CVE-2020-11906

CVE-2020-11907

CVE-2020-11910

CVE-2020-11911

CVE-2020-11912

5094-AEN2SFPR/XT

5094-AEN2TR/XT

5094-AENSFPR/XT

5094-AENTR/XT

Apply firmware v5.012 or later (Download).

CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912

Kinetix 5700

Apply v13 or later (Download).

CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912

Kinetix 5500

Apply v7.013 or later

(Download).

CVE-2020-11906
CVE-2020-11907
CVE-2020-11910
CVE-2020-11911
CVE-2020-11912

Kinetix 5100

Apply v3.001 or later

(Download).

CVE-2020-11901

CVE-2020-11906

CVE-2020-11907

CVE-2020-11910

CVE-2020-11911

CVE-2020-11912

PowerFlex 755T

PowerFlex 6000T

Apply 6.005 or later for PF755T. Apply R8 or later for PF6000T. (Download)

End Update 8.0 August 15, 2025

Update 7.0 August 7, 2025

CVE

Affected Product Family

Suggested Actions

CVE-2020-25066

1734-AENT/K

1734-AENTR/K

Apply firmware

-v5.019 or later for series B

-v7.011 or later for series C

1738-AENT

1738-AENTR

Apply firmware v6.011 or later

1794-AENTR/XT

Apply firmware v2.011 or later

1732E-16CFGM12R

1732E-8X8M12DR

1732E-IB16M12DR

1732E-IB16M12R

1732E-OB16M12DR

1732E-OB16M12R

Apply firmware 3.011 or later.

1799ER-IQ10XOQ10

Apply firmware 3.011 or later.

1732E-12X4M12QCDR

1732E-16CFGM12QCR

1732E-16CFGM12QCWR

1732E-12X4M12P5QCDR

1732E-16CFGM12P5QCR

Apply firmware 3.011 or later.

1732E-16CFGM12P5QCWR

Apply firmware 3.011 or later.

End Update 7.0

Update Begin 6.0

CVE-2020-25066

PowerFlex 527

Follow suggested actions above

and, when possible, implement

firewall rules to filter out packets

that contain a negative content

length in the HTTP header.

End Update Begin 6.0

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Utilize proper network infrastructure controls, such as firewalls, to help ensure that ICMPv4, TCP, ARP and DNS traffic originating from unauthorized sources is blocked.
Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.

Software/PC-based Mitigation Strategies

Use of Microsoft^® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation^® products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations
Use trusted software, software patches antivirus/antimalware programs and interact only with trusted websites
and attachments.

Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

PN1607 | PN1607 | New Open SSL Vulnerability

Published Date:

October 31, 2022

Last Updated:

October 31, 2022

Products:

FactoryTalk View

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Executive Summary

Rockwell Automation is aware of and currently monitoring the Open SSL vulnerability that was initially announced on Tuesday, October 25th. On Tuesday, November 1st the full vulnerability details were disclosed, and a patch was made available by the vendor. As part of our commitment to transparency and to protecting our customers’ security, we are evaluating all Rockwell products for this third-party vulnerability. If any products are affected by this vulnerability, we will provide an update to this notification. We look forward to working with our customers to satisfy any concerns they may have.

High

PN1601 | PN1601 | Stratix Products Vulnerable to Multiple Vulnerabilities

Published Date:

October 27, 2022

Last Updated:

October 27, 2022

CVE IDs:

CVE-2020-3209, CVE-2020-3200, CVE-2021-1385, CVE-2020-3516, CVE-2021-1446

Products:

Stratix 5400 Industrial Ethernet Switch, Stratix 5800 Switch, Stratix 5410 Ind Distribution Switch

CVSS Scores:

6.8, 7.2, 8.8, 6.5, 7.7, 8.6, 4.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.0 –October 27,2022

Executive Summary

Rockwell Automation is aware of multiple vulnerabilities that impact Cisco IOS® XE and Cisco IOS software contained within Stratix® devices. Exploitation of these vulnerabilities could potentially lead to, but are not limited to, a denial-of-service condition and remote code execution.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

Stratix 5800 Switches
Stratix 5400/5410 Switches

Vulnerability Details

CVE 2020-3229 - Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
CVSS Base Score 8.8/10 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The administrator GUI lacks correct handing of RBAC, which may allow a malicious user to send modified HTTP requests to the targeted device. If exploited, a read-only remote attacker could potentially execute commands or configuration changes as the administrator user.

CVE 2020-3219 - Cisco IOS XE Software Web UI Command Injection Vulnerability
CVSS Base Score 8.8/10 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Due to insufficient validation of user input, this vulnerability could allow a malicious user to inject custom input into the web UI. If exploited, a remote attacker could potentially execute arbitrary code with administrative privileges on the operating system.

CVE-2021-1446 - Cisco IOS XE Software DNS NAT Protocol Application Layer Gateway Denial-of-Service Vulnerability
CVSS Base Score 8.6/10 (High)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

A vulnerability in the DNS application layer gateway (ALG) functionality used by Network Address Translation (NAT) in Cisco IOS XE software could allow an unauthenticated, remote attacker to cause an affected device to reload.

CVE 2020-3200 - Cisco IOS and IOS XE Software Secure Shell Denial-of-Service Vulnerability
CVSS Base Score 7.7/10 (High)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

A vulnerability in the Secure Shell (SSH) server code of Cisco IOS software and Cisco IOS XE software could allow an authenticated, remote attacker to cause an affected device to reload.

CVE 2020-3211 - Cisco IOS XE Software Web UI Command Injection Vulnerability
CVSS Base Score 7.2/10 (High)
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Due to improper input sanitization, this vulnerability could allow a malicious user with administrative privileges to submit specially crafted input in the web UI. If exploited, a remote attacker could potentially execute arbitrary commands with root privileges on the operating system.

CVE 2020-3218 - Cisco IOS XE Software Web UI Remote Code Execution Vulnerability
CVSS Base Score 7.2/10 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Due to improper validation of user supplied input, a malicious user could potentially create a file on the target device and upload a second malicious file to the device. If exploited, a user could execute arbitrary code with root privileges on the underlying Linux shell.

CVE-2020-3209 - Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability
CVSS Base Score 6.8/10 (Medium)
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The root cause of this vulnerability is an improper check on the area code that manages the verification of the digital signatures of the system files during the initial boot process. If exploited, a malicious user could potentially install and boot malicious software image or execute unsigned binaries on the targeted device. A malicious user could exploit this vulnerability by loading unsigned software on the affected device.

CVE-2021-1385 - Cisco IOx Application Environment Path Traversal Vulnerability
CVSS Base Score 6.5/10 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

A vulnerability in the Cisco IOx application hosting environment of multiple Cisco platforms could allow an authenticated, remote attacker to conduct directory traversal attacks and read and write files on the underlying operating system or host system.

CVE 2020-3516 – Cisco IOS XE Software Web UI Improper Input Validation Vulnerability
CVSS Base Score 4.3/10 (Medium)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

A vulnerability in the web server authentication of Cisco IOS XE Software could allow an authenticated, remote attacker to crash the web server on the device.

Risk Mitigation & User Action

This vulnerability has been addressed in newer versions of the Stratix 5800 switch. Customers are also directed towards the risk mitigations provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Products Affected	Vulnerabilities	Suggested Actions
Stratix 5800 switches	CVE-2020-3209	Update to Stratix 5800 v.17.04.01 or later
	CVE 2020-3211
	CVE 2020-3218
	CVE 2020-3229
	CVE 2020-3219
	CVE-2020-3516
	CVE 2021-1385
	CVE-2021-1446
Stratix 5800 switches	CVE-2020-3200	Update to v16.12.01 or later
Stratix 5400/5410 switches	CVE-2020-3200	Update to v15.2(7)E2 or later

Additionally, please see our Knowledgebase article, QA43240 - Recommended Security Guidelines from Rockwell Automation, for additional recommendations to maintain the security posture of your environment.

References

High

PN1605 | FactoryTalk Alarm and Events Server Vulnerable to Denial-Of-Service Attack

Published Date:

October 27, 2022

Last Updated:

October 16, 2024

CVE IDs:

CVE-2022-38744

Products:

FactoryTalk View SE, Studio 5000 View Designer

CVSS Scores (v3.1):

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

Yes

More Details Less Details

Revision History

Version 1.0 – October 27, 2022

Executive Summary

Rockwell Automation received a report from Kaspersky Labs regarding one vulnerability in FactoryTalk® Alarms and Events servers. If successfully exploited, these vulnerabilities may result in a denial-of-service condition causing the server to be unavailable.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided.

Affected Products

FactoryTalk Alarms and Events server – All versions

Vulnerability Details

CVE-2022-38744 FactoryTalk Alarm and Events server vulnerable to denial-of-service attack
An unauthenticated attacker with network access to a victim's FactoryTalk service could open a connection, causing the service to fault and become unavailable. The affected port can be used as a server ping port and use messages structured with XML.

CVSS v3.1 Base Score: 7.5/10[MEDIUM]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to set up the secondary mitigation as described below that addresses the associated risk. Customers are also directed towards general risk mitigation strategies provided in QA43240 - Recommended Security Guidelines from Rockwell Automation , in our Knowledgebase.

Vulnerability	Suggested Actions
CVE-2022-38744	Customers should set up IPsec to mitigate this issue as detailed in QA46277 - Deploying FactoryTalk Software with IPsec

General Security Guidelines

General security guidelines can be found in QA43240 - Recommended Security Guidelines from Rockwell Automation .

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

Critical

PN1606 | PN1606 | Factory Talk VantagePoint Software Broken Access Control and Input Validation Vulnerability

Published Date:

October 07, 2022

Last Updated:

October 07, 2022

CVE IDs:

CVE-2022-3158, CVE-2022-38743

Products:

FactoryTalk Linx OPC UA Connector

CVSS Scores:

9.9

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 06,2022

Executive Summary

Rockwell Automation is aware of a broken access control and input validation vulnerability. If exploited, this vulnerability could potentially lead to a high impact on the confidentiality, a low impact on the integrity, and the availability of FactoryTalk® VantagePoint® software.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

FactoryTalk VantagePoint software v. 8.0, 8.10, 8.20, 8.30, 8.31

Vulnerability Details

CVE 2022-38743 FactoryTalk VantagePoint Software Broken Access Control Vulnerability
As a part of our commitment to security, Rockwell Automation performs routine testing and vulnerability scanning to maintain the security posture of products. Due to penetration testing, we discovered a broken access control vulnerability. The FactoryTalk VantagePoint SQLServer account could allow a malicious user with read-only privileges to execute SQL statements in the back-end database.

CVE 2022-38743
CVSS Base Score: 9.9/10 (Critical)
CVSS:3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE 2022-3158 FactoryTalk VantagePoint Software Input Validation Vulnerability
Additionally, the device lacks input validation when users enter SQL statements to retrieve information from the back-end database. This vulnerability could potentially allow a user with basic user privileges to perform remote code execution on the server.

CVE 2022-3158
CVSS Base Score: 9.9/10 (Critical)
CVSS:3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are encouraged to apply the following configurable risk mitigations to help reduce the risk associated with this vulnerability. We also recommend customers combine risk mitigations with security best practices to employ a defense in depth approach.

Mitigation A	Update to FactoryTalk VantagePoint V8.00/8.10/8.20/8.30/8.31 or later. BF28452 - Patch: Multiple issues, FactoryTalk VantagePoint 8.00/8.10/8.20/8.30/8.31
Mitigation B	If customers are unable to update the firmware, we suggest customers configure the database to follow the least privilege principle.

Additional Links

High

PN1595 | PN1595 | OpenSSL Infinite Loop in Rockwell Automation Products

Published Date:

September 23, 2022

Last Updated:

January 28, 2025

CVE IDs:

CVE-2022-0778

CVSS Scores:

7.5, 4.9

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Revision History

Version 1.2 - 28-Jan-2025, Updated Impacted Products (Stratix 4300)

Version 1.1 – 8-Sept-2022, Updated Suggested Actions

Executive Summary

Rockwell Automation received a report on a new vulnerability within OpenSSL, which is used within some of our products. This vulnerability can lead to a denial-of-service within the affected products if successfully launched by an attacker.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

ThinManager® software (Versions 12.0.0 - 12.0.2, 12.1.0 - 12.1.3)
FactoryTalk® Linx Gateway (Version 6.30 and earlier)
Factory Talk Linx OPC UA Connector (Version 6.30 and earlier)
Factory Talk View (Version 11.00 - Version 13.00)
Stratix 4300 (Versions 4.0.1.117 and earlier)

Vulnerability Details

CVE-2022-0778 Open SSL allows for an infinite loop

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2022-0778 Open SSL allows for an infinite loop (*This CVE score only applies to ThinManager)

This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial-of-service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.

Administrator privileges are needed for this attack to be successful on ThinManager Software.

CVSS v3.1 Base Score: 4.9/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Products Affected	Suggested Actions
ThinManager	This issue has been patched. Customers should follow the patch instructions as follows: If using v12.0.0-12.0.2 >> Download v12.0.3 If using v12.1.0-12.1.3 >> Download v12.1.4
Factory Talk Linx Gateway	Customers should view BF28103 - Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.
Factory Talk Linx OPC UA Connector	Customers should view BF28103 - Everyone Patch: OpenSSL Vulnerability, OPC UA Connector 6.20, 6.21, 6.30 to install the update that mitigates the issue.
Factory Talk View	Customers should view BF28297 - Patch: Open SSL Vulnerability, FactoryTalk View 11.0, 12.0, 13.0 to install the update that mitigates the issue.
Stratix 4300	The issue has been patched. Customers should upgrade to v4.0.2.101 Download Center

If an upgrade is not possible or available, customers should consider implementing the following mitigations:

Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Additional Links

High

PN1604 | PN1604 | ThinManager Software Vulnerable to Arbitrary Code Execution and Denial-Of-Service Attack

Published Date:

September 22, 2022

Last Updated:

September 22, 2022

CVE IDs:

CVE-2022-38742

Products:

ThinManager

CVSS Scores:

8.1

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.0 – September 22, 2022 – Initial Version

Executive Summary

A vulnerability was discovered by rgod working with Trend Micro’s Zero Day Initiative and reported to Rockwell Automation. The vulnerability was discovered in the ThinManager® ThinServer™ software. Successful exploitation of this vulnerability could allow an attacker to make the software unresponsive or execute arbitrary code.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including recommended countermeasures, are listed below.

Affected Products

ThinManager ThinServer software	Versions
	11.0.0 – 11.0.4
	11.1.0 – 11.1.4
	11.2.0 – 11.2.5
	12.0.0 – 12.0.2
	12.1.0 – 12.1.3
	13.0.0

Vulnerability Details

CVE 2022-38742 ThinManager ThinServer Heap-Based Overflow

CVSS Base Score: 8.1 /10 (High)
CVSS 3.1 Vector String: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

In affected versions, an attacker can send a specifically crafted TFTP or HTTPS request causing a heap-based buffer overflow that crashes the ThinServer process. This potentially exposes the server to arbitrary remote code execution.

Risk Mitigation & User Action

Customers are directed towards the risk mitigations provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

CVE-2022-38742	Versions Affected	Suggested Actions
	11.0.0 – 11.0.4	Update to v11.00.05
	11.1.0 – 11.1.4	Update to v11.01.05
	11.2.0 – 11.2.5	Update to v11.02.06
	12.0.0 – 12.0.2	Update to v12.00.03
	12.1.0 – 12.1.3	Update to v12.01.04
	13.0.0	Update to v13.00.01

Additional Mitigations

If users are unable to update to the patched version, they should put the following mitigation in place:

Block network access to the ThinManager TFTP and HTTPS ports from endpoints other than ThinManager managed thin clients

For additional security best practices, please see our Knowledgebase article,QA43240 - Security Best Practices, to maintain the security posture of your environment.

References

CVE-2022-38742

Critical

PN1603 | PN1603 | KEPServer Enterprise Vulnerable to Remote Code Execution and Denial-of-Service Attack

Published Date:

September 01, 2022

Last Updated:

September 01, 2022

CVE IDs:

CVE-2022-2825, CVE-2022-2848

Products:

Kepserver Enterprise

CVSS Scores:

9.1, 9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.0 – September 1, 2022 – Initial Version

Executive Summary

Rockwell Automation was notified by ICS-CERT of vulnerabilities discovered in Kepware® KEPServerEX, which affects the Rockwell Automation KEPServer Enterprise. Successful exploitation of these vulnerabilities could allow an attacker to crash the device or remotely execute arbitrary code.

Customers using the products in scope are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details are provided relating to the discovered vulnerabilities, including recommended countermeasures.

Affected Products

KEPServer Enterprise – All versions prior to v13.01.00

Vulnerability Details

CVE 2022-2848 KEPServer Enterprise Heap-Based Overflow
CVSS Base Score: 9.1 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Specifically crafted OPC UA messages transmitted to the server could allow an attacker to crash the server and
leak data.

CVE 2022-2825 KEPServer Enterprise Stack-Based Overflow
CVSS Base Score: 9.8 /10 (Critical)
CVSS 3.1 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Specifically crafted OPC UA messages transmitted to the server could allow an attacker to crash the server and remotely execute code.

Risk Mitigation & User Action

Vulnerability	Suggested Actions
CVE-2022-2848	Customers should update to version 13.01.00 which mitigates these issues
CVE-2022-2825

If a customer is unable to update to the mitigated version, it is suggested that Security Best Practices are followed as outlined in our Knowledgebase article, QA43240 - Security Best Practices.

General Security Guidelines

References

CVE-2022-2848
CVE-2022-2825
ICSA-22-242-10 Advisory

Medium

PN1598 | PN1598 | CVE 2022-1096 Chromium Type Confusion Vulnerability Impact Multiple Products

Published Date:

August 26, 2022

Last Updated:

August 26, 2022

CVE IDs:

CVE-2022-1096

Products:

Using CCW with PanelView Component Terminals, FactoryTalk Linx Gateway, FactoryTalk View SE, Installing CCW, FactoryTalk Linx / RSLinx Enterprise, PowerFlex 6000, Using CCW with Micro800 Controllers, Using CCW with Component Class Drives

CVSS Scores:

4.0

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Reference

CVE 2022-1096

Revision History

Revision Number

1.1

Revision History

Version 1.0 – July 12, 2022
Version 1.1 – August 26, 2022 Updated FT View Site Edition Mitigation Instructions

Executive Summary

Rockwell Automation is aware of multiple products that use the Chromium web browser and are affected by CVE 2022-1096, which is a zero day type confusion vulnerability. Exploitation of this vulnerability could potentially lead to a low impact to the availability of the targeted device. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Customers using the products in scope are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerabilities including recommended countermeasures, are provided.

Affected Products

Product in Scope	Vulnerable Component
FactoryTalk^® Linx Enterprise software v6.20, 6.21, and 6.30	V6.21	CefSharp v73.1.130 (EIPCACT feature)
	V6.30	CefSharp v91.1.230 (EIPCACT feature)
	v6.20	CefSharp v73.1.130 (Device Config feature)
	v6.21	CefSharp v73.1.130 (Device Config feature
	v6.30	CefSharp v73.1.130 (Device Config feature
Enhanced HIM (eHIM) for PowerFlex^® 6000T drives v1.001	Electron v4.2.12
Connected Components Workbench^™ software v11, 12,13 & 20 Note: Drives Trending 1.00.00 and 2.00.00 uses Connected Components Workbench	Cefsharp V81.3.100
FactoryTalk Link Gateway software v6.21 and v6.30	v6.21	CefSharp v73.1.130
FactoryTalk Link Gateway software v6.21 and v6.30	v6.30	CefSharp v91.1.230
FactoryTalk View Site Edition software v.13.0	WebView2 v96.0.1054.43

Vulnerability Details

Rockwell Automation has been made aware of a third-party vulnerability that is present in multiple vendor components, which our products use. Due to the way Rockwell Automation uses the Chromium web browser, exploitation of this vulnerability may cause the vulnerable products to become unavailable temporarily. As a result, we adjusted the CVSS Score to reflect how this vulnerability affects our products.

CVE 2022-1096 Chromium Web Browser Type Confusion Vulnerability
CVSS Base Score: 4.0 /10 (Medium)
CVSS 3.1 Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated firmware becomes available.

For customers using the FactoryTalk View Site Edition follow the recommended actions to address the vulnerability:

Do not use the FactoryTalk View SE web browser control if it is not required for the intended use of the product.
Customers utilizing the SE Web Browser can manually download and apply the newer version of WebView2 by using the following directions:
- Replace the Microsoft® msedgewebview2.exe file that is saved in the C:Program Files (x86)Rockwell SoftwareRSView EnterpriseMicrosoft.WebView2.FixedVersionRuntime by copying and pasting the new version of the software into the folder.
- DO NOT remove the contents of the folder before pasting the new file.

For customers using the Enhanced HIM (eHIM) for Power Flex 6000T drives follow the recommended actions to address the vulnerability:

Update the Microsoft Edge browser to Version 99.0.1150 or later. Additionally, apply the update for eHIM when it becomes available to mitigate the vulnerability.

If applying the mitigations, noted above, is not possible please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

Critical

PN1550 | PN1550 | CVE-2021-22681: Authentication Bypass Vulnerability Found in Logix Controllers

Published Date:

July 20, 2022

Last Updated:

July 20, 2022

CVE IDs:

CVE-2021-22681

Products:

SoftLogix5800, 1794 FlexLogix, 1756 ControlLogix, 1769 CompactLogix Controllers, 1769 Compact GuardLogix 5370, 1768 CompactLogix Controllers, 5069 Compact GuardLogix 5380, RSLogix 5000 / Studio 5000 Logix Designer

CVSS Scores:

10.0

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.4

Revision History

Version 1.0 - February 25, 2021. Initial Release.
Version 1.2 - March 5, 2021. Updated for clarity.
Version 1.3 - May 5, 2021. Mitigations updated – 1783-CSP CIP Security Proxy.
Version 1.4 - July 20, 2022. Rearranged placement of general mitigations

Executive Summary

Researchers found that our Studio 5000 Logix Designer^® software may allow a key to be discovered. This key is used to verify Logix controllers are communicating with Rockwell Automation design software. If successfully exploited, this vulnerability could allow an unauthorized application to connect with Logix controllers. To leverage this vulnerability, an unauthorized user would require network access to the controller.

FactoryTalk^® Security provides user authentication and authorization for a particular set of actions within RSLogix^® 5000 and Studio 5000^®. Once the application is authorized to open and connect to the controller within RSLogix 5000 or Studio 5000 this verification mechanism, referenced above, is leveraged to establish the connection to the controller. For customers concerned with user access control and who have deployed FactoryTalk Security, this vulnerability may allow an attacker to bypass the protections provided by FactoryTalk Security.

This vulnerability was independently co-discovered by Lab of Information Systems Security Assurance (Eunseon Jeong, Youngho An, Junyoung Park, Insu Oh, Kangbin Yim) of Soonchunhyang University, Kaspersky, and by Claroty, a cybersecurity technology vendor and partner of Rockwell Automation.

Affected Products

Software:
RSLogix 5000 software v16-20, Studio 5000 Logix Designer v21 and later, and corresponding Logix controllers running these versions.
FactoryTalk Security, part of the FactoryTalk Services Platform, if configured and deployed v2.10 and later.

Controllers:
1768 CompactLogix™
1769 CompactLogix
CompactLogix 5370
CompactLogix 5380
CompactLogix 5480
ControlLogix 5550
ControlLogix^® 5560
ControlLogix 5570
ControlLogix 5580
DriveLogix™ 5730
FlexLogix™ 1794-L34
Compact GuardLogix^® 5370
Compact GuardLogix 5380
Guardlogix 5560
GuardLogix 5570
GuardLogix 5580
SoftLogix™ 5800

Vulnerability Details

CVE-2021-22681: Private Key Extraction
Studio 5000 Logix Designer uses a key to verify Logix controllers are communicating with Rockwell Automation products. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass a verification mechanism and authenticate with Logix controllers. If exploited, this vulnerability could enable an unauthorized third-party tool to make changes to the controller configuration and/or application code.

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

For details and further mitigation options, please see the table below.

Product Family and Version	Risk Mitigation and Recommended User Actions
ControlLogix 5580 v32 or later.	Put the controller mode switch to “Run” mode. If the above cannot be deployed, the followings mitigations are recommended: Deploy CIP Security for Logix Designer application connections through the front port. CIP Security prevents unauthorized connections when deployed properly. If not using the front port, use a 1756-EN4TR ControlLogix EtherNet/IP™ module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which prevents unauthorized connections when properly deployed.
ControlLogix 5580 v31	Put the controller mode switch to “Run” mode.I If the above cannot be deployed, the following mitigations are recommended: Apply v32 or later and follow mitigations actions outlined above. If unable to apply a newer version, use a 1756-EN4TR ControlLogix EtherNet/IP module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which helps prevent unauthorized connections when properly deployed.
ControlLogix 5570 v31 or later.	Put the controller mode switch to “Run” mode. If the above cannot be deployed, the following mitigations are recommended: Use a 1756-EN4TR ControlLogix EtherNet/IP Module and deploy CIP Security. The 1756-EN4TR supports CIP Security, which helps prevent unauthorized connections when properly deployed.
CompactLogix 5380 v28 or later.	Put the controller mode switch to “Run” mode. If the above cannot be deployed, the following mitigations are recommended: Install the 1783-CSP CIP Security Proxy to provide secure connection between the engineering workstation and the controller. For more information, please see the 1783-CSP CIP Proxy User Manual (link).
CompactLogix 5370 v20 or later	Put the controller mode switch to “Run” mode. If the above cannot be deployed, the following mitigations are recommended: Install the 1783-CSP CIP Security Proxy to provide secure connection between the engineering workstation and the controller. For more information, please see the 1783-CSP CIP Proxy User Manual (link).
ControlLogix 5580 v28-v30 ControlLogix 5570 v18 or later ControlLogix 5560 v16 or later ControlLogix 5550 v16 GuardLogix 5580 v31 or later GuardLogix 5570 v20 or later GuardLogix 5560 v16 or later 1768 CompactLogix v16 or later 1769 CompactLogix v16 or later CompactLogix 5480 v32 or later Compact GuardLogix 5370 v28 or later Compact GuardLogix 5380 v31 or later FlexLogix 1794-L34 v16 DriveLogix 5370 v16 or later	Put the controller mode switch to “Run” mode.
SoftLogix 5800	No additional mitigation available. Follow the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide.

Detection Strategies:
In addition, customers can continue to use the methods below to detect changes to configuration or application files:

Monitor controller change log for any unexpected modifications or anomalous activity.
If using v17 or later, utilize the Controller Log feature.
If using v20 or later, utilize Change Detection in the Logix Designer Application.
If available, use the functionality in FactoryTalk^® AssetCentre software to detect changes.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Consult the product documentation for specific features, such as a hardware Mode Switch setting, which may be used to block unauthorized changes, etc.

Social Engineering Mitigation Strategies

Do not click on or open URL links from untrusted sources.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations

Customers using the affected products are directed towards risk mitigation and are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.

Rockwell Automation has determined that this vulnerability cannot be mitigated with a patch. Rockwell Automation encourages customers to implement the mitigation strategies outlined in this disclosure.

A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To leverage this vulnerability, an unauthorized user requires network access to the controller. Customers should confirm that they are employing proper networking segmentation and security controls. Including, but not limited to:

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Minimizing network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet.
Locating control system networks and devices behind firewalls and isolating them from the enterprise/business network.
Restricting or blocking traffic on TCP 44818 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.

Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (Publication ENET-TD001E) for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines (Publication secure-rm001) on how to use Rockwell Automation products to improve the security of their industrial automation systems.

CIP Security mitigates this vulnerability as it provides the ability to deploy TLS and DTLS based secure communications to supported products. CIP Security is an enhancement to the ODVA EtherNet/IP industrial communication standard and directly addresses the vulnerability noted in this disclosure. CIP Security allows for users to leverage and manage certificates and/or pre-shared keys and does not make use of any hardcoded keys.

As of May 5, 2021, a new mitigation option is now available. The 1783-CSP CIP Security Proxy is a standalone hardware solution that provides CIP Security for devices that do not natively support CIP Security. See below for how this product can be deployed to address CompactLogix based applications.

Customers requiring setup or deployment guidance for CIP Security protocol should refer to the CIP Security deployment refence guide (Publication secure-at001) for more information.

*Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knoweldgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1600 | PN1600 | ISaGRAF Workbench Vulnerable to Multiple Phishing-Style Attacks

Published Date:

July 20, 2022

Last Updated:

July 20, 2022

CVE IDs:

CVE-2022-2463, CVE-2022-2465, CVE-2022-2464

Products:

AADvance, ISaGRAF, Trusted

CVSS Scores:

6.1, 7.7, 8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.0 – July 19, 2022
Version 1.1 – July 20, 2022 – Added AAdvance Trusted SIS Workstation to products affected

Executive Summary

Rockwell Automation received a report from Claroty regarding three vulnerabilities in ISaGRAF® Workbench. If successfully exploited, these vulnerabilities may result in directory traversal, privilege escalation, and arbitrary code execution. These vulnerabilities all require user interaction such as a phishing attack for successful exploitation.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

ISaGRAF Workbench v6.0 though v6.6.9
AADvance-Trusted Safety Instrumented System Workstation v1.1 and below

Vulnerability Details

CVE-2022—2465: Deserialization of untrusted data may result in arbitrary code execution

ISaGRAF Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in ISaGRAF Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-2464: Directory traversal vulnerability may lead to privilege escalation

The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that, when opened by ISaGRAF Workbench, can traverse the file system. If successfully exploited, an attacker would be able to overwrite existing files and create additional files with the same permissions of the ISaGRAF Workbench software. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 7.7/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2022-2463: Improper input sanitization may lead to privilege escalation

ISaGRAF does not sanitize paths specified within the .7z exchange file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .7z exchange file that when opened by ISaGRAF Workbench will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 6.1/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability	Product	Suggested Actions
CVE-2022-2463 CVE-2022-2464 CVE-2022-2465	ISaGRAF Workbench	Upgrade to ISaGRAF Workbench v6.6.10 or later.
CVE-2022-2463 CVE-2022-2464	AAdvance-Trusted SIS Workstation	Upgrade to AADvance-Trusted SIS Workstation 1.2 or later
CVE-2022-2465	AAdvance-Trusted SIS Workstation	It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue.

If immediate upgrade is not possible, customers should consider implementing the following mitigations:

Run ISaGRAF Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Do not open untrusted .7z exchange files with ISaGRAF Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

If applying the mitigations noted above, is not possible please see our Knowledgebase article, QA43240 – Security Best Practices, for additional recommendations to maintain the security posture of your environment.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

Critical

PN1599 | PN1599 | FactoryTalk Analytics DataView Vulnerable to Spring4Shell Vulnerability (CVE 2022-22965)

Published Date:

July 14, 2022

Last Updated:

July 14, 2022

Products:

FactoryTalk Analytics DataView

CVSS Scores:

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.0 – July 14, 2022

Executive Summary

Rockwell Automation was made aware of a zero-day vulnerability that impacts the Spring Core Framework. If exploited, this vulnerability could potentially have a high impact on the confidentiality, integrity, and availability of the targeted device.

Customers using affected versions of this software are encouraged to evaluate the following mitigations and apply them where appropriate. Additional details relating to the discovered vulnerability, including products in scope, impact, and recommended countermeasures are provided. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

FactoryTalk® Analytics™ DataView v.3.03.01 and below

Vulnerability Details

Rockwell Automation was made aware of a third-party remote code execution vulnerability that exists in the Spring Core Framework. This vulnerability could potentially allow an attacker to send a specially crafted request to a vulnerable server. To exploit this vulnerability, the target application must run on a Tomcat as a WAR deployment. However, due to the nature of the vulnerability, other ways to exploit it may exist.

CVSS Base Score: 9.8 /10 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Rockwell Automation is in the process of testing and validating the patch and will update this advisory for each product as updated firmware becomes available. Please see our Knowledgebase article, QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

NVD - cve-2022-22965 (nist.gov)

Medium

PN1597 | PN1597 | MicroLogix 1400/1100 Vulnerable to Clickjacking Vulnerability

Published Date:

July 07, 2022

Last Updated:

July 07, 2022

CVE IDs:

CVE-2022-2179

Products:

1763 MicroLogix 1100, 1766 MicroLogix 1400

CVSS Scores:

6.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.0 – July 7, 2022

Executive Summary

Rockwell Automation received a vulnerability report from Pawan V. Sable and Pranita Sadgir, and Dr. Faruk Kazi of COE-CNDS from Veermata Jijabai Technological Institute (VJTI) India. If exploited, this vulnerability could potentially have a high impact on the confidentiality of the targeted device.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them where appropriate. Additional details relating to the discovered vulnerability, including the products in scope, impact, and recommended countermeasures, are provided herein. We have not received any notice of this vulnerability being exploited in Rockwell Automation products.

Affected Products

MicroLogix™ 1400 v. 21.007 and below
MicroLogix™ 1100 all versions

Vulnerability Details

Rockwell Automation was made aware that the X-Frame-Options header is not configured in the HTTP response and allows potential clickjacking attacks. Exploitation of this vulnerability could potentially allow a malicious user to trick a legitimate user into using an untrusted website. If exploited, this vulnerability could lead to a loss of sensitive information, such as authentication credentials.

(CVE 2022 - 2179) MicroLogix Controllers Vulnerable to Clickjacking Attack
CVSS Base Score: 6.5 /10 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerability. Additionally, we encourage customers to combine the risk mitigations with security best practices, also provided below, to deploy a defense-in-depth strategy.

Disable the web server, if possible (This component is an optional feature and disabling it will not disrupt the intended use of the device)
Configure firewalls to disallow network communication through HTTP/Port 80

If applying the mitigations noted above are not possible, please see our Knowledgebase article QA43240 - Security Best Practices, for additional recommendations to maintain the security posture of your environment.

References

CVE-2022-2179

Medium

PN1596 | PN1596 | Logix Controllers Vulnerable to Denial-of-Service Attack

Published Date:

June 17, 2022

Last Updated:

June 17, 2022

CVE IDs:

CVE-2022-1797

Products:

1769 Compact GuardLogix 5370, 1756/5069 GuardLogix, 1768/1769/5069 CompactLogix, 1756 ControlLogix

CVSS Scores:

6.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.4

Revision History

Version 1.0 – May 24, 2022
Version 1.1 – June 3, 2022 Updated suggested actions and removed versions for clarity
Version 1.2 – June 17, 2022 Clarified vulnerability details and updated risk mitigation section
Version 1.3 – July 8th, 2022 Updated risk mitigation section
Version 1.4 – July 17th, 2023 Updated risk mitigation section

Executive Summary

Rockwell Automation was made aware of a vulnerability within our Logix controllers. This vulnerability may allow an unauthorized user to send malicious messages to the targeted device, which could potentially, lead to a denial-of-service.

Customers using affected versions of this software are encouraged to evaluate the following mitigations provided and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided in this security advisory.

Affected Products

CompactLogix™ 5380 controllers
Compact GuardLogix® 5380 controllers
CompactLogix 5480 controllers
ControlLogix® 5580 controllers
GuardLogix 5580 controllers
CompactLogix 5370 controllers
Compact GuardLogix 5370 controllers
ControlLogix 5570 controllers
GuardLogix 5570 controllers

Vulnerability Details

CVE-2022-1797 Rockwell Automation Logix controllers are vulnerable to denial-of-service attack
A vulnerability that exists in the Logix controller may allow an attacker to modify a message instruction control structure that could cause a denial-of-service condition due to a major nonrecoverable fault. If the controller experiences a major nonrecoverable fault, a user will have to clear the fault and redownload the user project file to bring the device back online and continue normal operations.

CVSS v3.1 Base Score: 6.8/10[MEDIUM]
 CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers can apply either mitigation A or B to address this vulnerability. Customers are directed towards the risk mitigation provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Products Affected	Version Affected	Suggested Actions
CompactLogix 5380	Versions prior to 32.016	Mitigation A: Customers should upgrade to version 32.016 firmware or later to mitigate this issue. Mitigation B: Set the message control structures access to read-only. Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.
Compact GuardLogix 5380
CompactLogix 5480
ControlLogix 5580
GuardLogix 5580

CompactLogix 5370	Versions prior to 33.016	Mitigation A: Customers should upgrade to version 33.016 firmware or later to mitigate this issue. Mitigation B: Set the message control structures access to read only. Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.
Compact GuardLogix 5370
ControlLogix 5570
GuardLogix 5570

ControlLogix 5570 Redundancy	Versions prior to 33.053	Mitigation A: Customers should upgrade to version 33.053 firmware or later to mitigate this issue. Mitigation B: Set the message control structures access to read only. Instructions are in Chapter 4 of Logix 5000™ Controllers I/O and Tag Data Programming Manual, publication 1756-PM004.

If applying mitigation A or B is not possible, customers should consider implementing the following solutions:

Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with products from Rockwell Automation is available at Knowledgebase article QA17329 - Using Rockwell Automation Software Products with AppLocker.
Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

Critical

PN1585 | PN1585 | Logix Controllers May Allow for Unauthorized Code Injection

Published Date:

May 06, 2022

Last Updated:

May 06, 2022

CVE IDs:

CVE-2021-22681, CVE-2022-1161

Products:

5069 Compact GuardLogix 5380, 1769 CompactLogix Controllers, 1769 CompactLogix 5370, 1756/5069 GuardLogix, 1768 CompactLogix Controllers, ControlLogix Hardware

CVSS Scores:

10.0

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.2 – May 06, 2022 Updated vulnerability details and risk mitigations

Detailed Information

Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Logix Controllers to Rockwell Automation. Claroty found that some Logix Controllers may allow an attacker, with the ability to modify user programs, to download a user program containing malicious code that would be undetectable to the user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here.

An attacker could gain the ability to modify user programs by leveraging a previously disclosed vulnerability (“Authentication Bypass Vulnerability Found in Logix Controllers”) whereby a private key was discovered potentially allowing Logix Controllers communicating over the unauthenticated version of EtherNet/IP™ to accept communication that do not originate from Studio 5000 Logix Designer ® software.

Affected Products

1768 CompactLogix™ controllers
1769 CompactLogix controllers
CompactLogix 5370 controllers
CompactLogix 5380 controllers
CompactLogix 5480 controllers
Compact GuardLogix® 5370 controllers
Compact GuardLogix 5380 controllers

ControlLogix® 5550 controllers
ControlLogix 5560 controllers
ControlLogix 5570 controllers
ControlLogix 5580 controllers
GuardLogix 5560 controllers
GuardLogix 5570 controllers
GuardLogix 5580 controllers

FlexLogix™ 1794-L34 controllers
DriveLogix™5730 controllers
SoftLogix™ 5800 controllers

Vulnerability Details

[CVE-2022-1161]: Modification of PLC Program Code

An attacker with the ability to modify a user program may change user program code on some ControlLogix, CompactLogix, and GuardLogix Control systems. Studio 5000 Logix Designer writes user-readable program code to a separate location than the executed compiled code allowing an attacker to change one and not the other. Additionally, devices communicating over the unauthenticated version of EtherNet/IP may be vulnerable to attacks from custom clients exploiting CVE-2021-22681

CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The following types of code are affected by this vulnerability – indicated by an X:

Product	Structured Text (ST)	Ladder Diagrams (LD)	Function Block Diagram (FBD)	Sequential Function Chart (SFC)	Add-On Instructions (AOI)
1768 CompactLogix	X	Not affected	X	X	X
1769 CompactLogix	X	Not affected	X	X	X
CompactLogix 5370	X	Not affected	X	X	X
CompactLogix 5380	X	X	X	X	X
CompactLogix 5480	X	X	X	X	X
Compact GuardLogix 5370	X	Not affected	X	X	X
Compact GuardLogix 5380	X	X	X	X	X
ControlLogix 5550	X	Not affected	X	X	X
ControlLogix 5560	X	Not affected	X	X	X
ControlLogix 5570	X	Not affected	X	X	X
ControlLogix 5580	X	X	X	X	X
GuardLogix 5560	X	Not affected	X	X	X
GuardLogix 5570	X	Not affected	X	X	X
GuardLogix 5580	X	X	X	X	X
FlexLogix 1794-L34	X	Not affected	X	X	X
DriveLogix 5730	X	Not affected	X	X	X
SoftLogix 5800	X	Not affected	X	X	X

Risk Mitigation & User Action

We recommend customers using the affected products, below, to apply both Risk Mitigations A and B, if possible. Additionally, customers are advised to implement Risk Mitigation B as a long-term mitigation action and to overall increase the security posture of their environment. Furthermore, we encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.

Product Family

Risk Mitigation and Recommended User Actions

ControlLogix 5570
ControlLogix 5580
GuardLogix 5570
GuardLogix 5580
CompactLogix 5380
Compact GuardLogix 5380

Risk Mitigation A:

Recompile and download user program code (i.e., acd) using an uncompromised workstation
Put controller mode switch into Run position

If keeping controller mode switch in Run is impractical, use the following mitigation:

Recompile and download user program code (i.e., acd) using an uncompromised workstation
Monitor controller change log for any unexpected modifications or anomalous activity
Utilize the Controller Log feature
Utilize Change Detection in the Logix Designer Application
If available, use the functionality in FactoryTalk AssetCentre software to detect changes

Risk Mitigation B:
Implement CIP Security™ to help prevent unauthorized connections when properly deployed. Supported controllers and communications modules include:

ControlLogix 5580 processors using on-board EtherNet/IP port
GuardLogix 5580 processors using on-board EtherNet/IP port
ControlLogix 5580 processors operating in High Availability (HA) configurations using 1756-EN4TR’s
ControlLogix 5560, ControlLogix 5570, ControlLogix 5580, GuardLogix 5570 and GuardLogix 5580 can use a 1756-EN4TR ControlLogix EtherNet/IP™ module
If using a 1756-EN2T, then replace with a 1756-EN4TR
CompactLogix 5380 using on-board EtherNet/IP port
Compact GuardLogix 5380 using on-board EtherNet/IP port

We recommend customers using the affected products, below, to apply Risk Mitigation A. We encourage customers to apply general security guidelines in addition to the risk mitigations for a comprehensive defense in depth strategy.

Product Family

Risk Mitigation and Recommended User Actions

1768 CompactLogix
1769 CompactLogix
CompactLogix 5370
CompactLogix 5480
ControlLogix 5560
GuardLogix5560

Risk Mitigation A:

Recompile and download user program code (i.e., acd)
Put controller mode switch into Run position

If keeping controller mode switch in Run is impractical, then use the following mitigation:

Recompile and download user program code (i.e., acd)
Monitor controller change log for any unexpected modifications or anomalous activity
Use the Controller Log feature
Use Change Detection in the Logix Designer application
If available, use the functionality in FactoryTalk AssetCenter to detect changes

In addition to applying risk mitigations, customers should also utilize the detection tools, listed below, to identify if this vulnerability has been exploited in their environment.

Exploitation Detection Method:

The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:

On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer Compare Tool User Manual, pages 19-20.
Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).

Notes:

The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

Software/PC-based Mitigation Strategies

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

Social Engineering Mitigation Strategies
Do not click on or open URL links from untrusted sources.Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations (Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.

Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see Rockwell Automation Publication System Security Design Guidelines Reference Manual.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).

Additional Links

High

PN1586 | PN1586 | Logix Designer Application May Allow Unauthorized Controller Code Injection

Published Date:

May 06, 2022

Last Updated:

May 06, 2022

CVE IDs:

CVE-2022-1159

Products:

RSLogix 5000 / Studio 5000 Logix Designer

CVSS Scores:

7.7

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.0 – March 31, 2022
Version 1.1 – May 06, 2022 – Updated vulnerability details and mitigations

Detailed Information

Claroty, a cybersecurity technology vendor and partner of Rockwell Automation, disclosed a vulnerability in Studio 5000 Logix Designer® software which impacts some Logix controllers. Claroty found that the Logix Designer application could allow an unauthorized third-party to inject controller code using a compromised workstation where the third party has gained administrative access. This could allow a third party to download the modified program to the controller and potentially allow for arbitrary code execution on the controller in a way that would potentially be undetectable to a user. This vulnerability was found by Sharon Brizinov and Tal Keren of Claroty, and they have provided a blog post with more details located here .

Affected Products

Studio 5000 Logix Designer application v28 and later, and the following Logix controllers running these versions:

ControlLogix® 5580 controllers
GuardLogix® 5580 controllers
CompactLogix™ 5380 controllers
CompactLogix 5480 controllers
Compact GuardLogix 5380 controllers

Vulnerability Details

[CVE-2022-1159]: Modification of PLC Program Code
Studio 5000 Logix Designer compiles the user program on the workstation. This compilation process prepares the Logix Designer application user program for download to a Logix controller. To successfully exploit this vulnerability, an attacker must first gain administrator access to the workstation running Studio 5000 Logix Designer. The attacker can then intercept the compilation process and inject code into the user program. The user may potentially be unaware that this modification has taken place.

This exploit could also allow modification of source key protected content and license source protected content. Changes to the content may not be noticeable to the user. Additionally, exploitation could affect safety tasks if unlocked and signature unprotected at the time of the attack. A locked and signature protected safety task would not be impacted.

CVSS v3.1 Base Score: 7.7/HIGH
CVSS Vector: AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

There is no long-term mitigation for this vulnerability. Customers using the affected hardware and software are directed to apply compensating controls and utilize detection capabilities, which are both listed below. Additionally, we recommend implementing general security guidelines for a comprehensive defense in depth strategy.

Compensating Controls:

Apply the Windows Hardening Guidance found in QA63609 - Recommended guidelines for hardening software, computer, device, and network systems and infrastructure (CIS Benchmarks) to help minimize risk of the vulnerability.
Secure their workstations by referencing Rockwell Automation Configure System Security Features publication SECURE-UM001A. This publication also describes how to detect attempts to exploit this vulnerability on a compromised workstation using Windows® security audit features – see page 51.

Exploitation Detection Method:

The detection method can be used to determine if the user program residing in the controller is identical to what was downloaded. After upgrading to V34, this user program verification can be done via two methods:

On-demand using the online feature of the Logix Designer Compare Tool V9 or later. Details on how to utilize user program verification to discover if this vulnerability has been exploited can be found at Logix Designer application Compare Tool User Manual publication LDCT-UM001C, pages 19-20.
Schedule user program verification on FactoryTalk® AssetCentre V12 or later (Available Fall 2022).

Notes:

The user program comparison must be performed using the online compare tool feature from an uncompromised workstation.
Customers are directed to upgrade to Studio 5000® V34 software, or later, and the corresponding firmware versions for the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380. Review your controllers’ user manual to determine the required controller firmware version.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.

Software/PC-based Mitigation Strategies

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker.
Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

Social Engineering Mitigation Strategies

Do not click on or open URL links from untrusted sources.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.

Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see the Rockwell Automation publication number SECURE-RM001 “System Security Design Guidelines Reference Manual”.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).
Please direct all media inquiries to Marci Pelzer (MPelzer@rockwellautomation.com).

Additional Links

PN1594 | PN1594 | APT Cyber Tools Targeting ICS/SCADA Devices (PIPEDREAM/INCONTROLLER)

Published Date:

May 06, 2022

Last Updated:

May 06, 2022

Products:

FactoryTalk Linx Gateway

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.0 – May 6, 2022

Executive Summary

On April 13, 2022, researchers announced a new set of tools that was developed by an Advanced Persistent Threat (APT). This set of tools allows threat actors to attack specific ICS and OT hardware and software. Rockwell Automation is providing this advisory to notify customers of our response to this threat.

We are diligently working through our process to evaluate the threat and provide security mitigations as needed. Rockwell Automation recommends that customers apply hardening techniques, in addition to security best practices for a comprehensive defense in depth approach.

Affected Products

We are aware that the tool set contains modules that target OPC UA servers, CODESYS runtimes, and ASRock drivers. After evaluation, Rockwell Automation is aware that the products, listed below, use one of the targeted components. This list may be updated if more products are identified.

Products that use OPC UA servers:

FactoryTalk® Linx Gateway
- Editions include embedded, basic, standard, extended distributed, professional
- Versions include 6.10, 6.11, 6.20, 6.21 and 6.30

Risk Mitigation & User Action

We recommend the following compensating controls for customers using Rockwell Automation products that use the targeted hardware and software:

Disable anonymous authentication and configure the use of FactoryTalk Security using the following guidance. FactoryTalk Linx Gateway Getting Result Guide FTLG-GR001E
- Chapter 4 - UA Server Endpoints - Endpoint Properties
- Appendix D - Secure FactoryTalk Linx Gateway using FactoryTalk Security
Enforce a lockout threshold for failed authentication attempts and configure audit logs using the following guidance to detect signs of an attack. FactoryTalk Security System Configuration Guide Publication FTSEC-QS001R - Chapter 9
- Set system policies - Account Policy Settings
- Set audit policies - Monitor security-related events

General Security Guidelines

Refer to the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Industrial Security Services website for information on security services from Rockwell Automation to assess, help protect, detect, respond, and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation in PN1354 – Industrial Security Advisory Index

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com

Additional Links

PN1592 | PN1592 | Vulnerable Third-Party Components in FactoryTalk® ProductionCentre

Published Date:

May 04, 2022

Last Updated:

May 04, 2022

Products:

FactoryTalk ProductionCentre

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.0 – May 4, 2022

Executive Summary

Rockwell Automation discovered multiple vulnerabilities affecting third-party software utilized by our FactoryTalk® ProductionCentre (FTPC) products. If exploited, these vulnerabilities could have various effects, including but not limited to, remote code execution, information disclosure, and denial of service on FTPC products.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including products in scope and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk® ProductionCentre v10.04 and earlier

Vulnerability Details

As part of our commitment to security, Rockwell performs routine testing and vulnerability scanning to maintain the security posture of products. Due to open-source testing, we were made aware that third-party components utilized within our FTPC products contain vulnerabilities that range from low to high. The third-party components are listed below.

Apache ActiveMQ Version 5.15.0	Dom4J Version 1.61
Apache Common BeanUtils Version 1.9.0	Hibernate ORM Version 3.3.2
Apache CXF Version 3.1.10	Jackson Databind Version 2.1.4
Apache Http Client Version 4.5.2	JasperReports Library Version 6.2.0
Apache Santuario (Java) 2.0.8	Java Platform Standard Edition Version 8u181
Apache Xalan Version (Java) 2.7.1	JBoss Remoting Version 4.0.22.Final
Apache Xerces2J Version 2.11.0.SP5	JGroups Version 2.12.2 Final
Bouncy Castle Version 1.36, 1.44, 1.55	Spring Framework Versions 2.5.5, 4.3.8-4.3.9
Cryptacular Version 1.51	Undertow Core Versions 1.0.10.Final
Codehaus XFire Version 0.9.5.2	Velocity.apache.org Version 1.7

Risk Mitigation & User Action

Customers using the affected software are encouraged to implement the risk mitigations below to minimize the risk of vulnerabilities. We encourage customers to combine the risk mitigations with security best practices to deploy a defense-in-depth strategy.

Apply security recommendations found in the FactoryTalk® ProductionCentre Knowledgebase Article IN39626 - Security Recommendations for FactoryTalk ProductionCentre to help minimize the risk of these third-party vulnerabilities.
Deploy network segmentation, when possible, per our standard deployment recommendations.

General Security Guidelines

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that a VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable the assessment, design, implementation, and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Additional Links

If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com

High

PN1589 | PN1589 | Multiple Products Vulnerable to Deserialization of Data

Published Date:

April 04, 2022

Last Updated:

April 04, 2022

CVE IDs:

CVE-2022-1118

Products:

Using CCW with Micro800 Controllers, ISaGRAF, Using CCW with Component Class Drives, Using CCW with PanelView Component Terminals

CVSS Scores:

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.0 – April 4, 2022

Executive Summary

Rockwell Automation received a report from the researcher Kimiya through Trend Micro’s Zero Day Initiative about vulnerabilities in Connected Components Workbench™, ISaGRAF® Workbench and Safety Instrumented Systems Workbench for Trusted® controllers. If successfully exploited, these vulnerabilities may result in remote code execution. These vulnerabilities all require user interaction through a phishing attack, for example, to be successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Connected Components Workbench v13.00.00 and below.
ISaGRAF Workbench v6.0-v6.6.9
Safety Instrumented System Workstation v1.2 and below (for Trusted Controllers)

Vulnerability Details

CVE-2022-1118- Deserialization of untrusted data may result in arbitrary code execution
Connected Components Workbench does not limit the objects that can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Products Affected	Suggested Actions
Connected Components Workbench Versions 13.00 and below	Customers should update to version 20.00, which mitigates this vulnerability.
ISaGRAF Workbench Versions 6.0-6.6.9	It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue.
SIS Workstation Versions 1.2 and below (for Trusted Controllers)	It is recommended that customers follow the security guidelines below until an updated release is available to mitigate this issue.

If an upgrade is not possible or available, customers should consider deploying the following mitigations:

Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Do not open untrusted .ccwsln files with Connected Component Workbench, ISaGRAF, or SISW. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Use of Microsoft® AppLocker or other similar allow list applications can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com)

Additional Links

Critical

PN1579 | Log4Shell Vulnerability Notice

Published Date:

January 21, 2022

Last Updated:

December 01, 2024

CVE IDs:

CVE-2021-4104, CVE-2021-45046, CVE-2019-17571, CVE-2021-44228

Products:

Production Management

CVSS Scores (v3.1):

10, 3.7, 8.1, 9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Revision History

Revision Number

2.2

Revision History

Version 1.0 – 12-Dec-2021. Initial Version

Version 1.1 – 15-Dec-2021. Updated Affected Products and Risk Mitigation & User Actions

Version 1.2 – 17-Dec-2021. Updated FTA DataView Versions affected

Version 2.0 – 19-Dec-2021. Updated Affected Products and Risk Mitigation & User Actions, etc.

Version 2.1 – January 7, 2022. Updated FactoryTalk® Analytics™ DataView, Data Flow ML, Warehouse Management Patch Guidance and User Actions, etc.
Version 2.2 – January 21, 2022 Updated DataView Mitigation Actions, etc

Executive Summary

On December 9, 2021, a vulnerability was announced named “Log4Shell” by researchers. This vulnerability allows for remote code execution by exploiting the Java Logging Library log4j2.

Rockwell Automation is aware of this vulnerability and of how it could, if exploited, potentially impact our customers’ environments. Rockwell Automation has completed process of evaluation on how the mitigation techniques will impact the functionality and performance of the Rockwell Automation hardware, software, and pre-engineered products and solutions that incorporate this software.

Affected Products

Rockwell Automation has investigated its product portfolio to identify which of its products may be directly affected by the "Log4Shell" vulnerability. Rockwell Automation will continue to monitor this situation and will update this advisory if necessary. Our investigation has indicated that the following Rockwell Automation products are affected.

Product Affected	Versions Affected
Plex (A Rockwell Automation Company) Industrial Internet of Things	All Versions < 2.17
Fiix (A Rockwell Automation Company) CMMS™ core V5	This product is cloud-based and has been updated for all customers.
Warehouse Management	4.01.00, 4.02.00, 4.02.01, 4.02.02
EIG (Discontinued)	3.03.00
Industrial Data Center	9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS – Gen 1, Gen 2, Gen 3, Gen 3.5
VersaVirtual™ Application	9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN – Series A
FactoryTalk® Analytics™ DataFlowML	All Versions until 4.00.00 (including)
FactoryTalk Analytics DataView	All
Firewall Managed Support – Cisco FirePOWER® Thread Defense	9300-FMAN, 9300-FSYS Version 6.2.3 – 7.1.0

Vulnerability Details

CVE-2021-44228: Apache Log4j2 JNDI features do not help protect against attacker-controlled LDAP and other JNDI related endpoints

Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVSS v3.1 Base Score: 10/10 [Critical]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack.

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack. Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration such as to set the system property log4j2.noFormatMsgLookup to true do NOT mitigate this specific vulnerability.

CVSS v3.1 Base Score: 3.7/10 [Moderate]
CVSS V3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2021-4104: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

CVSS v3.1 Base Score: 8.1/10 [High]
CVSS V3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2019-17571: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

CVSS v3.1 Base Score: 9.8/10 Critical]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Vulnerability	Products Affected	Suggested Actions
CVE-2021-44228	Plex Industrial IoT	This product has been updated to version 2.17.1 and all vulnerabilities are mitigated at this time. No user action is required.
	Fiix CMMS core V5	The product has been updated to remove Log4j completely and is no longer vulnerable. No user interaction is required.
	Warehouse Management Version 4.01.00, 4.02.00, 4.02.01, 4.02.02	Customers should upgrade to version 4.02.03, which has been released to mitigate this vulnerability.
	MES EIG 3.03.00	This product is currently discontinued and therefore no patch will be provided. Customers should upgrade to EIG Hub if possible or work with their local representatives about alternative solutions.
	Industrial Data Center (9300-NS-ESSENTIAL, 9300-NS-ESSENTIALPLUS) – Gen 1, Gen 2, Gen 3, Gen 3.5	- For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028. - For managed support customers, Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager. - For non-managed support customers with a with VNxE, follow the mitigation outlined by Dell in DSA-2021-298. - For non-managed support customers with a Data Domain, follow the mitigation outlined by Dell in DSA-2021-274
	VersaVirtual (9300-VV2000RN, 9300-VV2000EN, 9300-VV1000RN, 9300-VV1000EN) – Series A	- For non-managed support customers, follow the mitigation instructions outlined by VMware in VMSA-2021-0028.2. - For managed support customers, Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager.
	FactoryTalk Analytics DataFlowML	Customers should upgrade to version 4.00.01, which has been released to mitigate this vulnerability. It is recommended that customers not use DataFlow ML prior to version 4.00.01.
	FactoryTalk Analytics DataView 3.02	Customers are required to upgrade from 3.02 to 3.03.01. Customers who have prior versions are required to upgrade to 3.02 first. It is recommended that customers not use DataFlow ML prior to version 4.00.00.
	Firewall Managed Support – Cisco Firepower Thread Defense (9300-FMAN, 9300-FSYS) Version 6.2.3 – 7.1.0	- For managed support customers, Rockwell Automation support team will be reaching out to affected customers to implement mitigation steps. For specific site details, please contact the support team or your Customer Success Manager. - For non-managed support customers, follow the mitigation instructions outlined by Cisco in CSCwa46963.
CVE-2021-45046, CVE-2021-4104, CVE-2019-17571	No products affected at this time.

Products Using Log4j 1.2
A number of Rockwell Automation products contain log4j libraries that may be detected by various scanning tools. These products do not use the JMSAppender nor the Socket Server and are not vulnerable to CVE-2021-4104 and CVE-2019-17571:

Products Evaluated and Not Affected	Suggested Actions
Factory Talk Analytics Data View 3.02.00, 3.03.00, 4.00.00, 4.01.00	No actions are needed as these products do not use the JMSAppender nor the Socket Server and therefore are not vulnerable.
Data Scheduler
FactoryTalk Augmented Modeler
Factory Talk Analytics Data Flow ML 2.01
Factory Talk Analytics Information Platform
Live Transfer 10.4, 11.0
Pavilion8
Factory Talk Analytics Security Provider 3.02.00, 3.03.00
PanelView 5000
FactoryTalk Production Centre (All Versions)
Factory Talk Pharma Suite (All Versions)
Studio 5000 View Designer	Studio 5000 does not use the JMSAppender nor the Socket Server and is not vulnerable.  Note: Studio 5000 consists of Studio 5000 Logix Designer and Studio 5000 View Designer.  If Logix Designer is the only component required, then View Designer version 8 or older may be removed by uninstalling it using the Windows Add/Remove Programs feature.  Uninstall “Studio 5000 View Designer”.  This will remove the log4j 1.2x library completely.  Alternatively, update Studio 5000 View Designer to version 9 or later which has updated log4j libraries that are not vulnerable.

General Security Guidelines

See the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located in PN1354 – Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website .

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

General Mitigations

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
Locate control system networks and devices behind firewalls and isolate them from the business network.
Visit links below for more mitigation techniques

ADDITIONAL LINKS

Critical

PN1567 | PN1567 | ISaGRAF Runtime Affected by Multiple Vulnerabilities

Published Date:

December 30, 2021

Last Updated:

December 30, 2021

CVE IDs:

CVE-2020-25184, CVE-2020-25180, CVE-2020-25176, CVE-2020-25182, CVE-2020-25178

Products:

AADvance, ISaGRAF, Micro800

CVSS Scores:

9.1, 7.8, 5.3, 7.5, 6.7

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision Number

1.3

Revision History

Version 1.3 – March 19^th, 2024. Added AADvance Eurocard controller to Affected Products and Updated Suggested Actions for AADvance Eurocard controller

Version 1.2 - December 30, 2021. Updated Suggested Actions for AADvance® Controller version 1.40 and earlier

Executive Summary

Rockwell Automation received a report from Kaspersky regarding five vulnerabilities in ISaGRAF^® Runtime 4 and 5. If successfully exploited, these vulnerabilities may result in remote code execution, information disclosure, or denial of service.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

ISaGRAF Runtime 4.x and 5.x
The following Rockwell Automation products are based on ISaGRAF to design integrated automation solutions:

AADvance^® Controller version 1.32 and earlier
ISaGRAF Free Runtime in ISaGRAF6 Workbench version 6.6.8 and earlier
Micro800™ family, all versions

Vulnerability Details

CVE-2020-25176: Code Execution due to Relative Path Traversal
Some commands used by the ISaGRAF eXchange Layer (IXL) protocol perform various file operations in the file system. Since the parameter pointing to the file name is not checked for reserved characters, it is possible for a remote attacker authenticated on the IXL protocol to traverse an application’s directory, which could lead to remote code execution.

CVSS v3.1 Base Score: 9.1/10 [CRITICAL]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2020-25184: Information Disclosure due to cleartext storage of passwords in a file and memory
ISaGRAF Runtime stores the password in plaintext in a file which is located in the same directory with the executable file. ISaGRAF Runtime reads the file and saves the data in a variable without any additional modification. A local, unauthenticated attacker could compromise the user passwords resulting in information disclosure.

CVSS v3.1 Base Score: 7.8/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2020-25178: Information Disclosure due to Cleartext Transmission of Information
ISaGRAF Workbench communicates with ISaGRAF Runtime using TCP/IP. The communication protocol provides various file system operations as well as uploading applications. Data is transferred over this protocol unencrypted, which could allow a remote, unauthenticated attacker to upload, read and delete files.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2020-25182: Code Execution due to Uncontrolled Search Path Element
ISaGRAF Runtime searches and loads DLLs as dynamic libraries. Uncontrolled loading of dynamic libraries could allow a local, unauthenticated attacker to execute arbitrary code. This vulnerability only affects Microsoft Windows systems running ISaGRAF Runtime.

CVSS v3.1 Base Score: 6.7/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE-2020-25180: Information Disclosure due to Hard-coded Cryptographic Key
ISaGRAF Runtime includes the functionality of setting a password which is required to execute privileged commands. The password value passed to ISaGRAF Runtime is the result of encryption performed with a fixed key value using the Tiny Encryption Algorithm (TEA) on a password that has been entered or saved. A remote, unauthenticated attacker could pass his own encrypted password to the ISaGRAF 5 Runtime, which may result in information disclosure on the device.

CVSS v3.1 Base Score: 5.3/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software and are directed towards risk mitigation. Customers are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.

Vulnerability	Affected Products	Suggested Mitigations
CVE-2020-25176	AADvance Controller ISaGRAF5 Runtime Micro800 family AADvance Eurocard controller	Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3 Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed. For ISaGRAF, customers are encouraged to restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF refer to product documentation. Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use. For AADvance controllers, Customers should update to version 1.041.3 to mitigate vulnerability. For Micro800 family, to reduce risk, customers are encouraged to help protect the controller with a password. Additionally, customers deploying Micro870®, Micro850®, or Micro830® controllers are encouraged to put the controller's mode switch to "RUN". Customers are encouraged to restrict or block traffic on TCP 44818 from outside the industrial control system network zone. Customers should also confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products . Rockwell Automation recommends upgrading to AADvance Eurocard Controller firmware to version 1.041
CVE-2020-25178	AADvance Controller ISaGRAF5 Runtime Micro800 family AADvance Eurocard controller	Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3. Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed. Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use. Rockwell Automation recommends upgrading to AADvance Eurocard Controller firmware to version 1.041
CVE-2020-25182	ISaGRAF5 Runtime	Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00. Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed. Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use.
CVE-2020-25184	AADvance Controller ISaGRAF5 Runtime AADvance Eurocard controller	Rockwell Automation recommends upgrading to ISaGRAF Runtime 5 version 5.72.00 and AADvance Controller firmware to version 1.041.3. Customers should confirm that the least-privilege user principle is followed, and user/service account access to Runtime's folder location is granted with a minimum number of rights as needed. For ISaGRAF, restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF refer to product documentation. Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use. For AADvance controllers, Customers should update to version 1.041.3 to mitigate this vulnerability. Rockwell Automation recommends upgrading to AADvance Eurocard Controller firmware to version 1.041
CVE-2020-25180	AADvance Controller ISaGRAF5 Runtime AADvance Eurocard controller	To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense in depth strategies. Customers should consider using proper network infrastructure controls, such as firewalls, UTM devices, VPN, or other security appliances. For ISaGRAF, restrict or block traffic on TCP 1131 from outside of the industrial control system network zone. For more information on the TCP/UDP ports used by ISaGRAF refer to product documentation. Since ISaGRAF 5 Runtime is provided to a customer as a development kit, implementing least-privilege may vary from implementation to implementation based on the hardware in use. For AADvance controllers, Customers should update to version 1.041.3 to mitigate this vulnerability. Rockwell Automation recommends upgrading to AADvance Eurocard Controller firmware to version 1.041

General Security Guidelines

Use proper network infrastructure controls, such as firewalls, to help ensure that any communication protocols from unauthorized sources are blocked.
Block traffic to all protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to ports using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports, refer to the product documentation.
Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 - Using Rockwell Automation Software Products with AppLocker.
Confirm that the least-privilege user principle is followed, and user/service account access to shared resources is only granted with a minimum number of rights as needed.
Do not open untrusted .isasln and .acfproj files with ISaGRAF6 Workbench.
Do not click on or open URL links from untrusted sources.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Critical

PN1580 | PN1580 | GOAhead Web Server vulnerability in 1783-NATR

Published Date:

December 16, 2021

Last Updated:

December 16, 2021

CVE IDs:

CVE-2019-5097, CVE-2019-5096

Products:

Network Address Translation (NAT) Device

CVSS Scores:

7.5, 9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.2

Revision History

Version 1.0 – December 15, 2021
Version 1.1 - December 16, 2021: Updated Suggested Actions
Version 1.2 – January 21, 2021: Updated Suggested Actions To Mitigate

Executive Summary

Rockwell Automation received a report from Cisco® Talos™ Researchers regarding two vulnerabilities in the 1783-NATR. If successfully exploited, these vulnerabilities may result in remote code execution on the device through the GoAhead web server and a denial-of-service condition.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Detailed Information

CVE-2019-5096: GoAhead web server allows unauthenticated HTTP requests that may result in remote code execution

A remote unauthenticated attacker may be able to send a specially crafted HTTP request that can lead to a use-after-free condition during the processing of this request that can be used to corrupt heap structures, which would result in the ability for the attacker to execute remote code execution.

CVSS v3.1 Base Score: 9.8/10[Critical}

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2019-5097: GoAhead web server allows specially crafted HTTP requests that may result in a denial-of-service for the device.

A remote unauthenticated attacker may be able to send a specially crafted HTTP request that can lead to an infinite loop in the process. The request can be unauthenticated in the form of GET or POSTS requests and does not require the requested resource on the server, which would lead to a denial-of-service attack on the device.

CVSS v3.1 Base Score: 7.5/10 [High]
CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

1783-NATR version 1.005

Risk Mitigation & User Action

Customers using the affected 1783-NATR are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability	Suggested Actions
CVE-2019-5096	Upgrade firmware to version 1.006 to mitigate this vulnerability.
CVE-2019-5097	Upgrade firmware to version 1.006 to mitigate this vulnerability.

General Security Guidelines

Network-based vulnerability mitigations for embedded products

Utilize proper network infrastructure controls, such as firewalls, to help ensure that HTTP port 80 from unauthorized sources are blocked.
Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to Port#80 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products .

General mitigations

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.

Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/security notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

Additional Links

Critical

PN1494 | VxWorks Vulnerabilities affect Programmable Automation Controllers, EtherNet/IP Communication Modules, I/O Modules, Kinetix 6500 Servo Drive, High-Frequency RFID Interface Block

Published Date:

August 11, 2021

Last Updated:

October 04, 2024

CVE IDs:

CVE-2019-12260, CVE-2019-12265, CVE-2019-12257, CVE-2019-12258, CVE-2019-12256, CVE-2019-12255, CVE-2019-12263, CVE-2019-12262, CVE-2019-12264, CVE-2019-12261, CVE-2019-12259

Products:

Network Address Translation (NAT) Device, 5069 Compact I/O, 1732E ArmorBlock I/O, Ethernet/IP Connected Products, High-Frequency RFID, 1756 ControlLogix I/O

CVSS Scores (v3.1):

9.8, 8.8, 7.5, 8.1, 6.3, 7.1, 5.4

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Revision History

Revision Number

1.0

Revision History

October 1, 2024 – Version 1.6 Updated Affected Catalog Numbers and Suggested Actions for ControlLogix EtherNet/IP Module

02-March-2020 - Version 1.4. Updated suggested risk mitigation & user actions.
11-November-2020 - Version 1.3. Corrected suggested actions.
16-November-2019 - Version 1.2. Updated Advisory.
30-July-2019 - Version 1.0. Initial Release.

Revision History

Revision Number

1.1

Revision History

09-October-2019 - Updated Advisory

On October 1st, 2019, it was reported (ICS-CERT Advisory: ICSA-19-274-01) that the series of TCP/IP stack vulnerabilities originally reported as impacting VxWorks systems were now found to impact additional real-time operating system vendors including ENEA, Green Hills Software, ITRON, and IP Infusion. Rockwell Automation is not aware of any products affected by the new advisory. An investigation is ongoing and this advisory will be updated when the investigation is complete.

Revision History

Revision Number

1.2

Revision History

16-November-2019 - Updated Advisory

Rockwell Automation completed an investigation into the additional, impacted real-time operating systems reported in ICS-CERT Advisory: ICSA-19-274-0, and concluded that no products are affected by this new advisory.

Revision History

Revision Number

1.3

Revision History

2-November-2020. Corrected suggested actions.

The Rockwell Automation PSIRT has updated the suggested actions for the for the ControlLogix 5580 and CompactLogix. Please refer to the Risk Mitigation & User Action section below for more information.

Revision History

Revision Number

1.4

Revision History

02-March-2020 - Version 1.4. Updated suggested risk mitigation & user actions.

The Rockwell Automation PSIRT has updated the suggested actions for the for the ControlLogix 5580, GuardLogix 5580, CompactLogix 5380, and CompactLogix 5380. Please refer to the Risk Mitigation & User Action section below for more information.

Revision History

Revision Number

1.5

Revision History

04-August-2021 – Version 1.5 Updated firmware available for 1747-AENTR and 1769-AENTR

Revision History

1.6

October 1, 2024 – Updated Affected Catalog Numbers and Suggested Actions for ControlLogix EtherNet/IP Module

Executive Summary

Armis, an Internet of Things (IoT) security firm, reported a total of eleven vulnerabilities to WindRiver that affect VxWorks, a real-time operating system (RTOS) utilized by many different technology vendors, including Rockwell Automation™. These vulnerabilities, if successfully exploited, may result in several impacts ranging from packet information disclosure to allowing a threat actor to execute arbitrary code on the targeted device.

Not every VxWorks vulnerability applies to every impacted product family. Please see the table under Affected Products for a full list of the potentially affected Rockwell Automation products and the corresponding VxWorks vulnerabilities, which are identified by their Common Vulnerabilities and Exposures (CVE) ID.

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.

Customers using potentially affected products are encouraged to evaluate their own systems and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

Product Family

Catalogs

CVE-2019-12255

CVE-2019-12256

CVE-2019-12257

CVE-2019-12258

CVE-2019-12259

CVE-2019-12260

CVE-2019-12261

CVE-2019-12262

CVE-2019-12263

CVE-2019-12264

CVE-2019-12265

CompactLogix™ 5480 (EPIC controller)

5069-L4

x

Compact 5000™ I/O EtherNet/IP Adapter

5069-AEN2TR

x

ControlLogix® 5580 (+ GuardLogix®)

1756-L8

x

CompactLogix Compact GuardLogix 5380

5069-L3
5069-L3S2

x

CompactLogix 5370

1769-L3

x

CompactLogix GuardLogix 5370

1769-L3S

x

CompactLogix 5370

1769-L2

x

CompactLogix 5370

1769-L1

x

ControlLogix EtherNet/IP Module

1756-EN2TSC/A

x

ControlLogix EtherNet/IP Module

1756-EN2TSC/B

x

ControlLogix EtherNet/IP Module

1756-EN2T/C

x

ControlLogix EtherNet/IP Module

1756-EN2T/D

x

ControlLogix EtherNet/IP Module

1756-EN4TR

x

ControlLogix EtherNet/IP Module

1756-EN2TP/A

x

ControlLogix EtherNet/IP Module

1756-EN2TR/B

x

ControlLogix EtherNet/IP Module

1756-EN2TR/C

x

ControlLogix EtherNet/IP Module

1756-EN3TR/A

x

ControlLogix EtherNet/IP Module

1756-EN3TR/B

x

X

ControlLogix EtherNet/IP Module

1756-EN2F/B

x

ControlLogix EtherNet/IP Module

1756-EN2F/C

x

ControlLogix EtherNet/IP Module

1756-EN2TRXT

x

1783-NATR, Network Address Translation Router

1783-NATR

x

ArmorBlock® I/O Modules

1732E-8CFGM8R

x

ArmorBlock I/O Modules

1732E-IB8M8SOER

x

ArmorBlock I/O Modules

1732E-IF4M12R

x

ArmorBlock I/O Modules

1732E-IR4M12R

x

ArmorBlock I/O Modules

1732E-IT4M12R

x

ArmorBlock I/O Modules

1732E-OB8M8SR

x

ArmorBlock I/O Modules

1732E-OF4M12R

x

ArmorBlock I/O Modules

1732E-8IOLM12R

x

Bulletin 56RF High-Frequency RFID

56RF-IN-IPD22

x

Bulletin 56RF High-Frequency RFID

56RF-IN-IPD22A

x

Bulletin 56RF High-Frequency RFID

56RF-IN-IPS12

x

SLC™ 500 EtherNet/IP Adapter

1747-AENTR

x

CompactLogix E/IP Adapter

1769-AENTR

x

Kinetix® 6200 Servo Multi-axis Drives

2094-SE02F-M00-Sx

x

Kinetix® 6500 Servo Multi-axis Drives

2094-EN02D-M01-Sx

x

Vulnerability Details

Vulnerability #1: TCP Urgent Pointer = 0 leads to integer underflow
A remote, unauthenticated threat actor could either hijack an existing TCP session or establish a new TCP session to inject malformed TCP packets to the device, resulting in a denial of service condition to the application, or could allow the execution of arbitrary code on the affected device. Products implementing non-executable memory mitigations reduce the risk of exploitation.

CVE-2019-12255 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #2: Stack overflow in the parsing of IPv4 packets’ IP options
A remote, unauthenticated threat actor could send invalid IPv4 packets, resulting in a crash to the task that receives or transmits any Ethernet packets, or could allow the execution of arbitrary code on the affected device.

CVE-2019-12256 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #3: Heap overflow in DHCP Offer/ACK parsing inside ipdhcpc
A remote, unauthenticated threat actor could utilize this vulnerability overwrite the heap, which may result in a crash later on when a task requests memory from the heap.

CVE-2019-12257 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned.

Vulnerability #4: Denial of Service (DoS) of TCP connection via malformed TCP options
A remote, unauthenticated threat actor who is able to figure out the source and destination TCP port and IP addresses of a session could potentially inject invalid TCP segments which cause the TCP session to be reset, resulting in a crash of the application that is reading from the affected socket.

CVE-2019-12258 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned.

Vulnerability #5: DoS via NULL dereference in IGMP parsing
An unauthenticated threat actor on the same Local Area Network (LAN) as the victim system may use this vulnerability to cause a Denial of Service condition to the task that receives and transmits Ethernet packets.

CVE-2019-12259 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned.

Vulnerability #6: TCP Urgent Pointer state confusion caused by malformed TCP AO option
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12260 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned.

Vulnerability #7: TCP Urgent Pointer state confusion during connect() to a remote host
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12261 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System (“CVSS”) v3.0. A CVSS v3 base score of 8.8 has been assigned.

Vulnerability #8: Handling of unsolicited Reverse Address Resolution Protocol (ARP) replies
A threat actor on the same LAN as the victim system can send reverse-ARP responses to the victim system and assign IPv4 addresses to the target, which could potentially result in network connectivity issues if any of the ARP values collide.

CVE-2019-12262 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.

Vulnerability #9: TCP Urgent Pointer state confusion due to race condition
A threat actor could utilize this vulnerability to cause a buffer overflow and result in a crash the application that reads from the affected TCP socket, or could potentially allow the execution of arbitrary code on the affected device.

CVE-2019-12263 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned.

Vulnerability #10: Logical flaw in IPv4 assignment by the ipdhcpc DHCP client
A threat actor on the same LAN as the victim system could hijack a DHCP client session which may result in the victim incorrectly assigning a multicast IP address that originated from the threat actor.

CVE-2019-12264 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned.

Vulnerability #11: IGMP information leak via IGMPv3 specific membership report
This vulnerability may allow a threat actor on the same LAN as the victim system to transmit packets to the network that may contain information from packets that were previously sent/received by the network stack.

CVE-2019-12265 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned.

Risk Mitigation & User Action

Customers using affected products are encouraged evaluate their risk and when possible, combine the following risk mitigation strategies provided below with the general security guidelines.

Ensure all devices are placed behind an external firewall and add a rule to drop or block any TCP segment where the “URG-flag” is set.
Take the suggested actions for the products in the table below:

Product

Catalog Numbers

Suggested Actions

CompactLogix™ 5480 (EPIC Controller)

5069-L4

Upgrade to firmware version 32.013 (Download) or later.

Compact 5000™ I/O EtherNet/IP Adapter

5069-AEN2TR

Will not be patched. Suggested action is to migrate to the 5069-AENTR.

ControlLogix EtherNet/IP Module

1756-EN2TSC/A
1756-EN2TSC/B

Will not be patched as it has been discontinued.

ControlLogix EtherNet/IP Module

1756-EN2T/D
1756-EN2TP/A

1756-EN2TR/C
1756-EN2F/C
1756-EN4TR

1756-EN3TR/B

Upgrade to firmware version 11.002 (Download) or later.
(1756-EN4TR only) Upgrade to firmware version 3.001 (Download) or later.

ControlLogix EtherNet/IP Module

1756-EN2T/C

1756-EN2F/B

1756-EN2TR/B

1756-EN3TR/A

No fix . Upgrade to 1756-EN2T/D, 1756-EN2TP/A, 1756-EN2TR/C, 1756-EN2F/C
1756-EN4TR, or 1756-EN3TR/B

ControlLogix 5580

1756-L8

Upgrade to firmware version 30.015 (Download) or version 31.013 (Download) or version 32.013 (Download) or later.

GuardLogix 5580

1756-L8S

Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later.

CompactLogix 5380

5069-L3

Upgrade to firmware version 30.015 (Download) version 31.013 (Download) or version 32.013 (Download) or later.

Compact GuardLogix 5380

5069-L3S2

Upgrade to firmware version 31.013 (Download) or version 32.013 (Download) or later.

CompactLogix 5370

1769-L3
1769-L2
1769-L1

Upgrade to firmware version 32.013 (Download) or later.

CompactLogix GuardLogix 5370

1769-L3S

Upgrade to firmware version 28.015 (Download) or version 32.013 (Download) or later.

1783-NATR, Network Address Translation Route

1783-NATR

Upgrade to firmware version 1.005 (Download) or later.

Kinetix® 6200 Servo Multi-axis Drives

2094-SE02F-M00-Sx

Upgrade to firmware version 1.050 (Download) or later.

Kinetix® 6500 Servo Multi-axis Drives

2094-EN02D-M01-Sx

Upgrade to firmware version 3.005 (Download) or later.

SLC 500 EtherNet/IP Adapter

1747-AENTR

Upgrade to firmware version 2.003 (Download) or later.

CompactLogix E/IP Adapter

1769-AENTR

Upgrade to firmware version 1.002 (Download) or later.

General Security Guidelines

Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222, Port# 44818, Port #80, and Port #161 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation products, see Knowledgebase Article ID 898270.
Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Please recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1575 | PN1575 | Interniche Vulnerabilities present in Rockwell Automation Products – “INFRA:HALT”

Published Date:

August 09, 2021

Last Updated:

September 09, 2025

CVE IDs:

CVE-2020-25767, CVE-2020-35684, CVE-2020-35685, CVE-2021-31400, CVE-2021-36762, CVE-2020-25926, CVE-2021-31226, CVE-2021-31401, CVE-2021-31228, CVE-2020-25928, CVE-2020-25927, CVE-2021-31227, CVE-2020-27565, CVE-2020-35683

Products:

AADvance, 1715 Distributed I/O, 1715 Redundant I/O, ArmorStart

CVSS Scores:

8.2, 4.0

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

2.0

Revision History

Version 2.0 - September 9, 2025

Version 1.0 – August 9, 2021

Executive Summary

Rockwell Automation received a report from CERT/CC with research done by Forescout Technologies and Vdoo regarding fourteen vulnerabilities in the products listed below. If successfully exploited, these vulnerabilities may result in the products faulting and/or ceasing communications, requiring the power to be cycled to the product to recover.

Customers using affected versions of these products are encouraged to evaluate the following mitigations provided below and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided below.

Update 2.0 - September 9, 2025

Fix available for 1715-AENTR vulnerabilities

Product

Vulnerability

Affected Versions

Remediation

1715-AENTR

CVE-2020-35683

CVE-2020-35684

CVE-2020-35685

CVE-2021-31400

CVE-2021-31401

Firmware 3.003 and previous

Upgrade to Version 3.011 or later.

Affected Products

20-COMM-ER	All Versions
ArmorStart 28xE	All Versions
1715-AENTR	All Versions
AADvance Safety Controller	All Versions
AADvance Eurocard Controllers	All Versions

Vulnerability Details

CVE-2020-25767: Malformed DNS Response could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to form a malformed response to a DNS request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-25928: Malformed DNS Response could cause a device to fault due to a heap overflow.

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed DNS response, which would result in a heap-buffer overflow resulting in a possible information leak, remote code execution, or the device to fault and/or cease communications requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 9.8/10 [CRITICAL]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-25927: Malformed DNS Response could cause a device to fault.

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed DNS response, which would result in an Out-of-Bounds read resulting in a device fault and/or cessation of communications requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 8.2/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVE-2020-25926: Insufficiently randomized transaction IDs could facilitate DNS cache poisoning attacks

A REMOTE, UNAUTHENTICATED attacker may be able to poison the DNS cache of the device due to transaction IDs not being properly randomized.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 4.0/10 [MEDIUM]
Researcher CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

CVE-2020-27565: Malformed HTTP request could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-35683: Malformed ICMP packet could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed ICMP packet, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-35684: Malformed ICMP packet could cause a device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed ICMP packet, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-35685: TCP connections may be hikjacked due to an insufficiently random source

A REMOTE, UNAUTHENTICATED attacker may be able to hijack a TCP connection and spoof the device’s network connections.
See the links at the end of the article to obtain more technical information regarding this vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2021-31400: Malformed TCP segment could cause device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed TCP segment, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2021-31401: Malformed TCP header could cause device to fault

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed TCP header, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2021-31226: Malformed HTTP POST request could cause device to fault or bypass authentication

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP Post request, which would result in the device faulting and/or ceasing communications and requiring a power cycle, or possibly bypassing an authentication attempt.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 9.1/10 [CRITICAL]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE-2021-31227: Malformed HTTP POST request could cause device to fault by overwriting memory

A REMOTE, UNAUTHENTICATED attacker may be able to send a malformed HTTP Post request, which would result in the device faulting and/or ceasing communications and requiring a power cycle.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 7.5/10 [HIGH]
Researcher CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2021-31228: Non-random source port could lead to a spoofed DNS response

A REMOTE, UNAUTHENTICATED attacker may be able to spoof a DNS response, which would result in the device communicating with a potentially malicious server.
See the links at the end of the article to obtain more technical information regarding the vulnerability.

Researcher CVSS v3.1 Base Score: 4.0/10 [MEDIUM]
Researcher CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N

CVE-2021-36762: TFTP packet processing function does not ensure that the filename is null-terminated

Rockwell Automation is not impacted by this vulnerability

Risk Mitigation & User Action

Customers using the affected firmware are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

Product	Vulnerability	Mitigation
20-COMM-ER	CVE-2021-31226 CVE-2021-31227	Disable the webserver. See the product’s user manual for the procedure to do this.

General Security Guidelines

Use proper network infrastructure controls, such as firewalls, to help confirm that DNS traffic from unauthorized sources is blocked.

Block traffic to port 80 (HTTP) and ICMP traffic using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1571 | PN1571 | MicroLogix 1100 Persistent CPU Fault Vulnerability

Published Date:

July 09, 2021

Last Updated:

July 09, 2021

CVE IDs:

CVE-2021-33012

Products:

1763 MicroLogix 1100

CVSS Scores:

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – July 9, 2021. Initial Release

Executive Summary

Rockwell Automation received a report from Beau Taub at Bayshore Networks regarding a vulnerability in the MicroLogix 1100. If successfully exploited, this vulnerability may limit the availability of the programmable logic controller. Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

MicroLogix 1100, all versions.

Vulnerability Details

CVE-2021-33012: Persistent fault may lead to denial of service conditions.

A vulnerability exists in the MicroLogix 1100 that may allow a remote, unauthenticated attacker to cause a persistent fault condition. This condition will prevent the PLC from entering a RUN state which cannot be fixed by resetting the device. If successfully exploited, this vulnerability will cause the controller to fault when the controller is switched to RUN mode.

CVSS v3.1 Base Score: 8.6 /10 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected firmware are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Vulnerability	Suggested Actions
CVE-2021-33012	Put the controller mode switch to “Run” mode. Customer’s should consider migrating to a more contemporary controller. Customers are encouraged to have a backup copy of the project in the case it is necessary to recover from an event.

A controller in this state can be recovered by downloading a new project to the controller or an offline copy of the project.

Additionally, Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines on how to use Rockwell Automation products to improve the security of their industrial automation systems.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Use proper network infrastructure controls, such as firewalls, to help confirm that EtherNet/IP™ network traffic from unauthorized sources are blocked.
Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products

General Mitigations

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.

Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1569 | PN1569 | FactoryTalk Security Remote Desktop Connection ‘Computer Name’ Policy Bypass Vulnerability

Published Date:

June 10, 2021

Last Updated:

June 10, 2021

CVE IDs:

CVE-2021-32960

Products:

FactoryTalk Services Platform

CVSS Scores:

8.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - June 10, 2021. Initial Release.

Executive Summary

Rockwell Automation discovered a vulnerability in FactoryTalk^® Security, part of FactoryTalk Service Platform. This vulnerability, if successfully exploited, may allow remote, authenticated users to bypass FactoryTalk Security policies that are based on a computer name. These policies may be important to customers who are concerned about users at an engineering workstation having ‘line-of-site’ visibility to the systems they are operating.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed.

Vulnerability Details

CVE-2021-32960: FactoryTalk Security protection mechanism failure for remote desktop connections
FactoryTalk Services Platform contains a vulnerability that may allow a remote, authenticated attacker to bypass FactoryTalk Security policies based on the computer name. If successfully exploited, this may allow an attacker to have the same privileges as if they were logged on to the client machine.

CVSS v3.1 Base Score: 8.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these tactics with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability	Suggested Actions
CVE-2021-32960	Apply FactoryTalk Services Platform v6.20 or later.

If upgrade is not possible, customers should consider the following guidance:

When possible, do not utilize remote desktop connections.
Use Microsoft® Event Logger or similar event logging application to monitor atypical remote desktop connections and disconnections. Information on Setting up Windows® Event Logs is available at Knowledgebase Article QA5965.

General Security Guidelines

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knoweldgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Medium

PN1566 | PN1566 | Micro800 and MicroLogix 1400 Vulnerable to Man-in-the-Middle Attack

Published Date:

May 25, 2021

Last Updated:

May 25, 2021

CVE IDs:

CVE-2021-32926

Products:

Micro800, 1766 MicroLogix 1400

CVSS Scores:

6.1

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – May 25, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Adeen Ayub from Virginia Commonwealth University, Hyunguk Yoo from The University of New Orleans, and Irfan Ahmed from Virginia Commonwealth University regarding a man-in-the-middle vulnerability in the Micro800™ and MicroLogix™ 1400. If successfully exploited, this vulnerability may result in denial-of-service conditions. To recover from this condition, a firmware flash on the controller will need to be performed. Firmware flashing will put the controller into the default state and the user program and data will be lost.

Customers using affected products are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Micro800, all versions.
MicroLogix 1400, version 21 and later when Enhanced Password Security enabled.

Vulnerability Details

CVE-2021-32926: Improper authentication may lead to denial of service conditions
A vulnerability exists in how the Micro800 and MicroLogix 1400 controllers authenticate password change requests. If successfully exploited, this vulnerability may allow a remote, unauthenticated attacker to perform a man –in-the-middle attack in which the attacker intercepts the message that includes the legitimate, new password hash and replaces the legitimate password hash with an illegitimate hash. The user would no longer be able to authenticate to the controller causing a denial-of-service condition.

CVSS v3.1 Base Score: 6.1/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected controllers are directed towards risk mitigation. Rockwell Automation has determined that this vulnerability cannot be remediated with a patch. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

Vulnerability	Suggested Actions
CVE-2021-32926	Confirm that setting and updating the password for the controller is done within a trusted network environment that is only accessible to authorized users.

If this vulnerability is successfully exploited, the password can be reset by performing a firmware flash on the controller. The password can be reset by performing a firmware flash on the controller. Firmware flashing will put the controller into the default state and the user program and data will be lost.

A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To leverage the vulnerability, an unauthorized user would require access to the same network as the controller. Customers should confirm they are employing proper networking segmentation and security controls.

Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines on how to use Rockwell Automation products to improve the security of their industrial automation systems.

General Security Guidelines

Use proper network infrastructure controls, such as firewalls, to confirm that CIP™ traffic from unauthorized sources is blocked.
Block all traffic to EtherNet/IP™ or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 44818 and Port# 2222 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1565 | PN1565 | Connected Components Workbench Vulnerable to Multiple Phishing-Style Attacks

Published Date:

May 13, 2021

Last Updated:

May 13, 2021

CVE IDs:

CVE-2021-27473, CVE-2021-27471, CVE-2021-27475

Products:

Connected Components Workbench

CVSS Scores:

6.1, 7.7, 8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - May 13, 2021. Initial Release.

Executive Summary

Rockwell Automation received a report from Mashav Sapir of Claroty regarding three vulnerabilities in Connected Components Workbench™. If successfully exploited, these vulnerabilities may result in directory traversal, privilege escalation, and arbitrary code execution. These vulnerabilities all require user interaction through a phishing attack, for example, to be successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Connected Components Workbench v12.00.00 and below.

Vulnerability Details

CVE-2021-27475: Deserialization of untrusted data may result in arbitrary code execution
Connected Components Workbench does not limit the objects, which can be deserialized. This vulnerability allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in remote code execution. This vulnerability requires user interaction to be successfully exploited.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2021-27471: Directory traversal vulnerability may lead to privilege escalation
The parsing mechanism that processes certain file types does not provide input sanitization for file paths. This may allow an attacker to craft malicious files that when opened by Connected Components Workbench can traverse the file system. If successfully exploited, an attacker would be able to overwrite existing files and create additional files with the same permissions of the Connected Components Workbench software. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 7.7/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2021-27473: Improper input sanitization may lead to privilege escalation
Connected Components Workbench does not to sanitize paths specified within the .ccwarc archive file during extraction. This type of vulnerability is also commonly referred to as a Zip Slip. A local, authenticated attacker can create a malicious .ccwarc archive file that when opened by Connected Components Workbench will allow the attacker to gain the privileges of the software. If the software is running at SYSTEM level, the attacker will gain admin level privileges. User interaction is required for this exploit to be successful.

CVSS v3.1 Base Score: 6.1/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Risk Mitigation & User Action

Customers using the affected software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability	Suggested Actions
CVE-2021-27475 CVE-2021-27471 CVE-2021-27471	Upgrade to Connected Components Workbench v13.00.00 or later. (Link)

If upgrade is not possible, customers should consider deploying the following mitigations:

Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Do not open untrusted .ccwarc, files with Connected Components Workbench. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Use of Microsoft® AppLocker or another similar allow list application that can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Critical

PN1564 | PN1564 | DNS Name:Wreck Vulnerabilities Affect Multiple Rockwell Automation Products

Published Date:

April 28, 2021

Last Updated:

April 28, 2021

CVE IDs:

CVE-2016-20009

Products:

5069 CompactLogix, Communications Modules, 1769 CompactLogix Controllers, 1756 ControlLogix

CVSS Scores:

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - April 26, 2021. Initial release.

Revision History

Revision Number

1.1

Revision History

Version 1.1 - April 28, 2021. Updated affected products and suggested user actions.

Executive Summary

On April 12, 2021 Forescout and JSOF released a report titled "NAME:WRECK" regarding nine DNS-related vulnerabilities against 4 TCP/IP stacks utilized by many different technology vendors, including Rockwell Automation™. Rockwell Automation is impacted by one of these nine reported vulnerabilities. This vulnerability, if successfully exploited, may result in remote code execution.

Rockwell Automation continues to investigate impact of these vulnerabilities and will update this advisory if additional products are impacted. We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knoweldgebase.

Customers using potentially affected products are encouraged to evaluate their own systems and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerablity and recommended countermeasures, are provided herein.

Affected Products

Product Family	Catalogs	Affected Versions
Compact 5000™ I/O EtherNet/IP Adapter	5069-AEN2TR	All versions.
CompactLogix 5370	1769-L1y 1769-L2y 1769-L3y	All versions prior to v30.
CompactLogix 5370	1769-L3yS	All versions prior to v30, excluding v28.015
ControlLogix® 5580	1756-L8	All versions prior to v30.
CompactLogix 5380	5069-L3	All versions prior to v30.
ControlLogix EtherNet/IP Module	1756-EN2T/D 1756-EN2TK/D 1756-EN2TXT/D 1756-EN2F/C 1756-EN2FK/C 1756-EN2TR/C 1756-EN2TRK/C 1756-EN2TRXT/C 1756-EN3TR/B 1756-EN3TRK/B 1756-EN2TPK/A 1756-EN2TPXT/A	All versions prior to v11.001.
ControlLogix EtherNet/IP Module	1756-EN2TP/A	All versions prior to v10.020.

Note: GuardLogix^® 5580 and Compact GuardLogix^® 5380 are not affected by this vulnerability.

Vulnerability Details

CVE-2016-20009: Stack-based overflow in the IPnet may lead to remote code execution
In Wind River VxWorks versions 6.5 through 7, the DNS client (IPnet) has a stack-based overflow on the message decompression function. This may allow a remote, unauthenticated attacker to perform remote code execution.

CVSS v3.1 Base Score: 9.8/10[CRITICAL]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family	Catalogs	Suggested Actions
Compact 5000™ I/O EtherNet/IP Adapter	5069-AEN2TR	Will not be patched. Suggested action is to migrate to the 5069-AENTR.
CompactLogix 5370	1769-L1y 1769-L2y 1769-L3y	Apply v30 or later.
CompactLogix 5370	1769-L3yS	Apply v28.015 or v30 or later
ControlLogix® 5580	1756-L8	Apply v30 or later.
CompactLogix 5380	5069-L3	Apply v30 or later.
ControlLogix EtherNet/IP Module	1756-EN2T/D 1756-EN2TK/D 1756-EN2TXT/D 1756-EN2F/C 1756-EN2FK/C 1756-EN2TR/C 1756-EN2TRK/C 1756-EN2TRXT/C 1756-EN3TR/B 1756-EN3TRK/B 1756-EN2TPK/A 1756-EN2TPXT/A	Apply v11.001 or later.
ControlLogix EtherNet/IP Module	1756-EN2TP/A	Apply v10.020 or later.

General Security Guidelines

Utilize proper network infrastructure controls, such as firewalls, to help confirm that traffic from unauthorized sources are blocked.
Consult the product documentation for specific features, such as a hardware mode switch setting which may be used to block unauthorized changes, etc.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knoweldgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Critical

PN1559 | PN1559 | FactoryTalk AssetCentre Vulnerable to Arbitrary Code Execution

Published Date:

April 01, 2021

Last Updated:

April 01, 2021

CVE IDs:

CVE-2021-27466, CVE-2021-27460, CVE-2021-27474, CVE-2021-27468, CVE-2021-27470, CVE-2021-27462, CVE-2021-27464, CVE-2021-27476, CVE-2021-27472

Products:

FactoryTalk AssetCentre

CVSS Scores:

10

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – April 1, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding nine vulnerabilities in FactoryTalk^® AssetCentre software. These vulnerabilities, if successfully exploited, may allow unauthenticated attackers to perform arbitrary command execution, SQL injection, or remote code execution.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk AssetCentre, v10.00 and earlier.

Vulnerability Details

CVE-2021-27462: Deserialization of untrusted data in AosService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the AosService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27466: Deserialization of untrusted data in ArchiveService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the ArchiveService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27470: Deserialization of untrusted data in LogService.rem service may result in arbitrary command execution
A deserialization vulnerability exists in how the LogService.rem service in FactoryTalk AssetCentre verifies serialized data. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27474: Improperly restricted functions may result in loss of data integrity
FactoryTalk AssetCentre does not properly restrict all functions relating to IIS remoting services. This vulnerability may allow a remote, unauthenticated attacker to modify sensitive data in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27476: RACompareService service vulnerable to OS command injection
A vulnerability exists in the SaveConfigFile function of the RACompareService service that may allow for OS Command Injection. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands in FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27472: SearchService service vulnerable to SQL injection
A vulnerability exists in the RunSearch function of SearchService service, which may allow for the execution of remote unauthenticated arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27468: AosService.rem vulnerable to SQL injection
The AosService.rem service exposes functions that lack proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27464: ArchiveService.rem vulnerable to SQL injection
The ArchiveService.rem service exposes functions that lack proper authentication. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary SQL statements.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2021-27460: Server deserialization of untrusted data in .NET remoting endpoints may lead to remote code execution
FactoryTalk AssetCentre components contain .NET remoting endpoints that deserialize untrusted data without sufficiently verifying that the resulting data will be valid. This vulnerability may allow a remote, unauthenticated attacker to gain full access to the FactoryTalk AssetCentre main server and all agent machines.

CVSS v3.1 Base Score: 10/10[Critical]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Vulnerability

Suggested Actions

CVE-2021-27462
CVE-2021-27466
CVE-2021-27470
CVE-2021-27474
CVE-2021-27476
CVE-2021-27472
CVE-2021-27468
CVE-2021-27464
CVE-2021-27460

Apply FactoryTalk AssetCentre v11 or above (Download).

As an additional mitigation, customers who are unable to upgrade or are concerned about unauthorized client connections are encouraged to deploy IPsec, a built in security feature found within FactoryTalk AssetCentre. Users should follow guidance found in QA46277. IPsec would minimize exposure to unauthorized clients and has been tested in FactoryTalk AssetCentre v9 – v11.

General Security Guidelines

Software/PC-based Mitigation Strategies

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft^® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Medium

PN1588 | PN1588 | File Parsing XML Entity in Multiple Products

Published Date:

March 28, 2021

Last Updated:

March 28, 2021

CVE IDs:

CVE-2022-1018

Products:

Using CCW with Micro800 Controllers, ISaGRAF, Using CCW with Component Class Drives, Using CCW with PanelView Component Terminals

CVSS Scores:

5.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.0 – March 28, 2021

Executive Summary

Rockwell Automation received a report from the researcher Kimiya through Trend Micro’s Zero Day Initiative which identified vulnerabilities in Connected Components Workbench, ISaGRAF Workbench and Safety Instrumented Systems Workbench for AADvance and Trusted controllers. If successfully exploited, these vulnerabilities may result in information leakage and loss of confidentiality. This vulnerability requires user interaction through a phishing attack, for example, to be successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Connected Component Workbench Version 12.00 and Below
ISaGRAF Workbench 6.6.9 and below
Safety Instrumented Systems Workstation 1.1 and below

Vulnerability Details

CVE-2022-1018 XML External Entity Leads to Information Leak

When opening a malicious solution file provided by an attacker, the application suffers from an XML External Entity vulnerability due to an unsafe call within a dynamic link library file.

As a result, this could be exploited to pass data of local files of the victim to a remote web server controlled by an attacker leading to a loss of confidentiality.

CVSS v3.1 Base Score: 5.5/10 [Medium]
CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected versions of this software are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product	Suggested Actions
Connected Components Workbench Version 12.00 and below	Customers should update to Version 13.00 which mitigates this vulnerability.
ISaGRAF Workbench 6.6.9 and below	It is recommended that customers follow the guidelines below until a patch is available.
SIS Workstation 1.1 and below	Customers should update to version 1.2 which mitigates this vulnerability.

If an upgrade is not possible or available, customers should consider deploying the following mitigations:

Run Connected Components Workbench as a User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Do not open untrusted files with Connected Component Workbench, ISaGRAF, SISW. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Security Guidelines

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the PSIRT Inbox (PSIRT@rockwellautomation.com).

Additional Links

High

PN1558 | PN1558 | Stratix Switches Impacted by IOS and IOS XE Software Vulnerabilities

Published Date:

March 26, 2021

Last Updated:

March 26, 2021

CVE IDs:

CVE-2021-1452, CVE-2021-1442, CVE-2021-1443, CVE-2021-1392, CVE-2021-1403, CVE-2021-1220, CVE-2021-1352

Products:

Stratix 5400 Industrial Ethernet Switch, Stratix 8300 L3 Modular Managed Switch, Stratix 5410 Ind Distribution Switch, Stratix 8000 Modular Managed Switch

CVSS Scores:

7.8, 7.4, 6.8, 4.3, 5.5, 7.0

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - March 26, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Cisco regarding eight vulnerabilities in Stratix^® switches. If successfully exploited, these vulnerabilities may result in denial-of-service conditions, unauthorized privilege escalation, web socket hijacking, relative path traversal or command injection.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

CVE ID	Affected Product Family	Affected Versions
CVE-2021-1392	Stratix 5800	16.12.01 and earlier
	Stratix 8000 Stratix 5700 Stratix 5410 Stratix 5400	15.2(7)E3 and earlier
	Stratix 8300	All Versions
CVE-2021-1403	Stratix 5800	16.12.01 and earlier
CVE-2021-1352	Stratix 5800	17.04.01 and earlier, if DECnet is enabled.
CVE-2021-1442	Stratix 5800	16.12.01 and earlier
CVE-2021-1452	Stratix 5800	16.12.01 and earlier
CVE-2021-1443	Stratix 5800	17.04.01 and earlier
CVE-2021-1220 CVE-2021- 1356	Stratix 5800	17.04.01 and earlier

Vulnerability Details

CVE-2021-1392: IOS and IOS XE Software Common Industrial Protocol (CIP) Privilege Escalation Vulnerability
A vulnerability in the CLI command permissions of Cisco® IOS and Cisco IOS XE software could allow an authenticated, local attacker to retrieve the password for Common Industrial Protocol (CIP™) and then remotely configure the affected device as an administrative user.

CVSS v3.1 Base Score: 7.8/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1403: IOS XE Software Web UI Cross-Site WebSocket Hijacking Vulnerability
A vulnerability in the web UI feature of Cisco IOS XE software could allow an unauthenticated, remote attacker to conduct a cross-site WebSocket hijacking (CSWSH) attack and cause a denial of service (DoS) condition on an affected device.

CVSS v3.1 Base Score: 7.4/10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H

CVE-2021-1352: IOS XE Software DECnet Phase IV/OSI Denial of Service Vulnerability
A vulnerability in the DECnet protocol processing of Cisco IOS XE software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. An attacker could exploit this vulnerability by sending DECnet traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

This vulnerability affects Stratix 5800 devices if they are running a vulnerable release of Cisco IOS XE software and have the DECnet protocol enabled. DECnet is not enabled by default.

CVSS v3.1 Base Score: 7.4 /10[High]
CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2021-1442: IOS XE Software Plug-and-Play Privilege Escalation Vulnerability
A vulnerability in a diagnostic command for the Plug and Play (PnP) subsystem of Cisco IOS XE software could allow an authenticated, local attacker to elevate privileges to the level of an Administrator on an affected Stratix 5800.

Plug and Play is disabled after Express Setup has completed.

CVSS v3.1 Base Score: 7.0/10[High]
CVSS v3.1 Vector: CVSS: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1452: IOS XE ROM Monitor Software OS Command Injection Vulnerability
A vulnerability in the Stratix 5800 switches could allow an unauthenticated, physical attacker to execute persistent code at boot time and break the chain of trust.

CVSS v3.1 Base Score: 6.8/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2021-1443: IOS XE Software Web UI OS Command Injection Vulnerability
A vulnerability in the web UI of the IOS XE software could allow a remote, authenticated attacker to execute arbitrary code with root privileges on the underlying operating system of the affected device. To exploit this vulnerability, an attacker would need to have Admin credentials to the device.

CVSS v3.1 Base Score: 5.5/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

CVE-2021-1220/CVE-2021- 1356: IOS XE Software Web UI Denial-of-Service Vulnerabilities
Multiple vulnerabilities in the Web UI feature of IOS XE software could allow an authenticated, remote attacker with read-only privileges to cause the web management software to hang and consume vty line instances resulting in a denial-of-service (DoS) condition.

CVSS v3.1 Base Score: 4.3/10[Medium]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected Stratix devices are encouraged to update to an available firmware revision that addresses the associated risk.

Where a fix is not yet available, customers are directed towards the risk mitigation strategies provided below, and are encouraged, when possible, to apply general security guidelines to employ multiple strategies simultaneously.

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available.

CVE ID	Affected Product Family	Affected Firmware Versions	Suggested Actions
CVE-2021-1392	Stratix 5800	16.12.01 and earlier	Apply version 17.04.01 or later.
	Stratix 8000 Stratix 5700 Stratix 5410 Stratix 5400	15.2(7)E3 and earlier	Confirm that the least-privilege user principle is followed, and user account access to is only granted with a minimum number of rights as needed.
	Stratix 8300	All Versions	Migrate to contemporary solution.
CVE-2021-1403	Stratix 5800	16.12.01 and earlier	Apply version 17.04.01 or later.
CVE-2021-1352	Stratix 5800	17.04.01 and earlier, if DECnet is enabled.	If possible, disable DECnet protocol completely or on select interfaces. To reduce risk, customers should confirm they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. See the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense in depth strategies.
CVE-2021-1442	Stratix 5800	16.12.01 and earlier	Apply version 17.04.01 or later.
CVE-2021-1452	Stratix 5800	16.12.01 and earlier	Apply version 17.04.01 or later.
CVE-2021-1443	Stratix 5800	17.04.01 and earlier	Confirm that the least-privilege user principle is followed, and user account access to is only granted with a minimum number of rights as needed.
CVE-2021-1220 CVE-2021- 1356	Stratix 5800	17.04.01 and earlier	Confirm that the least-privilege user principle is followed, and user account access to is only granted with a minimum number of rights as needed.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Us proper network infrastructure controls, such as firewalls, to help confirm that traffic from unauthorized sources is blocked.
Consult the product documentation for specific features, such as a hardware mode switch setting, to which may be used to block unauthorized changes, etc.

Software/PC-based Mitigation Strategies

Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations

Use trusted firmware, antivirus/antimalware programs and interact only with trusted websites and attachments.

Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715..
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

High

PN1551 | PN1551 | 1734-AENTR Series B and Series C Contains Multiple Web Vulnerabilities

Published Date:

March 04, 2021

Last Updated:

March 04, 2021

CVE IDs:

CVE-2020-14504, CVE-2020-14502

Products:

1734 Point I/O

CVSS Scores:

7.5, 4.7

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 – March 4, 2021. Initial Release.

Executive Summary

Rockwell Automation received a report from Adam Eliot of the Loon Security Team regarding two vulnerabilities in the web interface of the 1734-AENTR Series B and Series C communications module. If successfully exploited, these vulnerabilities may lead to data modification on the device.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

1734-AENTR Series B, versions 4.001 to 4.005, and 5.011 to 5.01.
1734-AENTR Series C, versions 6.011 and 6.012.

Vulnerability Details

CVE-2020-14504: Unauthenticated HTTP POST Requests
The web interface of the 1734-AENTR communication module mishandles authentication for HTTP POST requests. A remote, unauthenticated attacker can send a crafted request which may allow for modification of the configuration settings.

CVSSv3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE-2020-14502: Stored Cross Site Scripting (XXS)
The web interface of the 1734-AENTR Communications module is vulnerable to stored XSS. A remote, unauthenticated attacker could store a malicious script within the web interface that, when executed, could modify some string values on the “Home” page of the web interface.

CVSS v3.1 Base Score: 4.7/10 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Risk Mitigation & User Action

Customers using the affected 1734-AENTR Series B and Series C are encouraged to update to an available firmware version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability Details	Recommended User Actions
CVE-2020-14504 CVE-2020-14502	1734-AENTR Series B, update to firmware version 5.018. (Download). 1734-AENTR Series C, update to firmware version 6.013. (Download).

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.

General Mitigations

Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

High

PN1543 | PN1543 | Writable Path Directory in DriveTools SP and Drives AOP

Published Date:

February 15, 2021

Last Updated:

February 15, 2021

CVE IDs:

CVE-2021-22665

Products:

9303 DriveTools SP

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.1

Executive Summary

Rockwell Automation received a report from both Cim Stordal of Cognite and Claroty regarding a vulnerability in DriveTools™ and Drives AOP. If successfully exploited, this vulnerability may result in privilege escalation and total loss of device confidentiality, integrity, and availability.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Special thanks to both Cognite and Claroty for their work discovering this vulnerability.

Affected Products

DriveExecutive v5.13 and below.
DriveTools SP v5.13 and below.
Drives AOP v4.12 and below.

Vulnerability Details

CVE-2021-22665: Privilege Escalation Vulnerability due to Uncontrolled Search Path Element
DriveTools and Drives AOP both contain a vulnerability that a local attacker with limited privileges may be able to exploit resulting in privilege escalation and complete control of the system.

CVSS v3.1 Score: 7.5/10 High
CVSS v3.1 Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards the risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability	Suggested Actions
CVE-2021-22665	Apply DriveTools SP v5.14 or later Download). Apply Drives AOP v4.13 or later (Download).

Customers using affected versions can reach out to their account manager or distributor to request a newer version.

General Security Guidelines

Software/PC-based Mitigation Strategies

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329 .
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

General Mitigations

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
Locate control system networks and devices behind firewalls and isolate them from the business network.

When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1531 | PN1531 | 1794-AENT Flex I/O Series B Contains Multiple Denial of Service Vulnerabilities

Published Date:

February 02, 2021

Last Updated:

February 02, 2021

CVE IDs:

CVE-2020-6085, CVE-2020-6084, CVE-2020-6088, CVE-2020-6083, CVE-2020-6087, CVE-2020-6086

Products:

Flex I/O, 1794 Flex, 1794/5094 Distributed I/O

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.1

Revision History

November 4, 2020 - Version 1.1. Updated Vulnerability Details.

October 12, 2020 - Version 1.0. Initial Version.

Revision History

Revision Number

2.0

Revision History

February 2, 2021 - Version 2.0. Updated Risk Mitigation & User Actions.

Executive Summary

Rockwell Automation received a report from Jared Rittle of Cisco Talos regarding three vulnerabilities in the 1794-AENT Flex I/O Series B adapter. If successfully exploited, these vulnerabilities may lead to denial-of-service conditions.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

1794-AENT Flex I/O, Series B, versions 4.003 (and earlier).

Vulnerability Details

CVE-2020-6083: Denial of Service due to Ethernet/IP Request Path Port Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Port Segment. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in a denial-of-service condition on the device.

CVSS v3.1 Base Score: 7.5 /10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-6084, CVE-2020-6085: Denial of Service due to Ethernet/IP Request Path Logical Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Logical Segment. This vulnerability could allow a remote unauthenticated attacker to send a malicious packet resulting in the device entering a fault state causing a denial-of-service condition.

CVSS v3.1 Base Score:7.5 /10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-6086, CVE-2020-6087: Denial of Service due to Ethernet/IP Request Path Data Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Data Segment. This vulnerability could allow a remote unauthenticated attacker to send a malicious packet resulting in the device entering a fault state causing a denial-of-service condition.

CVSS v3.1 Base Score:7.5 /10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Version 1.1 Update:
CVE-2020-6088: Denial of Service due to Ethernet/IP Request Path Network Segment Buffer Overflow
A buffer overflow vulnerability exists in the Ethernet/IP Request Path Network Segment. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in a denial-of-service condition on the device.

CVSS v3.1 Base Score: 7.5 /10 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected firmware versions are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Vulnerabilities	Affected Products	Suggested Mitigations
CVE-2020-6083 CVE-2020-6084 CVE-2020-6085 CVE-2020-6086 CVE-2020-6087 CVE-2020-6088	1794-AENT Flex I/O, Series B, firmware versions 4.003 and earlier	Version 2.0: Apply firmware v4.004 (download). Version 1.0: It is recommended for customers to use this module in the Cell Area/Zone (Level 1) as defined on page 16 of the System Security Design Guidelines and only accept CIP connections from trusted sources via port 44818. For successful exploitation, these vulnerabilities require Ethernet/IP packets to reach the destination device. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies Customers should consider using proper network infrastructure controls, such as firewalls, UTM devices, VPN, or other security appliances.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.

Social Engineering Mitigation Strategies

Do not click on or open URL links from untrusted sources.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@rockwellautomation.com).

High

PN1545 | PN1545 | Modbus Vulnerability may lead to Denial-of-Service conditions in the MicroLogix 1400 Controller

Published Date:

January 28, 2021

Last Updated:

January 28, 2021

CVE IDs:

CVE-2021-22659

Products:

1766 MicroLogix 1400

CVSS Scores:

8.1

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - January 28, 2021. Initial release.

Executive Summary

Rockwell Automation received a report from Parul Sindhwad and Dr. Faruk Kazi from COE-CNDS, Veermata Jijabai Technological Institute (VJTI), India regarding a vulnerability in the MicroLogix™ 1400 controller. If successfully exploited, this vulnerability may result in denial-of-service conditions.

This vulnerability does not impact MicroLogix 1400 controller users who have Modbus TCP disabled.

Customers using affected versions of this controller are encouraged to evaluate the following mitigations and apply them appropriately to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

MicroLogix 1400, all series version 21.6 and below.

Vulnerability Details

CVE-2021-22659: Buffer Overflow may lead to Denial-of-Service Conditions
A remote, unauthenticated attacker may be able to send specially crafted Modbus packet which would allow the attacker to retrieve or modify random values in the register. If successfully exploited, this may lead to a buffer overflow resulting in a denial-of-service condition. The FAULT LED will flash RED and communications may be lost. Recovery from denial-of-service condition requires the fault to be cleared by the user.

CVSS v3.1 Base Score: 8.1/10[HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H

Risk Mitigation & User Action

Customers using the affected controller are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

All users, if applicable, may disable Modbus TCP support if it is not necessary for their MicroLogix 1400 implementation. Without Modbus TCP enabled, a potential attacker does not have access to exploit the device using this vulnerability.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Utilize proper network infrastructure controls (such as firewalls) to help ensure Modbus TCP from unauthorized sources are blocked.
Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article BF7490.

Software/PC-based Mitigation Strategies

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft® AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article QA17329.
Ensure that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

General Mitigations

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index. .

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Medium

PN794 | PN794 | RSLogix 5000 Studio 5000 Logix Designer Source Protection Vulnerability

Published Date:

January 25, 2021

Last Updated:

January 25, 2021

CVE IDs:

CVE-2014-0755

Products:

Logix Designer

CVSS Scores:

6.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

2.0

Revision History

Version 2.0 – January 25, 2021 – Advisory updated for clarification.

Revision History

Revision Number

1.0

Revision History

Version 1.0 – February 04, 2014 – Initial Release. Originally Titled “RSLogix™ 5000 Password Vulnerability”.

Executive Summary

It has come to Rockwell Automation’s attention that a vulnerability exists in RSLogix 5000^®and Studio 5000 Logix Designer^® that, when exploited, provides access to content that was secured using Source Key Protection, and in some instances, may expose the password used for that protection.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Project content applying access control with Source Key Protection using an sk.dat file in RSLogix 5000 and/or Studio 5000 product software v7 and above.

Note: This does not apply to project content protected with License Source Protection. To determine what solution is in use, refer to Logix 5000 Controllers Security, 1756-PM016O-EN-P.

Vulnerability Details

CVE-2014-0755: Insufficiently Protected Credentials
A vulnerability exists in RSLogix 5000 and Studio 5000 Logix Designer that, when exploited, may allow a local, unauthenticated attacker to access and modify project files that are password protected using Source Key Protection and, in some instances, may expose those passwords. Project files include files with the ACD, L5X, or L5K extensions. Successful exploitation will not directly disrupt the operation of Rockwell Automation programmable controllers or other devices in the control system.

CVSS v2 Base Score: 6.3
CVSS v2 Vector: AV:L/AC:M/AU:N/C:C/I:C/A:N

Risk Mitigation & User Action

Customers using the affected software versions are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed toward the risk mitigation strategies provided below and are encouraged, when possible, to combine these tactics with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability Details

Recommended User Actions

CVE-2014-0755

Risk Mitigation Strategy A:
For stronger protection, apply License Source Protection introduced in v26.

To apply License Source Protection to content that is protected with Source Key Protection, the Source Key Protection must be removed prior to applying License Source Protection. Once content is protected with License Source Key, it must be downloaded to the appropriate controller to mitigate the risk associated with this vulnerability. Refer to Logix
5000 Controllers Security, 1756-PM016O-EN-P (rockwellautomation.com) for more information about Source Protection

Risk Mitigation Strategy B:
In addition to using current software, we also recommend the following actions to concerned customers who continue to use Source Key Protection. Where possible:

Adopt a practice to track creation and distribution of protected ACD files, including duplicates and derivates that contain protected content if these files may need to be found or potentially disposed of in the future.

Securely archive project files that contain content password protected with Source Key Protection in a manner that prevents unauthorized access. For instance, store project files that use Source Key Protection in physical and logical locations where access can be controlled, and the files are stored in a protected and potentially encrypted manner.

Securely transmit project files that contain content password protected with Source Key Protection in a manner that prevents unauthorized access. For instance, email stored project files that use Source Key Protection only to known recipients and encrypt the files such that only the target recipient can decrypt the content.

Restrict the physical network access to controllers containing password protected content only to authorized parties to help prevent unauthorized uploading of protected material in an ACD file. Note: For some customers, FactoryTalk Security software may be a suitable option to assist customers with applying a role-based access control solution to their system. FactoryTalk Security was integrated into RSLogix 5000 v10.00 and above.

Adopt a password management practice to periodically change passwords applied to routines and Add-On Instructions to help mitigate the risk that a learned password may remain useable for an extended period or indefinitely.

IMPORTANT: Files with Source Key Protection password protected content that have been opened and updated using v20.03 software and above will no longer be compatible with earlier versions of the software. For example, a v20.01 project file with password protected content that has been opened and re-saved using v20.03 software can only be opened with v20.03 software and higher. Also, a v21.00 project file with protected content that has been opened and re-saved using v21.03 software can only be opened with v21.03 and higher versions of software.

For the procedure to update older project files to v20.03 (or later), refer to the FAQ for V20.03 at KnowledgeBase ID: IN64.

General Security Guidelines

Software/PC-based Mitigation Strategies
The following Software/PC Mitigations may be appropriate to include when the vulnerability is within a software product running on a PC:

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft AppLocker or other similar allow list application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

General Mitigations

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.

Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715..
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1540 | PN1540 | FactoryTalk Linx and FactoryTalk Services Platform Contain Denial-of-Service Vulnerabilities

Published Date:

January 22, 2021

Last Updated:

January 22, 2021

CVE IDs:

CVE-2020-5806, CVE-2020-5801, CVE-2020-5802, CVE-2020-5807

Products:

FactoryTalk Linx Gateway, FactoryTalk Services Platform, FactoryTalk Linx / RSLinx Enterprise

CVSS Scores:

7.5, 6.2, 4.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

2.0

Revision History

Version 3.0 - January 22, 2021. Updated and Corrected Risk Mitigation & User Actions.

Version 2.0 - January 14, 2021. Updated Risk Mitigation & User Actions.

Version 1.0 - December 27, 2020. Initial Version.

Executive Summary

Rockwell Automation received a report from Tenable regarding 4 vulnerabilities. Three of these vulnerabilities are within FactoryTalk® Linx software and the fourth is in FactoryTalk Services Platform. If successfully exploited, these vulnerabilities may result in denial-of-service conditions.

Nearly all FactoryTalk software ships with a FactoryTalk Services Platform. If you are unsure if you have the FactoryTalk Services Platform installed, please see Knowledgebase ID QA5266 for additional details.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Vulnerability	Affected Products
CVE-2020-5801	FactoryTalk Linx version 6.20 and earlier.
CVE-2020-5802	FactoryTalk Linx version 6.20 and earlier.
CVE-2020-5806	FactoryTalk Linx versions 6.10, 6.11, and 6.20.
CVE-2020-5807	FactoryTalk Services Platform version 6.20 and earlier.

Vulnerability Details

CVE-2020-5801 and CVE-2020-5802: Denial-of-Service due to Unhandled Exception
An unhandled exception vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe causing a denial of service condition.

CVSS v3.1 Base Score: 7.5 [HIGH]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-5806: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Linx. This vulnerability could allow a local, unauthenticated attacker to send a malicious packet resulting in the termination of RSLinxNG.exe causing a denial-of-service condition.

CVSS v3.1 Base Score: 6.2 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-5807: Denial-of-Service due to Buffer Overflow
A buffer overflow vulnerability exists within a .dll in FactoryTalk Services Platform. This vulnerability could be exploited via a phishing attack in which an attacker sends a specially crafted log file to a local user. When the malicious log file is opened by a local user, it can cause a buffer overflow in the FactoryTalk Services Platform resulting in temporary denial-of-service conditions. Users can recover from the condition by reopening the impacted software.

CVSS v3.1 Base Score: 4.3 [MEDIUM]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Risk Mitigation & User Action

Customers using the affected software are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Version 3.0: Correction

Vulnerability	Suggested Actions
CVE-2020-5801 CVE-2020-5802	Version 2.0: Apply patch found in BF26285. Version 1.0: Apply Internet Protocol Security (IPSec) to provide security services for IP network traffic. For more information on how to apply IPSec, see Knowledge Base ID QA46277 .
CVE-2020-5806	Version 3.0: Apply patch found in BF26287
CVE-2020-5807	For FactoryTalk Services Platform v6.20 see Patch Answer ID BF26157.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.
Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation^® products, see Knowledgebase Article ID BF7490.

Software/PC-based Mitigation Strategies

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use Microsoft^® AppLocker or other similar allow list applications that can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

Social Engineering Mitigation Strategies

Do not open untrusted .ftd files with FactoryTalk Services Platform.
Do not click on or open URL links from untrusted sources.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.

Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1113 | PN1113 | CVE-2020-0601 Impact to Rockwell Automation Products

Published Date:

January 20, 2021

Last Updated:

January 20, 2021

CVE IDs:

CVE-2020-0601

Products:

FactoryTalk Analytics for Devices, FactoryTalk Analytics LogixAI, 1756 ControlLogix I/O

CVSS Scores:

8.1

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

2.0

Revision History

Version 2.0 - January 20, 2021 - Updated Risk Mitigations and Recommended User Actions.
Version 1.1 - January 31, 2020
Version 1.0 - January 17, 2020

Executive Summary

On Tuesday, January 14, 2020, Microsoft issued a patch and advisory addressing a major crypto vulnerability affecting Windows 10, Windows 10 IoT Core and Enterprise, and Windows Server 2016 and 2019. This vulnerability, identified as CVE-2020-0601, is also being referred to as "CurveBall," and is a vulnerability that exists in the way Crypt.32.dll validates Elliptic Curve Cryptography (ECC) certificates. This vulnerability breaks the chain of trust and could allow an attacker to sign a malicious executable, allow interception and modification of TLS-encrypted traffic, or spoof Authenticode code signing certificates. The National Security Agency (NSA) coordinated the information and release of this vulnerability with Microsoft.

The Rockwell Automation® Product Security Incident Response Team (PSIRT) has been tracking this vulnerability since its release. At the time of writing, Rockwell Automation products are not being directly targeted, but are impacted by vulnerable Windows 10 IoT installations. Please see the Affected Products for a full list of potentially affected Rockwell Automation products.

An investigation is ongoing. Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as information becomes available.

Affected Products

Microsoft Windows 10 IoT Core and Enterprise editions are impacted by this vulnerability. At of the time of publishing, the following Rockwell Automation products are impacted by CVE-2020-0601:

CompactLogix 5480 Controllers
FactoryTalk Analytics for Devices
FactoryTalk Analytics LogixAI
ControlLogix Compute Module (1756-CMS1B1)

Vulnerability Details

CVE: 2020-0601: Windows CryptoAPI Spoofing Vulnerability

Description: A vulnerability exists in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

Microsoft Assigned CVSSv3.0 Base Score: 8.1
Microsoft Assigned CVSSv3.0 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Risk Mitigation & User Action

Customers should understand their potential exposure to this vulnerability by completing a thorough asset inventory and assessment.

Vulnerability	Rockwell Automation Product	Suggested Actions
CVE-2020-0601	Compact Logix 5480 Controllers ControlLogix Compute Module (1756-CMS1B1)	Microsoft released a patch for affected versions of Windows on January 14, 2020. Patch via Windows Update Service or normal patching process.
CVE-2020-0601	FactoryTalk Analytics Logix AI	Install the Microsoft Cumulative Security Updates on FactoryTalk Analytics LogixAI, refer to QA58887.

Otherwise, Rockwell Automation will provide a firmware update for the products noted. Patches are not yet available for these products. When the patches are available, this article will be updated.

Vulnerability

Rockwell Automation Product

Suggested Actions

CVE-2020-0601

FactoryTalk Analytics for Devices

To reduce risk, customers should ensure they are employing proper network segmentation and security controls.
Specifically, network exposure for all control system devices should be minimized and control systems should be
behind firewalls and isolated from other networks when possible.
Refer to the Deploying a Resilient Converged Plantwide Ethernet Architecture Design and Implementation Guide.

Customers using Rockwell Automation industrial compute solutions, such as VersaView computers, Industrial Data Centers, etc, are recommended to regularly inventory and patch their host operating systems.

Update on 1/31/2020: Rockwell Automation MS Patch Qualification team successfully qualified the Microsoft patch related to Curveball. Full results and other useful information can be found here.

General Security Guidelines

Utilize proper network infrastructure controls, such as firewalls, to help ensure that communications from unauthorized sources are blocked.
Use trusted software, software patches, antivirus/antimalware programs, and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
Locate control system networks and devices behind firewalls, and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1548 | PN1548 | Allen-Bradley MicroLogix 1100 Programmable Logic Controller IPv4 Denial-of-Service Vulnerability

Published Date:

January 19, 2021

Last Updated:

January 19, 2021

CVE IDs:

CVE-2020-6111

Products:

1763 MicroLogix 1100

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - January 19, 2021. Iniital Release.

Executive Summary

Rockwell Automation received a report from the Cisco® Talos™ team, regarding a vulnerability in the Allen-Bradley® MicroLogix™ 1100 controller. If successfully exploited, these vulnerabilities may result in denial-of-service conditions.

Customers using affected versions of this controller are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

MicroLogix 1100, all versions.

Vulnerability Details

CVE-2020-6111: Improper Processing IPv4 Packets may result in Denial-of-Service Conditions
A vulnerability exists with the processing of ICMP packets with an invalid IPv4 length in the MicroLogix 1100. This vulnerability could allow a remote, unauthenticated attacker to send malformed packets and cause the controller to enter 8H Hard Fault. This event would lead to denial-of-service conditions. To recover from the condition, the controller must be power cycled and the project redownloaded.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS v3.1 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected controllers are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

Vulnerability	Suggested Actions
CVE-2020-6111	Migrate to MicroLogix 1400 and apply firmware v21.006 or later.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.
Consult the product documentation for specific features, such as a hardware key mode setting, to which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID BF7490.

General Mitigations

Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the KnoweldgeBase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Medium

PN1542 | PN1542 | Side-Channel Issue on NXP 7x Secure Authentication Microcontrollers May Lead to ECC Key Extraction

Published Date:

January 14, 2021

Last Updated:

January 14, 2021

CVE IDs:

CVE-2021-3011

Products:

5069-L330ERMS2K, 5069-L340ERMS2, PowerFlex 6000, 5069-L3100ERS2, PowerFlex 755, 5069-L3100ERMS2, 5069-L306ERMS2, 2198 Kinetix 5700 Drive, iTRAK, 5069-L350ERMS2K, 5069-L320ERMS2K, 5069-L320ERMS2, 5069-L330ERS2K, 5069-L330ERMS2, 5069-L320ERS2K, 5069-L350ERS2K, 5069 Compact GuardLogix 5380, 5069-L380ERMS2, PowerFlex 755T, 1756 ControlLogix, 5069-L350ERMS2, 5069-L380ERS2

CVSS Scores:

4.9

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - January 14, 2021. Initial Release.

Executive Summary

A report has been released regarding a vulnerability in the NXP 7x series microcontroller. If successfully exploited, this vulnerability may result in the extraction of a unique private key. This unique key is used to verify the authenticity of the affected Rockwell Automation^®products.

Customers using affected products are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

1756-EN2T
1756-EN4T
1756-EN4TR
ControlLogix^® 5580 Series
- 1756-L81EK, -L82EK, -L83EK, -L84EK, -L85EK
- 1756-L81EP, -L83EP, -L85EP
- 1756-L81E-NSE, 1756-L82E-NSE, 1756-L83E-NSE, 1756-L84E-NSE, 1756-L85E-NSE
- 1756-L81EXT, 1756-L82EXT, 1756-L83EXT, 1756-L84EXT, 1756-L85EXT
GuardLogix 5580 Series
- 1756-L81ES, -L82ES, -L83ES, -L84ES, -L8SP
- 1756-L81ESK, -L82ESK, -L83ESK, -L84ESK, -L8SPK
Compact GuardLogix^® 5380 Series
- 5069-L306ERMS2
- 5069-L306ERMS3
- 5069-L306ERS2
- 5069-L3100ERMS2
- 5069-L3100ERMS3
- 5069-L3100ERS2
- 5069-L310ERMS2
- 5069-L310ERMS3
- 5069-L310ERS2
- 5069-L320ERMS2
- 5069-L320ERMS2K
- 5069-L320ERMS3
- 5069-L320ERMS3K
- 5069-L320ERS2
- 5069-L320ERS2K
- 5069-L330ERMS2
- 5069-L330ERMS2K
- 5069-L330ERMS3
- 5069-L330ERMS3K
- 5069-L330ERS2
- 5069-L330ERS2K
- 5069-L340ERMS2
- 5069-L340ERMS3
- 5069-L340ERS2
- 5069-L350ERMS2
- 5069-L350ERMS2K
- 5069-L350ERMS3
- 5069-L350ERMS3K
- 5069-L350ERS2
- 5069-L350ERS2K
- 5069-L380ERMS2
- 5069-L380ERMS3
- 5069-L380ERS2
CompactLogix™ 5380 Series
- 5069-L306ER
- 5069-L306ERM
- 5069-L310ER
- 5069-L310ER-NSE
- 5069-L310ERM
- 5069-L320ER
- 5069-L320ERM
- 5069-L320ERMK
- 5069-L320ERP
- 5069-L330ER
- 5069-L330ERM
- 5069-L330ERMK
- 5069-L340ER
- 5069-L340ERM
- 5069-L340ERP
- 5069-L350ERM
- 5069-L350ERMK
- 5069-L380ERM
- 5069-L3100ERM
5069-AEN2TR
CompactLogix™5480 Series
- 5069-L4100ERMW
- 5069-L4200ERMW
- 5069-L430ERMW
- 5069-L450ERMW
- 5069-L46ERMW
iTRAK^® 5730 Small Frame
iTRAK 5750C
Kinetix^® 5700 Series B - DAI, HPI, LFI, AFE
PowerFlex^®6000T
PowerFlex 755 TL
PowerFlex 755 TM
PowerFlex 755 TR

Vulnerability Details

CVE-2021-3011: Side-Channel Leakage of Unique ECC Private Key on NXP 7X Series Chip
The NXP A700X chip contains a vulnerability that may allow an attacker to physically extract ECC private keys. Expertise and specialized equipment are required to successfully open the package, extract, and process the side-channel leakage. Successful exploit of this vulnerability may allow an attacker to obtain the unique ECC private key for that chip only. The chip will also be physically damaged. For controllers, the current use of this unique key is only used during the initial deployment of CIP Security.

CVSS v3.1 Base Score: 4.9/10[MEDIUM]
CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Risk Mitigation & User Action

Rockwell Automation encourages customers, when possible, to follow industry best practices for physical access including, but not limited to:
•           Limiting physical access to authorized personnel: control room, cells/areas, control panels, and devices.
•           Providing training and communication to personnel to raise awareness of threats.
•           Implementing physical barriers such as locked cabinets.

Please subscribe to updates to this advisory and the Industrial Security Advisory Index to stay notified.

General Security Guidelines

General Mitigations

Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article PN715.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

High

PN1541 | PN1541 | FactoryTalk AssetCentre affected by M and M Software fdtCONTAINER Remote Code Execution Vulnerability

Published Date:

January 11, 2021

Last Updated:

January 11, 2021

CVE IDs:

CVE-2020-12525

Products:

FactoryTalk AssetCentre

CVSS Scores:

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

January 11, 2021. Initial Version.

Executive Summary

Rockwell Automation received a report from M&M Software regarding vulnerabilities in the fdtCONTAINER component. fdtCONTAINER is distributed as part of FactoryTalk® AssetCentre software. If successfully exploited, this vulnerability may result in remote code execution.

This vulnerability does not impact FactoryTalk AssetCentre users who have not purchased the Process Device Configuration (SKU: 9515-ASTPRD*) capability or Calibration Management capability (SKU: 9515-ASTCAL*).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk AssetCentre v9.00.00 and below with Process Device Configuration or Calibration Management capabilitiy.

Vulnerability Details

CVE-2020-12525: Deserialization of Untrusted Data May Result in Remote Code Execution
A deserialization vulnerability exists in the ftdCONTAINER component in FactoryTalk AssetCentre. This vulnerability could be exploited via a phishing attack in which an attacker sends a specially crafted project file to a local user. When the malicious project file is opened by the local user, it may execute malicious code with the user rights of FactoryTalk AssetCentre.

CVSS v3.1 Base Score: 8.6/10 [HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk AssetCentre are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability	Suggested Actions
CVE-2020-12525	Deny access to PDC Field Edition. To do this, follow the steps below.

To deny access to PDC Field Edition:

Open FactoryTalk Admin Console
Select “System”
Select “Policies”
Select “FactoryTalk AssetCentre”
Open “Feature Security Properties”
Locate “Run PDC Field Edition” under “Process Device Configuration Policies” and select the ellipses (…) next to “Configure Security”.
Select the “Deny” Checkboxes for “Administrators” and “All Users”
Select “OK”
Select “Apply”

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.
Block all traffic to EtherNet/IP^™ or other CIP^™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.

Software/PC-based Mitigation Strategies

Do not use standalone PDC Field Edition
Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use Microsoft^® AppLocker or another similar allow list application to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Social Engineering Mitigation Strategies

Do not open untrusted files with FactoryTalk AssetCentre.
Do not click or open URL links from untrusted sources.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

General Mitigations

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Critical

PN1539 | PN1539 | Vulnerabilities in the Kepware OPC UA server interface may lead to Denial-of-Service Conditions or Data Leak

Published Date:

December 17, 2020

Last Updated:

December 17, 2020

CVE IDs:

CVE-2020-27267, CVE-2020-27263

Products:

ThingWorx Industrial Connectivity, ThingWorx, Kepserver Enterprise

CVSS Scores:

7.5, 9.1

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - December 17, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from PTC, a strategic partner of Rockwell Automation, regarding vulnerabilities in the Kepware OPC UA server interface for KEPServer Enterprise, ThingWorx® Kepware Server, and ThingWorx Industrial Connectivity. If successfully exploited, these vulnerabilities may result in the product ceasing to function. This may cause the following impacts: a loss of ability to configure the application, a loss of data, a loss of data acquisition, or a loss communication with control system assets.

Customers using affected versions of this server are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

KEPServer Enterprise, versions 6.6.504.0; 6.9.572.0
ThingWorx Industrial Connectivity, all versions
ThingWorx Kepware Server, all versions

Vulnerability Details

CVE-2020-27263: Heap-based Buffer Overflow
The affected products are vulnerable to a heap-based buffer overflow. Opening a specifically crafted OPC message could all a remote attacker to crash the server and potentially leak data.

CVSS v3.1 Base Score: 9.1 [Critical]
CVSS Vector: CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVE-2020-27267: Use After Free
The affected products are vulnerable to a use after free vulnerability, which may allow an attacker to create and close OPC UA connections at a high rate that may cause a server to crash. Successful exploitation of this vulnerability may result in denial-of-service conditions.

CVSS v3.1 Base Score: 7.5 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these options with the general security guidelines to employ multiple strategies simultaneously.

PTC recommends that users upgrade to the most current supported version.

	Recommended User Actions
	Base Version
Affected Product	6.6	6.7	6.8	6.9
KEPServer Enterprise (Download)	Apply version 6.6.550.0	--	--	Apply version 6.9.584.0
Thingworx Kepware Server (Download)	--	--	Apply version 6.8.839.0	Apply version 8.9.584.0
Thingworx Industrial Connectivity (Download)	Apply version 8.4 (6.6.362.0)	Apply version 8.5(6.7.1068)	--	--

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources are blocked.

General Mitigations

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

Critical

PN1536 | PN1536 | FactoryTalk® Linx® Affected by Multiple Denial-of-Service and Heap Overflow Vulnerabilities

Published Date:

November 24, 2020

Last Updated:

November 24, 2020

CVE IDs:

CVE-2020-27251, CVE-2020-27255, CVE-2020-27253

Products:

FactoryTalk Linx Gateway

CVSS Scores:

8.6, 9.8, 5.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - November 24, 2020. Initial Release.

Executive Summary

Rockwell Automation PSIRT received a report from Claroty, an industrial security product vendor and research company, regarding three vulnerabilities in FactoryTalk® Linx software. If successfully exploited, these vulnerabilities may result in denial-of-service conditions, controlling of the execution flow or information disclosure. If the vulnerabilities are chained together, it may be possible to achieve remote code execution.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Special thanks to Claroty for discovering this vulnerability.

Affected Products

FactoryTalk Linx v6.11 and earlier.

Vulnerability Details

CVE-2020-27251: Remote Code Execution due to Heap Overflow
A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious port ranges, which could result in remote code execution.

CVSS v3.1 Base Score: 9.8/10 [Critical]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-27253: Denial-of-service due to a flaw in Ingress/Egress checks routine
A flaw exists in the Ingress/Egress checks routine of FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to specifically craft a malicious packet resulting in a denial-of-service condition on the device.

CVSS v3.1 Base Score: 8.6/10 [High]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2020-27255: Information Disclosure and ASLR bypass due to Heap Overflow
A heap overflow vulnerability exists within FactoryTalk Linx. This vulnerability could allow a remote, unauthenticated attacker to send malicious set attribute requests, which could result in leaking sensitive information. This information disclosure could lead to the bypass of Address Space Layout Randomization (ASLR).

CVSS v3.1 Base Score: 5.3 /10 [Medium]
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Risk Mitigation & User Action

Customers using the affected FactoryTalk Linx are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability Details	Recommended User Actions
CVE-2020-27253 CVE-2020-27251 CVE-2020-27255	For FactoryTalk Linx v6.10 and v6.11 see Patch Answer ID BF25509 Additionally, the user could move to v6.20 which is available on the PCDC

General Security Guidelines

Software/PC-based Mitigation Strategies

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft^® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation^® products is available at Knowledgebase Article ID QA17329.
Confirm that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

General Mitigations

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

PN1534 | PN1534 | Stratix 5700 HTTP Session Management Weakness

Published Date:

October 30, 2020

Last Updated:

October 30, 2020

Products:

Stratix 5700 Managed Switch

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - October 30, 2020. Initial Release.

Executive Summary

Rockwell Automation’s PSIRT received a report from Amazon regarding a weakness on the Stratix 5700 switch. This weakness is a result of HTTP session management not being a feature of classic Cisco IOS. This may result in unauthenticated access to the web interface if an attacker gains access to the authenticated user’s computer after the “Logout” button has been selected. Rockwell Automation’s PSIRT has collaborated with the Cisco PSIRT to inform customers of this weakness. While this button’s function may lead the user to believe the session is being cleared, the product specifications do not advertise HTTP session management as a function. Both PSIRTs, to be transparent, see the importance of sharing this issue along with potential mitigation options.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.

Affected Products

Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches –

All Cisco IOS releases (with the exception of those which incorporate the new HTTP session management feature added through Cisco BugID CSCvo20762) lack HTTP and HTTPS session management capabilities.

Details

On the Stratix 5700 Industrial Managed Ethernet switch running Cisco IOS , because no session management is performed for HTTP or HTTP sessions, the only way to close and terminate an active HTTP or HTTPS management session is to close the web browser used for this session after the user is done. Closing the active tab or active window is not enough - the browser instance must be terminated.

If the browser instance has not been terminated, an actor with local access to the machine from which the session was established may be able to restart the management session without being prompted for any credentials, which would result in this actor having the same kind of access to the device as the user on the previous session.

Risk Mitigation & User Action

As of 26-OCT-2020, the following releases incorporate the new HTTP session management code: 15.9(3)M2, 15.9(3)M2a and 15.2(7)E3. Going forward, it is the intention of Cisco for this HTTP session management feature to be implemented in all future Cisco IOS classic releases.

If HTTP session management is desired while running a release which does not support the enhancement, Cisco IOS customers are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.

Completing the following precautionary measure is recommended as a risk mitigation strategy against unauthenticated attackers.

Terminate the browser when finished – closing the tab or window is NOT enough

General Security Guidelines

Software/PC-based Mitigation Strategies

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

General Mitigations

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
Locate control system networks and devices behind firewalls, and isolate them from the business network.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

PN923 | PN923 | Claims of ransomware masquerading as an Allen-Bradley Update

Published Date:

October 02, 2020

Last Updated:

October 02, 2020

Products:

Compliance / Audit Trail / Security, 6181X Hazardous Non-Display, ProcessPak, Integration Manager, SOS, dsShopLib, RSLogix 500, Arena, Foundation Server, Shop Operations, Reporting (form based), RSView32 WebServer, Database, FactoryTalk ViewPoint, SPC, Admin Tools, RSView32 SPC, FactoryTalk VantagePoint, App Solutions Documentation, Business Objects, Migration, Studio 5000 View Designer, 650R Non-Display Computers, 750R Non-Display Computers, FactoryTalk View SE, Reporting, Interface Manager, Operator Certification, RSLogix 5, Live Transfer, 6181 Computers, 1450R Non-Display Computers, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, LiveData, Agile, Installation, RSLogix Emulate 500, Knowledge Documentation, RSLogix Emulate 5, Build Utility, Shop Operation, Foundation Client, NCR/CAR/IQA, RSView32, FactoryTalk Activation, Purge, FactoryTalk Historian SE, WSIntegrate, SoftLogix5800, RSView32 Messenger, FactoryTalk Linx Gateway, Supplier Manager, RSView32 Active Display, Maintenance Releases, Connected Components Workbench, Documentation, Activities, ETL, Historical Transfer, ECO, 6180 Computers with Keypad, Production Management Client, RSLadder, RMA, Data, Thin Client, Logix Designer, Administration, 6155 Compact Computers, Production Execution Client, Installation, 6181X Hazardous Integrated Display, Dashboard, JD Edwards, ActiveX Control, FactoryTalk Metrics, TrendX, Universe Manager, FactoryTalk AssetCentre, Knowledge Installation, Sampling Plans, Configuration Tool, FactoryTalk Transaction Manager, Consumer Packaged Goods Suite, Reports (Out-of-box), PlantMetrics, API, FactoryTalk Batch, FactoryTalk EnergyMetrix, FactoryTalk View ME, SoftLogix5, Process Designer, Reports (Custom), Automotive Suite , Quality Assurance (6.x), ICAPA, RSLogix Architect / Studio 5000 Architect, Equipment Manager, PlantPAx, Complaint Handling, Pavilion, FactoryTalk Services Platform

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Claims of ransomware masquerading as an Allen-Bradley Update

Description

begin ignore

Version 2.0 - July 8th 2016

Rockwell Automation has learned about the existence of a malicious file called "Allenbradleyupload.zip" that is being distributed on the internet. This file is NOT an official update from Rockwell Automation, and we have been informed that this file contains a type of ransomware malware that, if successfully installed and launched, may compromise the victim’s computer. This advisory is intended to raise awareness to control system owners and operators of reports of the file’s existence as a result of reports Rockwell Automation received from the Electricity Information Sharing and Analysis Center ("E-ISAC").

Update 08-JUL-2016: Our investigation has confirmed the existence of the reported malware through VirusTotal.com. According to VirusTotal, it "is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware." According to information on VirusTotal.com, the file "Allenbradleyupload.zip" contains a single file called "Allenbradleyupload.exe", which may be malicious. File hashes and links to VirusTotal.com are in the table that follows below. These file hash values can be used with Application Whitelisting technologies to reduce the ability of this malware to execute on a system. According to VirusTotal, most of the antivirus/anti-malware vendors have updated their databases to detect this malware. However, we strongly recommend ensuring that your antivirus programs and virus definitions are up to date.

File Name Hash Type Hash Value

Allenbradleyupload.zip MD5 b552a95bd3eceb1770db622a08105f52

SHA-1 4dbba01786068426c032a7524e31668f2435d181

SHA-256 e7b4a2c05e978b86a231fa276db29bb8362bd25160bdeb4c2239cb614d7f44df

Allenbradleyupload.exe MD5 49067f7b3995e357c65e92d0c7d47c85

SHA-1 5f8c4246fc24d400dffef63f25a44b61932b13af

SHA-256 97ec86160dea82a17521a68076fe0d5537f60577b79338e67a15528115e94b88

Rockwell Automation confirms that this malware is NOT an official product update and it is not connected with any Rockwell automation product, software update, or website.

Rockwell Automation decided to provide this advisory since the attackers have used the Rockwell Automation brand name on the file, possibly as a means to increase the likelihood of an ICS-knowledgeable user to download and execute the malware as part of their strategy. We are continuing to monitor this situation, and we will update this advisory as we learn more.

BACKGROUND

Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary ransom in order to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications. Typically the user is required to pay the ransom in some form of untraceable currency, and must do so before the deadline expires and the decryption key is destroyed.

According to the September/October 2015 issue of the ICS-CERT Monitor, "Ransomware, such as Cryptolocker or TeslaCrypt, is currently one of the most prolific categories of malware growth, rising 165 percent in varieties seen between the fourth quarter of 2014 and the first quarter of 2015".

CUSTOMER RISK MITIGATIONS

Where feasible, precautions and risk mitigation strategies to this type of attack, like those listed below are recommended. When possible, multiple strategies should be employed simultaneously.

Obtain product software and firmware from Rockwell Automation’s official download portal, available at http://www.rockwellautomation.com/global/support/drivers-software-downloads.page.

Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in KB546987.

Consult VirusTotal.com’s analysis of the malware (using the links above), to determine if your deployed antivirus solution is able to detect this malware. (UPDATED 08-JUL-2016)

Analyze outbound network traffic against the known indicators of compromise (IoC), available from the US-CERT portal, to identify and assess the risk of any unusual network activity.

Develop, and then deploy, backup and disaster recovery policies and procedures. Test backups on a regular schedule.

Implement a change management system to archive network, controller and computer assets (e.g., clients, servers and applications).

Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack, which can also serve as a vehicle for malware infection.

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet

Locate control system networks and devices behind firewalls, and isolate them from the business network.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

end ignore

KCS Status

Released

Critical

PN1530 | PN1530 | FactoryTalk Activation Manager affected by CodeMeter Vulnerabilities

Published Date:

September 18, 2020

Last Updated:

September 18, 2020

CVE IDs:

CVE-2020-14517, CVE-2020-16233, CVE-2019-14519, CVE-2020-14519, CVE-2020-14515, CVE-2020-14509, CVE-2020-14513

Products:

FactoryTalk Activation

CVSS Scores:

7.4, 8.1, 9.4, 7.5, 10.0

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

4.0

Revision History

Version 4.0 -- September 18, 2020. Update to reflect current mitigations. Updated links.
Version 3.0 -- September 16, 2020. Update to reflect current remediations and information from Wibu. See update below.
Version 2.1 -- September 15, 2020. Update to adjust language.
Version 2.0 -- September 14, 2020. Update regarding affected CodeMeter versions and vulnerability information.
Version 1.0 – September 08, 2020

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding vulnerabilities in Wibu-Systems’ CodeMeter. These vulnerabilities, if successfully exploited, may result in remote code execution, privilege escalation, or denial of service conditions to the products dependent on CodeMeter. CodeMeter is distributed as part of the installation for FactoryTalk Activation Manager. FactoryTalk Activation Manager enables customers to manage licensed content and activate Rockwell Automation software products.

Claroty has released documentation that outlines the vulnerabilities in detail. This information may make it easier for an adversary to compromise the host running Wibu CodeMeter. Customers using the affected versions of FactoryTalk Activation Manager and/or CodeMeter should implement the mitigations detailed below as soon as possible.

Affected Products

FactoryTalk Activation (FTA) Manager v4.05.00 and earlier running Wibu-Systems CodeMeter v7.10 or earlier.

The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. Customers who use the products from the following list in their install base contain FactoryTalk Activation Manager.

Arena^®software
Emonitor^® software
FactoryTalk^® AssetCentre software
FactoryTalk^® Batch software
FactoryTalk^® EnergyMetrix^™ software
FactoryTalk^® eProcedure^® software
FactoryTalk^® Gateway software
FactoryTalk^® Historian Site Edition (SE) software
FactoryTalk^® Historian Classic software
FactoryTalk^® Information Server software
FactoryTalk^® Metrics software
FactoryTalk^®Transaction Manager software
FactoryTalk^® VantagePoint^® software
FactoryTalk^® View Machine Edition (ME) software
FactoryTalk^® View Site Edition (SE) software
FactoryTalk^® ViewPoint software
RSFieldbus™ software
RSLinx^® Classic software
RSLogix 500^® software
RSLogix 5000^® software
RSLogix™ 5 software
RSLogix^™ Emulate 5000 software
RSNetWorx^™ software
RSView^®32 software
SoftLogix^™5800 software
Studio 5000 Architect^® software
Studio 5000 Logix Designer^® software
Studio 5000 View Designer^® software
Studio 5000^® Logix Emulate^™ software

Vulnerability Details

CVE-2020-14509: Arbitrary Command Execution Due to Buffer Access with Incorrect Length Value of CodeMeter
The packet parsing mechanism of CodeMeter does not verify its length field values causing it to access memory outside the bounds of the buffer. This may allow an attacker to execute arbitrary commands by sending a specifically crafted packet. This out of bounds memory access could also lead to relevant memory corruption causing denial-of-service conditions by crashing the CodeMeter server

CVSS v3.1 Base Score: 10.0/10 [CRITICAL]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2020-14517: Arbitrary Command Execution Due to the Inadequate Encryption Strength of CodeMeter
A vulnerability exists in the encryption scheme of CodeMeter, which allows a bypass of the protection mechanism, enabling the server to accept external connections without authentication. This may allow an attacker to remotely communicate with the CodeMeter API, access and modify application data.

CVSS v3.1 Base Score: 9.4/10 [CRITICAL]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H)

CVE-2019-14519: Denial-of-Service Conditions Due to the Origin Validation Errors of CodeMeter
The API of the WebSocket internals of CodeMeter does not provide authentication on its WebSocket services. This may allow an attacker to cause denial-of-service conditions by sending a specifically crafted JavaScript payload allowing alteration or creation of license files.

CVSS v3.1 Base Score: 8.1/10 [HIGH]
CVSS Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CVE-2020-16233: Denial-of-Service Conditions Due to the Improper Resource Release of CodeMeter
A vulnerability exists in the internal program resource management of CodeMetermanagement, which allows the disclosure of heap memory. This may allow an attacker to cause denial-of-service conditions by triggering an intentional resource leak.

CVSS v3.1 Base Score: 7.5/10 [HIGH]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2020-14513: Denial-of-Service Conditions Due to Improper Input Validation of CodeMeter
A vulnerability exists in the input validation method of CodeMeter that can affect its program control flow or data flow. This may allow an attacker to alter the control flow and cause denial-of-service conditions to CodeMeter and any product dependencies by using a specifically crafted license file.

CVSS v3.1 Base Score: 7.5 [HIGH]
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2020-14515: Denial-of-Service Condition or Data Modification due to Improper Verification of a Cryptographic Signature in CodeMeter
A vulnerability exists in the license-file signature checking mechanism, which may allow an attacker to build arbitrary license files including forging a valid license file as if it were a valid license file of an existing vendor. This may allow an attacker to modify data or could cause a denial-of-service condition to CodeMeter.

CVSS v3.1 Base Score: 7.4/10 [HIGH]
CVSS v3.1 Vector: AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H

Risk Mitigation & User Action

UPDATE (4.0)
Customers using the affected versions of FactoryTalk Activation Manager are encouraged to update to v4.05.01. This version of FactoryTalk Activation Manager contains CodeMeter 7.10a, which addresses the vulnerabilities. Customers who are unable to patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability	Currently Installed	Suggested Actions
CVE-2020-14517 CVE-2020-16233 CVE-2020-14513 CVE-2020-14509 CVE-2020-14519 CVE-2020-14515	FactoryTalk Activation Manager v4.05.00 and earlier	Update to version 4.05.01 of FactoryTalk Activation Manager. Select the FactoryTalk Activation Manager download from our website. This information can also be found in Compatibility & Downloads > Configured Views > Standard Views > Software Latest Versions > FactoryTalk Activation.

UPDATE (3.0)
Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk. As of September 16, 2020, CodeMeter 7.10a is compatible with FactoryTalk Activation Manager via the Rockwell Automation Product Compatibility and Download Center (PCDC). This version of CodeMeter remediates all of the vulnerabilities noted below. Customers can update CodeMeter directly from Wibu, which is compatible with all supported versions of FTA. A bundled version of CodeMeter 7.10a and FactoryTalk Activation Manager will also release in the coming days.

Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability	Currently Installed	Suggested Actions
CVE-2020-14517 CVE-2020-16233 CVE-2020-14513 CVE-2020-14509 CVE-2020-14519 CVE-2020-14515	FactoryTalk Activation Manager v4.05.00 and earlier	Update to version 7.10a of CodeMeter found on the Rockwell Automation PCDC, which is compatible with all supported versions of FTA. This information can also be found in Compatibility & Downloads > Configured Views > Standard Views > Software Latest Versions > FactoryTalk Activation.

Previous Information Contained in Versions 1.0-2.1
Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk for CVE-2019-14519, and CVE-2020-14515. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

For CVE-2020-14517, CVE-2020-16233, and CVE-2020-14513, FTA v4.05 or later mitigates these vulnerabilities unless CodeMeter is running as a server. Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available.

Vulnerability	Currently Installed	Suggested Actions
CVE-2020-14519 CVE-2020-14515	FactoryTalk Activation Manager v4.04.00 and earlier	Update to FTA v4.05 or later and employ the general security guidelines. For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibility and Download Center Standard Views > Software Latest Versions > FactoryTalk Activation
CVE-2020-14517 CVE-2020-16233 CVE-2020-14513 CVE-2020-14509	FactoryTalk Activation Manager v4.04.00 and earlier	Update to FTA v4.05 or later and employ the general security guidelines. The default configuration of FTA v4.05 limits the vulnerable port, which mitigates these vulnerabilities. However, if CodeMeter is running a server, which can be turned on via FTA, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices deploying network segmentation and broader defense-in-depth strategies.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Utilize proper network infrastructure controls, such as firewalls, to help ensure that any traffic from unauthorized sources are blocked.
Consult the product documentation for specific features, such as a hardware key switch setting, to which may be used to block unauthorized changes, etc.
Utilize the new REST API instead of the internal WebSockets API
Disable the WebSockets API

General Mitigations

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN71

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

ADDITIONAL LINKS

Critical

PN1510 | PN1510 | FactoryTalk View SE Contains Multiple Vulnerabilities Found During Pwn2Own Competition

Published Date:

August 20, 2020

Last Updated:

August 20, 2020

CVE IDs:

CVE-2020-12027, CVE-2020-12028, CVE-2020-12029, CVE-2020-12031

Products:

FactoryTalk View SE

CVSS Scores:

7.5, 9.0, 7.3, 5.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

2.2

Revision History

Version 2.2 - August 20, 2020 Links to additional detections
Version 2.1 - August 18, 2020 Links to additional detections
Version 2.0 - July 23, 2020. Updated guidance given public scripts.
Version 1.0 - June 18, 2020. Initial Release.

Executive Summary

Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.

During the competition, Rockwell Automation was made aware of flaws in the way FactoryTalk View SE handles certain sensitive information, authentication mechanisms, and bounds checking, which could lead to Remote Code Execution (RCE).

Special thanks to the following researchers who submitted these vulnerabilities through the Pwn2Own competition: The Incite Team (Steven Seeley and Chris Anastasio), Claroty Research (Sharon Brizinov and Amir Preminger), Synacktiv (Lucas Georges), Tobias Scharnowski, Niklas Brietfeld, Ali Abbasi, Pedro Ribeiro, Radek Domanski, and Fabius Artrel.

As of July 23, 2020, the researchers, along with ZDI, have released documentation and a script that makes it possible for an unskilled adversary to compromise the host running FactoryTalk View SE. Customers using the affected versions of FactoryTalk View SE should apply the patch and implement the mitigations detailed below as soon as possible.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk View SE all versions

Vulnerability Details

CVE-2020-12029: Code execution due to improper limitation of a pathname to a restricted directory
FactoryTalk View SE does not properly validate input of filenames within a project directory. A remote, unauthenticated attacker may be able to execute a crafted file on a remote endpoint that may result in remote code execution (RCE).

CVSS v3.1 Base Score: 9.0 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10284

CVE-2020-12031: Code execution due to improper bounds checking
FactoryTalk View SE fails to bounds-check monitor configurations. After bypassing memory corruption mechanisms found in the operating system, a local, authenticated attacker may corrupt the associated memory space allowing for arbitrary code execution. This attack depends on user interaction to be successful.

CVSS v3.1 Base Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10270

CVE-2020-12028: Unauthenticated file permissions for remote endpoints
FactoryTalk View SE provides the capability to interact with remote endpoints, which are accessible by a series of handlers. A remote, authenticated attacker may be able to utilize certain handlers to interact with the data on the remote endpoint since those handlers do not enforce appropriate permissions. This attack depends on user interaction to be successful.

CVSS v3.1 Base Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10283

CVE-2020-12027: Information disclosure affecting remote endpoints
FactoryTalk View SE discloses the hostnames and file paths for certain files within the system. A remote, authenticated attacker may be able to leverage this information for reconnaissance efforts.

CVSS v3.1 Base Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
ZDI Tracking: ZDI-CAN-10281, ZDI-CAN-10282, ZDI-CAN-10291

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk View SE are encouraged to apply the patch or deploy recommended built in security features that addresses the associated risk. Customers who are unable to patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability Information	Recommended User Actions
CVE-2020-12029	Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. QA49264 - Patch Roll-up for CPR9 SRx Apply patch BF25481
CVE-2020-12031	Before installing this patch, the patch rollup dated 06 Apr 2020 or later MUST be applied. QA49264 - Patch Roll-up for CPR9 SRx Apply patch found in BF25482
CVE-2020-12028 CVE-2020-12027	This vulnerability is remediated by enabling built in security features found within FactoryTalk View SE. Users should follow guidance found in QA46277 and QA59546 to set up IPSec and/or HTTPS, respectively.

Note: The Cisco Talos team developed Snort rules to detect these vulnerabilities (sid:54670-54675).

Additionally, Claroty has provided the following detections:
Rule Name: FactoryTalk View SE Directory Traversal CVE-2020-12027
Detection Identifier: 1000000055

General Security Guidelines

Software/PC-based Mitigation Strategies

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Social Engineering Mitigation Strategies

Do not open untrusted filed.
Do not click on or open URL links from untrusted sources.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd(kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

Low

PN1509 | PN1509 | Studio 5000 Logix Designer XML External Entity (XXE) Vulnerability Found During Pwn2Own Competition

Published Date:

August 11, 2020

Last Updated:

August 11, 2020

CVE IDs:

CVE-2020-12025

Products:

Logix Designer

CVSS Scores:

3.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.1

Revision History

Version 1.1 - August 11, 2020. Updated Recommended User Actions
Version 1.0 - July 8, 2020. Initial Version.

Executive Summary

Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.

During the competition, Rockwell Automation was made aware of an XML External Entity (XXE) flaw in the way the Studio 5000 Logix Designer^® software parses AML and RDF files. An attacker may utilize this vulnerability to parse a malicious file, which could result in information disclosure.

Special thanks to The Incite Team for reporting this vulnerability through Pwn2Own. This vulnerability was independently co-discovered by researchers at Claroty after the competition.

Affected Products

Logix Designer Studio 5000 versions 32.00, 32.01, and 32.02.

Vulnerability Details

CVE-2020-12025: XXE Vulnerability Could Lead to Unauthorized Information Disclosure
Logix Designer Studio 5000 utilizes a third-party XML parser, which natively accepts AML and RDF files from any external entity. If successfully exploited, an unauthenticated attacker may be able to craft a malicious file, which when parsed, could lead to some information disclosure of hostnames or other resources from the program.

Other versions of Studio 5000 Logix Designer do not support this parser and therefore, are not affected by this vulnerability. Versions 32.00, 32.01, and 32.02 contains the vulnerable code; however, this vulnerability is considered LOW severity since the exploit relies on user interaction and the limited data that would be provided to the attacker.

CVSSv3 Base Score: 3.6 (LOW)
CVSSv3 Vector String: AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
ZDI Tracking: ZDI-CAN-10290

Risk Mitigation & User Action

Customers using the affected versions of Studio 5000 Logix Designer are encouraged to update to Studio 5000 Logix Designer version v32.03.

Vulnerability Information	Recommended User Actions
CVE-2020-12025	Update to v32.03 of Logix Designer Studio 5000 Rockwell Automation customers using AML or RDF files should not accept files from unknown sources and remain cautious of social engineering attempts that may take advantage of this vulnerability.

General Security Guidelines

Social Engineering Mitigation Strategies

Rockwell Automation customers using AML or RDF files should not accept files from unknown sources and remain cautious of social engineering attempts that may take advantage of this vulnerability.

Do not open untrusted AML or RDF files within Studio 5000 Logix Designer.
Do not click on or open URL links from untrusted sources.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1025 | PN1025 | CompactLogix / Compact GuardLogix 5370 Denial of Service

Published Date:

August 10, 2020

Last Updated:

August 10, 2020

CVE IDs:

CVE-2017-9312

Products:

Armor Compact Logix, Compact GaurdLogix 5370, CompactLogix 5370

CVSS Scores:

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.3

Revision History

Version 1.3 / August 10, 2020 - Updated affected products and suggested actions.
Version 1.2 / May 18, 2020 - Updated release product and corrected product version information.
Version 1.1 / July 12, 2018 - Updated product version informtion.
Version 1.0 / June 21, 2019 - Initial Release

Overview

A vulnerability exists in certain CompactLogix™ 5370 and Compact GuardLogix® 5370 programmable automation controllers that, if successfully exploited, may cause a Denial of Service (DoS) condition. These products are used to control processes across several industries, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation® has been conducting thorough evaluations to help achieve completeness in its risk assessment and mitigation processes.

Specific details of this vulnerability were disclosed publicly by researchers presenting at the ICS Cyber Security Conference in Singapore on April 25, 2018. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

CompactLogix 5370 L1 controllers, versions 30.014 and earlier, excluding version 28.015
CompactLogix 5370 L2 controllers, versions 30.014 and earlier, excluding version 28.015
CompactLogix 5370 L3 controllers, versions 30.014 and earlier, excluding version 28.015
Armor CompactLogix 5370 L3 controllers, versions 30.014 and earlier, excluding version 28.015
Compact GuardLogix 5370 controllers, versions 30.014 and earlier, excluding version 28.015
Armor Compact GuardLogix 5370 controllers, versions 30.014 and earlier, excluding version 28.015

Vulnerability Details

This vulnerability may allow threat actor to intentionally send a specific TCP packet to the product and cause a Major Non-Recoverable Fault (MNRF) resulting in a Denial of Service (DoS) condition. An MNRF is a controlled action taken by the controller when it is determined that the controller could no longer continue safe operation. When a Logix controller determines that an MNRF is the right course of action, the controller is designed to fault, taking it out of run mode, logging diagnostic data, and then invalidating and deleting the controller’s memory. This action requires an application program reload to guarantee the controller has a valid program to continue safe operation.

Alexey Perepechko of Applied Risk discovered this vulnerability in the 1769 Compact GuardLogix 5370 controllers. Rockwell Automation further investigated and discovered additional products affected by this vulnerability and they are included in this advisory.

This vulnerability is remotely exploitable. The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system and other controls a user may have in place.

COMPACT GUARDLOGIX ADDITIONAL DETAILS
If a Major Non-Recoverable Fault (MNRF) occurs in a Compact GuardLogix controller, the safety task execution stops and CIP Safety I/O modules are placed into their safe state. All other I/O modules will transition to their configured fault state (for example, Hold Last State). Memory will be marked as invalid and cleared. It is important to note that the memory clear is controlled and intentional, as the controller has determined internally that something is wrong and cannot guarantee continued safe controller execution. As a result, the controller goes into an MNRF state, which is considered safe. Recovery requires that you download the application program again.

COMPACTLOGIX ADDITIONAL DETAILS
If a Major Non-Recoverable Fault (MNRF) occurs in a CompactLogix controller, all I/O modules will transition to their configured fault state (for example, Hold Last State). Memory will be marked as invalid and cleared. It is important to note that the memory clear is controlled and intentional, as the controller has determined internally that something is wrong and cannot guarantee continued safe controller execution. As a result, the controller goes into an MNRF state, which is considered safe. Recovery requires that you download the application program again.

CVE-2017-9312 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System (CVSS) v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Risk Mitigation & User Action

Customers using the affected controllers are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Type	Product Family	Catalog Numbers	Suggested Actions
Small Controllers	CompactLogix 5370 L1 CompactLogix 5370 L2 CompactLogix 5370 L3 Armor CompactLogix 5370 L3	1769-L16ER-BB1B 1769-L18ER-BB1B 1769-L18ERM-BB1B 1769-L19ER-BB1B 1769-L24ER-QB1B 1769-L24ER-QBFC1B 1769-L27ER-QBFC1B 1769-L30ER 1769-L30ER-NSE 1769-L30ERM 1769-L33ER 1769-L33ERM 1769-L36ERM 1769-L37ERMO	Apply FRN 28.015 or apply 31.011 or later.
Safety Controllers	Compact GuardLogix 5370 Armor Compact GuardLogix 5370 L3	1769-L30ERMS 1769-L33ERMS 1769-L36ERMS 1769-L37ERMS 1769-L38ERMS 1769-L33ERMOS 1769-L36ERMOS	Apply FRN 28.015 or apply 31.011 or later.

Note: For 1769-L33ERMOS and 1769-L36ERMOS, apply firmware for 1769-L33ERMS and 1769-L36ERMS respectively.

General Security Guidelines

Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

Attachments

File

v1.1_KB1073708 CompactLogix Denial of Service Vulnerability.pdf

Critical

PN1525 | PN1525 | FactoryTalk Services Platform Improper User Password Hashing

Published Date:

July 30, 2020

Last Updated:

July 30, 2020

CVE IDs:

CVE-2020-14516

Products:

FactoryTalk Services Platform

CVSS Scores:

10.0

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - July 30, 2020. Initial Release.

Executive Summary

A vulnerability exists in FactoryTalk^® Services Platform that prevents user passwords from being hashed properly. This vulnerability, if successfully exploited, may allow attackers to access and modify configuration and application data. This vulnerability only impacts native FactoryTalk Security users, not Windows^® linked users.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Services Platform, versions 6.10.00 and 6.11.00.

Nearly all FactoryTalk software ships with FactoryTalk Services Platform. If you are unsure if you have FactoryTalk Services Platform installed, please see Knowledgebase QA5266 for additional details.

Vulnerability Details

CVE-2020-14516: Improper Implementation of Hashing Algorithm for User Passwords
There is an issue with the implementation of the SHA-256 hashing algorithm with FactoryTalk Services Platform 6.10 and 6.11 that prevents the user password from being hashed properly. A successful exploit could allow a remote, unauthenticated attacker to create new users in the FactoryTalk Services Platform administration console and this new user would allow the attacker to modify or delete configuration and application data in other FactoryTalk software connected to FactoryTalk Services Platform.

CVSS v3.0 Base Score: 10.0/CRITICAL
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk Services Platform are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these measures with the general security guidelines to employ multiple strategies simultaneously.

Product Family	Suggested Actions
FactoryTalk Services Platform	Follow the guidance provided in Knowledgebase Article ID: BF10207 in order to patch (link).

General Security Guidelines

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft^® AppLocker application or another similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
Ensure that the least-privileged user principle is followed, and the user/service account access to shared resources (such as a database) is only granted with the minimum number of rights as needed.
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1515 | PN1515 | FactoryTalk View SE Credential Disclosure Vulnerabilities

Published Date:

June 25, 2020

Last Updated:

June 25, 2020

CVE IDs:

CVE-2020-14480, CVE-2020-14481

Products:

FactoryTalk View SE

CVSS Scores:

8.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - June 25, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from Ilya Karpov and Evgeny Druzhinin who are part of the independent research team, ScadaX Security. They reported two vulnerabilities in FactoryTalk^® View Site Edition (SE) software, which if successfully exploited, may result in the disclosure of Windows^® Logon credentials (via the DeskLock software) or FactoryTalk View SE user credentials.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

CVE-2020-14480: FactoryTalk View SE versions 9.0 and earlier.
CVE-2020-14481: FactoryTalk View SE version 10.0.

Vulnerability Details

CVE-2020-14480: Cleartext Storage of Sensitive Information in Memory

A local, authenticated attacker may have access to certain credentials, including Windows Logon credentials, as a result of usernames/passwords being stored in plaintext in Random Access Memory (RAM).

CVSS v3.1 Base Score: 8.8/HIGH

CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE-2020-14481: Use of a Weak Algorithm for Password Protection

The DeskLock tool provided with FactoryTalk View SE uses a weak encryption algorithm that may allow a local, authenticated attacker to decipher user credentials, including the Windows user or Windows DeskLock passwords. If the compromised user has an administrative account, an attacker could gain full access to the user’s operating system and certain components of FactoryTalk View SE.

CVSS v3.1 Base Score: 8.8/HIGH

CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions of DeskLock provided with FactoryTalk View SE are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family	Catalog Numbers	CVE #	Suggested Actions
FactoryTalk View SE	9701-VWSx	CVE-2020-14480	Download v10.0 or later.
FactoryTalk View SE	9701-VWSx	CVE-2020-14481	Download v11.0 or later.

General Security Guidelines

GENERAL SECURITY GUIDELINES

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft^® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1516 | PN1516 | FactoryTalk Services Platform XXE Vulnerability

Published Date:

June 25, 2020

Last Updated:

June 25, 2020

CVE IDs:

CVE-2020-14478

Products:

FactoryTalk Services Platform

CVSS Scores:

8.4

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - June 25, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from researchers at Applied Risk regarding a vulnerability in versions of FactoryTalk^® Services Platform which if successfully exploited, could lead to a denial-of-service (DoS) condition and to the arbitrary reading of any local file via system-level services.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Services Platform, versions 6.11.00 and earlier.

Nearly all FactoryTalk^® software ships with FactoryTalk Services Platform. If you are unsure if you have FactoryTalk Services Platform installed, please see QA5266 for additional details.

Vulnerability Details

CVE-2020-14478: Weakly Configured XML Parser
A local, authenticated attacker could use an XML External Entity (XXE) attack to exploit weakly configured XML parser to access local or remote content. A successful exploit could potentially cause a denial-of-service (DoS) condition and allow the attacker to arbitrarily read any local file via system-level services. The details of this file could then be forwarded to the attacker.

CVSS v3.0 Base Score: 8.4/HIGH

CVSS v3.0 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H.

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk Services Platform are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these measures with the general security guidelines to employ multiple strategies simultaneously.

Product Family	Suggested Actions
FactoryTalk Services Platform	Download patch for 6.11 (Download)

General Security Guidelines

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft^® AppLocker application or another similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329 .
Ensure that the least-privileged user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index..

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

ADDITIONAL LINKS

Critical

PN1507 | PN1507 | FactoryTalk Linx Affected by Multiple Vulnerabilities

Published Date:

June 24, 2020

Last Updated:

June 24, 2020

CVE IDs:

CVE-2020-11999, CVE-2020-12005, CVE-2020-12003, CVE-2020-12001

Products:

FactoryTalk Linx Gateway

CVSS Scores:

7.5, 9.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.1

Revision History

Version 1.1 - June 24, 2020. Corrected affected products.
Version 1.0 - June 11, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding multiple vulnerabilities due to exposed system internals’ in FactoryTalk^®Linxvsoftware. These vulnerabilities, if successfully exploited, may result in arbitrary code execution, information exposure, or denial-of-service conditions.

Rockwell Automation has provided software updates containing the remediation to these vulnerabilities. Customers using the affected versions of these products are encouraged to evaluate the mitigations provided below and apply them appropriately.

Affected Products

FactoryTalk Linx software versions 6.00, 6.10, and 6.11

The following products utilize FactoryTalk Linx:

Connected Components Workbench™ software v12 and earlier
ControlFLASH Plus™ software v1 and later
ControlFLASH™ software v14 and later
FactoryTalk Asset Centre software v9 and later
FactoryTalk Linx CommDTM software v1 and later
Studio 5000^®Launcher software v31 and later
Studio 5000 Logix Designer^® software v32 and earlier

Vulnerability Details

CVE-2020-11999: Arbitrary code execution due to API abuse
An exposed API call allows users to provide files to be processed without sanitation. This may allow an attacker to specify a filename to execute unauthorized code and modify files or data.

CVSS v3.1 Base Score: 9.6/10[CRITICAL]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CVE-2020-12001: Arbitrary code execution due to path traversal
The parsing mechanism that processes certain file types does not provide input sanitation. This may allow an attacker to use specially crafted files to traverse the file system, modify sensitive data, or execute arbitrary code.

CVSS v3.1 Base Score: 9.6/10[CRITICAL]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CVE-2020-12003: Information disclosure due to path traversal
An exposed API call allows users to provide files to be processed without sanitation. This may allow an attacker to use specially crafted requests to traverse the file system and expose sensitive data on the local hard drive.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2020-12005: Denial-of-service conditions due to unrestricted upload of certain file types
A vulnerability exists in the communication function that enables users to upload EDS files by FactoryTalk Linx. This may allow an attacker to upload a rogue EDS.gz file with “bad compression”, consuming all the available CPU resources leading to denial-of-service (DoS) conditions.

CVSS v3.1 Base Score: 7.5/10[HIGH]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

CVE	Products Affected	Mitigation
CVE-2020-11999 CVE-2020-12001 CVE-2020-12003 CVE-2020-12005	Connected Components Workbench v12 and earlier ControlFLASH Plus v1 and later ControlFLASH v14 and later FactoryTalk Asset Centre v9 and later FactoryTalk Linx CommDTM v1 and later FactoryTalk Linx software(Previously called RSLinx Enterprise) versions 6.00, 6.10, and 6.11 Studio 5000 Launcher v31 and later Studio 5000 Logix Designer v32 and earlier	Customers are encouraged to apply these patches by following instructions in Knowledgebase articles below: Patch Roll-up fo CPR9. Knowledgebase Article ID: QA49264 FactoryTalk Knowledge Linx/Services patch. Knowledgebase Article ID: BF24810 FactoryTalk Linx patch. Knoweldgebase Article ID: BF25509

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Block all traffic to EtherNet/IP™ devices or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP Ports 2222, 7153 and UDP Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID BF7490.

General Mitigations

Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

PN1354 - Industrial Security Advisory Index
Industrial Firewalls within a CPwE Architecture
Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

Critical

PN1511 | PN1511 | FactoryTalk Linx Path Traversal Vulnerability Found During Pwn2Own Competition

Published Date:

June 24, 2020

Last Updated:

June 24, 2020

CVE IDs:

CVE-2020-12001

Products:

FactoryTalk Linx Gateway

CVSS Scores:

9.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.1

Revision History

Version 1.1 - June 24, 2020. Corrected affected products.
Version 1.0 - June 18, 2020. Initial Release.

Executive Summary

Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.

During the competition, researchers disclosed an open, unauthenticated port which can allow for a directory traversal. This vulnerability was previously disclosed by Rockwell Automation on June 11, 2020.

Special thanks to researchers at Claroty for submitting this issue through Pwn2Own.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk® Linx software (previously called RSLinx® Enterprise) versions 6.00, 6.10, and 6.11

The following products utilize FactoryTalk Linx:

Connected Components Workbench v12 and earlier
ControlFLASH™ Plus v1 and later
ControlFLASH™ v14 and later
FactoryTalk^®Asset Centre v9 and later
FactoryTalk^®Linx CommDTM v1 and later
Studio 5000^®Launcher v31 and later
Studio 5000 Logix Designer^® v32 and earlier

Vulnerability Details

CVE-2020-12001: Arbitrary code execution due to directory traversal
The parsing mechanism that processes certain file types does not provide input sanitation. This may allow an attacker to use specially crafted files to traverse the file system and modify sensitive data or execute arbitrary code.

CVSS v3.1 Base Score: 9.6/10[CRITICAL]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
ZDI Tracking: ZDI-CAN-10292, ZDI-CAN-10298

Risk Mitigation & User Action

Customers using the affected products are encouraged to apply the patch that addresses the associated risk. Customers who are unable to patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Vulnerability Information	Recommended User Actions
CVE-2020-12001	Customers are encouraged to apply these patches by following instructions in Rockwell Automation Knowledgebase articles below: Patch Roll-up for CPR9 SRx FactoryTalk Linx/Services patch BF24810 FactoryTalk Linx patch BF25509

General Security Guidelines

Software/PC-based Mitigation Strategies

Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Social Engineering Mitigation Strategies

Do not open untrusted files.
Do not click on or open URL links from untrusted sources.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd(kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1512 | PN1512 | FactoryTalk Services Platform Vulnerable to Arbitrary COM Instantiation During Pwn2Own Competition

Published Date:

June 18, 2020

Last Updated:

June 18, 2020

CVE IDs:

CVE-2020-12033

Products:

FactoryTalk Services Platform

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - June 18, 2020. Initial Version

Executive Summary

Between January 21-23, 2020, Rockwell Automation participated in the Pwn2Own competition hosted by Trend Micro’s Zero Day Initiative (ZDI). This was ZDI’s first ever Industrial Control Systems (ICS) competition, which was held at the S4 Security conference in Miami, Florida. This competition invites researchers to demonstrate vulnerability exploitation on certain products, and responsibly disclose this information to participating vendors.

During the competition, Rockwell Automation was made aware of a service, which can instantiate a COM object on the affected machine.

Special thanks to researchers at Claroty for submitting this vulnerability through the Pwn2Own competition.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Services Platform - All versions

Vulnerability Details

CVE-2020-12033: Arbitrary COM object instantiation due to lack of data validation

FactoryTalk Services Platform redundancy host service (RdcyHost.exe) does not validate supplied identifiers, which could allow an unauthenticated, adjacent attacker to execute remote COM objects with elevated privileges.

CVSS v3.1 Base Score: 7.5/HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ZDI Tracking: ZDI-CAN-10299

Risk Mitigation & User Action

Customers are encouraged to use Rockwell Automation Knowledgebase article QA5266 to determine if FactoryTalk Services Platform is installed. Those using the affected software are directed towards risk mitigation by enabling built-in security features found within FactoryTalk Services platform. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy. Please subscribe to updates to this advisory and the Industrial Security Advisory Index technote to stay notified.

Vulnerability Information	Recommended User Actions
CVE-2020-12033	This vulnerability is mitigated by implementing a secure communication strategy following the guidance outlined in Rockwell Automation Knowledge article QA46277.

General Security Guidelines

Software/PC-based Mitigation Strategies

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Social Engineering Mitigation Strategies

Do not open untrusted filed.
Do not click on or open URL links from untrusted sources.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: PN1354 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd(kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1084 | PN1084 | Multiple Vulnerabilities in Arena Simulation Software

Published Date:

June 08, 2020

Last Updated:

June 08, 2020

CVE IDs:

CVE-2019-13527, CVE-2019-13510, CVE-2019-13519, CVE-2019-13511, CVE-2019-13521

Products:

Arena

CVSS Scores:

7.8, 8.6, 3.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - August, 1 2019. Initial Release

Revision History

Revision Number

1.1

Revision History

Version 1.1 - September 19, 2019. Updated Vulnerability Reports.

Revision History

Revision Number

1.2

Revision History

Version 1.2 - June 8, 2020. Updated Vulnerability Reports.

Executive Summary

The Zero Day Initiative (ZDI), part of the information security company Trend Micro, reported multiple potential vulnerabilities in Arena Simulation software. These vulnerabilities, if successfully exploited, may allow a remote, unauthenticated attacker to cause denial of service conditions or execute arbitrary code on a system after using previously freed memory.

Successful exploitation of these vulnerabilities relies on a social engineering attack.

Special thanks to Kimiya of 9SG Security team working with ZDI to find these vulnerabilities.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their networks. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.

Affected Products

Arena® Simulation Software for Manufacturing, Cat. 9502-Ax, Versions 16.00.00 and earlier.

Vulnerability Details

CVE-2019-13510: Denial-of-service file parsing use-after-free potential remote code execution vulnerabilities
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

Note: There are also valid reasons why a file may not open in Arena®. To learn more about these circumstances, please see RAid#1073702.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

CVE ID	ZDI Report ID
CVE-2019-13510	ZDI-CAN-8012 ZDI-CAN-8013 ZDI-CAN-8015 ZDI-CAN-8016 ZDI-CAN-8017 ZDI-CAN-8060 ZDI-CAN-8062 ZDI-CAN-8096 ZDI-CAN-8174 ZDI-CAN-8600 ZDI-CAN-8623 ZDI-CAN-8624 ZDI-CAN-8683 ZDI-CAN-10129 ZDI-CAN-10186 ZDI-CAN-10373 ZDI-CAN-10374 ZDI-CAN-10470 ZDI-CAN-10554 ZDI-CAN-10555 ZDI-CAN-10556 ZDI-CAN-10557 ZDI-CAN-10559

CVE-2019-13511: Use-after-free Information disclosure vulnerability
If a maliciously crafted .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, information from the targeted workstation could be accessed. However, the threat actor cannot target and retrieve data of their choosing.

CVSS v3.1 Base Score: 3.3/10[LOW]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N.

CVE ID	ZDI Report ID
CVE-2019-13511	ZDI-CAN-8014

CVE-2019-13519: Denial-of-service file parsing type confusion vulnerability
If a maliciously crafted .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE ID	ZDI Report ID
CVE-2019-13519	ZDI-CAN-8175

CVE-2019-13521: Denial-of-service file type insufficient UI vulnerability
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 7.8/10[HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID	ZDI Report ID
CVE-2019-13521	ZDI-CAN-8134

CVE-2019-13527: Denial-of-service conditions due to uninitialized pointer dereference
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. The issue results from the lack of proper initialization of a pointer prior to accessing it. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 7.8/10[HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID	ZDI Report ID
CVE-2019-13527	ZDI-CAN-8682

Risk Mitigation & User Action

Customers using the affected versions of Arena® are encouraged to install the updated revision of software that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below, and are encouraged, when possible, to combine these with secondary mitigations.

Customers using Arena® v16.00.00 are encouraged to implement patch v16.00.01 to address these vulnerabilities (Download).
Do not open untrusted .doe files with Arena® Simulation Software.
Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.
Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

General Security Guidelines

High

PN1503 | PN1503 | EDS Subsystem Affected by Multiple Vulnerabilities

Published Date:

May 19, 2020

Last Updated:

May 19, 2020

CVE IDs:

CVE-2020-12038, CVE-2020-12034

Products:

Software, Logix Designer, RSNetWorx, FactoryTalk Linx Gateway, RSLinx Classic (Single Node, FactoryTalk Linx / RSLinx Enterprise, RSLogix 5000 / Studio 5000 Logix Designer

CVSS Scores:

8.2, 6.7

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - May 19, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from Claroty, an industrial security product vendor and research company, regarding multiple vulnerabilities in the parsing and storing of Electronic Datasheet (EDS) files in Rockwell Automation® software products. These vulnerabilities, if successfully exploited, may result in code injection and denial-of-service conditions

EDS files are text files that allow product-specific information to be made available to third-party vendors by Rockwell Automation. These files define a device's configurable parameters and the public interfaces to those parameters for identification and commissioning.

Rockwell Automation has provided software updates containing the remediation to these vulnerabilities. Customers using the affected versions of these products are encouraged to evaluate the mitigations provided below and apply them appropriately.

Affected Products

FactoryTalk® Linx software(Previously called RSLinx® Enterprise) versions 6.00, 6.10,and 6.11
RSLinx® Classic v4.11.00 and earlier
RSNetWorx™ software v28.00.00 and earlier
Studio 5000 Logix Designer® software v32 and earlier

Vulnerability Details

CVE-2020-12034: SQL injection due to improper input sanitization
The EDS subsystem does not provide adequate input sanitization, which may allow an attacker to craft specialized EDS files to inject SQL queries and manipulate the database storing the EDS files. This may lead to denial-of-service (DoS) conditions or allow an attacker to manipulate the SQL engine to write or modify files on the system. This affects the EDS subsystem v27 and earlier.

CVSS v3.1 Base Score: 8.2/10[HIGH]
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H

CVE-2020-12038: Denial-of-service conditions due to memory corruption in parsing/storage of EDS files
A memory corruption vulnerability exists in the algorithm that matches square brackets in the EDS subsystem. This may allow an attacker to craft specialized EDS files to crash the EDSParser COM object leading to denial-of-service (DoS) conditions. This affects the EDS subsystem v27 and earlier.

CVSS v3.1 Base Score: 6.7/10[MEDIUM]
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:H

Risk Mitigation & User Action

Customers using the affected products are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

CVE	Products Affected	Mitigation
CVE-2020-12034 CVE-2020-12038	FactoryTalk^® Linx software(Previously called RSLinx^® Enterprise) versions 6.00, 6.10,and 6.11 RSLinx® Classic v4.11.00 and earlier RSNetWorx™ software v28.00.00 and earlier Studio 5000 Logix Designer^® software v32 and earlier	Apply patch by following the instructions in knowledgebase article RAid 1125928.

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products

Block all traffic to EtherNet/IP™ or other CIP™protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP Port#s 2222, 7153 and UDP Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.

General Mitigations

Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

Additional Links

High

PN1502 | PN1502 | OSIsoft PI System Vulnerabilities Affect Multiple Rockwell Automation Software Products

Published Date:

May 12, 2020

Last Updated:

May 12, 2020

CVE IDs:

CVE-2020-10608, CVE-2020-10606, CVE-2020-10645, CVE-2020-10600, CVE-2020-10610

Products:

FactoryTalk VantagePoint, FactoryTalk View SE, FactoryTalk Historian SE, PlantPAx, ThingWorx Connection Server

CVSS Scores:

7.8, 8.0, 5.9

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

2.0

Revision History

Version 2.0 - October, 13, 2020. Updated risk mitigations and recommended user actions.
Version 1.0 - May 12, 2020. Initial Release.

Executive Summary

OSIsoft reported five vulnerabilities in PI System, a real-time data collection and visualization software, to Rockwell Automation. PI System software is used in multiple Rockwell Automation® software products. These vulnerabilities if successfully exploited, may result in privilege escalation, information disclosure or a denial-of-service condition.

Not every PI System vulnerability applies to each impacted product. Please see the table under Affected Products for a full list of the affected Rockwell Automation products and the corresponding PI System vulnerability.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures, are provided herein.

Affected Products

Product	CVE-2020-10610	CVE-2020-10608	CVE-2020-10606	CVE-2020-10600	CVE-2020-10645
FactoryTalk® View SE software version 11.00.00 and earlier	X	X	X
FactoryTalk^® VantagePoint^® software version 8.10.00 and earlier	X	X	X
FactoryTalk Historian - ThingWorx Connector software version 3.00.00	X	X	X
FactoryTalk Historian SE software version 6.00.00 and earlier	X	X	X	X
PlantPAx^® DCS software (including Virtual Templates) version 4.60.00 and earlier	X	X	X
FactoryTalk ProcessBook software version 3.60.00 and earlier	X	X	X		X
FactoryTalk Datalink software version 5.30.00 and earlier	X	X	X
FactoryTalk Historian SE to Historian SE (SE2SE) Interface software version 3.08.07 and earlier	X	X	X
FactoryTalk Historian SE Interface for Universal File Loader software version 3.01.02 and earlier	X	X	X
FactoryTalk Historian SE Interface for ODBC (RDBMS) software version 3.20.06 and earlier	X	X	X
FactoryTalk Historian Batch Interface software version 1.00.20 and earlier	X	X	X
FactoryTalk Historian Event Frames Generator (PE EFGen) software version 4.00.25 and earlier	X	X	X
FactoryTalk Historian SE Advance Server software version 6.00.00 and earlier	X	X	X
FactoryTalk Historian SE third-party OLEDB Connectivity software version 4.00.00 and earlier	X	X	X
FactoryTalk Historian SE third-party OPC Connectivity software version 4.00.00 and earlier	X	X	X

Vulnerability Details

OSISoft provided the vulnerability details in their security advisory.

CVE-2020-10610: Local Privilege Escalation via Uncontrolled Search Path Element
A local attacker can modify a search path and plant a binary to exploit the affected PI System software and take control of the local computer at system level privileges, resulting in unauthorized information disclosure, deletion or modification.

CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.c

CVE-2020-10608: Local Privilege Escalation via Improper Verification of Cryptographic Signature
A local attacker can plant a binary and bypass a code integrity check for loading PI System libraries. Exploitation can target another local user of the software to escalate privilege, resulting in unauthorized information disclosure, deletion or modification.

CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

CVE-2020-10606: Local Privilege Escalation via Incorrect Default Permissions
A local attacker can exploit incorrect permissions set by affected PI System software. Exploitation can result in unauthorized disclosure, deletion, or modification if the local computer also processes PI System data from other users such as a shared workstation or terminal server deployment.

CVSS v3 Base Score: 7.8/10 (HIGH)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

CVE-2020-10600: Null Pointer Dereference may cause Denial-conditions
A remote, authenticated attacker could crash PI Archive Subsystem when the subsystem is working under memory pressure. This can result in blocking queries to PI Data Archive and may cause denial-of-service conditions.

CVSS v3 Base Score: 5.9/10 (MEDIUM)
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H.

CVE-2020-10645: Use of Out-of-range Pointer Offset may lead to Remote Code Execution
A remote, authenticated attacker could embed malicious content in the display file of the impacted software product. When opened by an affected version, the attacker could read, write and execute code on the computer with the impacted software in the context of the current user.

CVSS v3 Base Score: 8.0/10 (HIGH)*
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

* Note: OSIsoft calculated the Temporal CVSS metrics for this vulnerability, which brings the score to a 6.4/10 (MEDIUM)

Risk Mitigation & User Action

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates and user guidance as these fixes become available. Please subscribe to security updates to this advisory and the Industrial Security Index (Knowledgebase PN1354) to stay notified.

Customers currently using any of the affected software are encouraged to take the following actions:

v2.0 - Update:

Product	CVE Identifiers	Suggested Action
FactoryTalk® View SE software	CVE-2020-10606 CVE-2020-10608 CVE-2020-10610	Download v12.00.00 or later.
FactoryTalk Historian SE	CVE-2020-10600 CVE-2020-10606 CVE-2020-10608 CVE-2020-10610	Download v7.00.00 or later.
PlantPAx® DCS software (including Virtual Templates)	CVE-2020-10606 CVE-2020-10608 CVE-2020-10610	Download v5.00 or later.
FactoryTalk ProcessBook software	CVE-2020-10606 CVE-2020-10608 CVE-2020-10610 CVE-2020-10645	Download v3.70.01 or later.
FactoryTalk Datalink software	CVE-2020-10606 CVE-2020-10608 CVE-2020-10610	Download v5.50.02 or later.
FactoryTalk Historian SE Interface for Universal File Loader software	CVE-2020-10606 CVE-2020-10608 CVE-2020-10610	Download v3.60.07 or later.
FactoryTalk Historian SE Interface for ODBC (RDBMS) software	CVE-2020-10606 CVE-2020-10608 CVE-2020-10610	Download v3.24.05 or later.
FactoryTalk Historian Event Frames Generator (PE EFGen) software	CVE-2020-10606 CVE-2020-10608 CVE-2020-10610	Download v4.00.40 or later.
FactoryTalk Historian SE Advance Server software	CVE-2020-10606 CVE-2020-10608 CVE-2020-10610	Download v7.00.00 or later.
FactoryTalk Historian SE third-party OLEDB Connectivity software	CVE-2020-10606 CVE-2020-10608 CVE-2020-10610	Download v7.00.00 or later.
FactoryTalk Historian SE third-party OPC Connectivity software	CVE-2020-10606 CVE-2020-10608 CVE-2020-10610	Download v7.00.00 or later.

v1.0 - Initial Release:
Customers currently using any of the affected software that is not listed in the table above are encouraged to take the following actions:

Vulnerability Identifier	Suggested Actions
CVE-2020-10610	Work with your IT administrator to manage permissions on HKLMSoftwarePISystem and HKLMSoftwareWOW6432NodePISystem registry keys to block a high impact exploit path. Monitor the above keys and the following folder: ProgramDataPISystem for any unauthorized changes See Knowledgebase ID QA59280 for details on setting registry permissions. See Knowledgebase ID QA59281 for details on monitoring the registry.
CVE-2020-10608	Restrict network connections from PI client workstations to trusted AF servers (TCP port 5457)
CVE-2020-10606	Evaluate and disable unused PI Buffering services from PI client workstations (PI Buffer Subsystem, PI Buffer Server) By default, buffering is not configured. If buffering is configured, the preferred method of authentication is to use Windows Authentication for the connection from the Buffer to the Historian. See Knowledgebase ID QA59282 to check whether PI Buffering is enabled.
CVE-2020-10600	Limit console and remote desktop logon access to authorized administrators for normally unattended PI System servers and interface nodes.
CVE-2020-10645	Delete lfmngu.dll from %PIHOME%Procbook directory (typically C:Program Files (x86)Rockwell SoftwareFactoryTalk HistorianPIPCProcbook or C:Program Files (x86)PIPCProcbook). The third-party library is not needed for supported PI ProcessBook features. See Knowledgebase Document ID QA56969 for other possible default installation paths.

General Security Guidelines

Run all software as user, not as an administrator, to minimize the impact of malicious code on the infected system.
(CVE-2020-10610 & CVE-2020-10608) Use of Microsoft® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
Locate control system networks and devices behind firewalls and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

Additional Links

Critical

PN1500 | PN1500 | FactoryTalk Activation Affected by Sentinel LDK Vulnerabilities

Published Date:

April 23, 2020

Last Updated:

April 23, 2020

CVE IDs:

CVE-2017-12819, CVE-2019-8282, CVE-2017-11497, CVE-2017-11496, CVE-2017-12818, CVE-2017-11498, CVE-2017-12821, CVE-2017-12822, CVE-2019-8283, CVE-2017-12820

Products:

FactoryTalk Activation

CVSS Scores:

7.5, 9.9, 9.8, 5.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 / April 23, 2020 - Initial Release

Executive Summary

Kaspersky, a cybersecurity company, alerted Rockwell Automation of ten vulnerabilities in the hasplms service that is part of Gemalto’s HASP SRM, Sentinel HASP, and Sentinel LDK products. FactoryTalk® Activation provides the user a way to install the Sentinal LDK Runtime Environment. The Sentinal LDK Runtime Environment allows the installation of the necessary drivers to use Flexera dongles. Customers who are not using Flexera dongles to store activations would not be impacted by these vulnerabilitites.

These vulnerabilities are remotely exploitable and may allow threat actors to cause a denial-of-service (DoS) condition or execute arbitrary code if successfully exploited.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

FactoryTalk Activation Manager v4.03.11 and below

Includes Sentinal LDK Runtime Environment v7.50

Vulnerability Details

CVE-2017-12822: Remote Code Execution (RCE) via Admin Interface
A remote, unauthenticated attacker may enable and disable the admin interface in the Sentinel LDK Runtime Environment. Attacker may cause remote code execution.

CVSS v3.0 Base Score: 9.9/CRITICAL
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

CVE-2017-11496: Arbitrary Code Execution via Malformed ASN.1 Streams
A stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center) may allow a remote, unauthenticated attacker to execute arbitrary code via malformed ASN.1 streams in V2C and similar input files.

CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-11497: Arbitrary Code Execution via Language Packs with Filenames Longer than 1024 Characters
A stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center) may allow a remote, unauthenticated attacker to execute arbitrary code via language packs containing filenames longer than 1024 characters.

CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-12819: NTLM-Relay Attack via Remote Manipulations with Language Pack Updater
Manipulations with language pack updater may allow a remote, unauthenticated attacker to perform a NTLM-relay (NT Lan Manager) attack for system users. Successful exploitation of this vulnerability may cause a NTLM-hash capture that could lead to unknown impacts.

CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-12821: Remote Code Execution via Memory Corruption
An XML payload with more than the supported number of elements leads to a buffer overflow of a variable in stack. Successful exploitation may allow a remote, unauthenticated attacker to cause denial-of-service (DoS) conditions or remote code execution.

CVSS v3.0 Base Score: 9.8/CRITICAL
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-11498: Denial of Service (DoS) via Language Pack (ZIP file) with Invalid HTML Files
Language packs (ZIP files) with invalid HTML files lead to null pointer dereferences, which could be exploited by malicious HTML files. Successful exploitation may allow a remote attacker, unauthenticated attacker to cause denial of service (DoS) conditions.

CVSS v3.0 Base Score: 7.5/HIGH
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

CVE-2017-12818: Denial of Service (DoS) via Stack Overflow in Custom XML-Parser
A stack overflow in custom XML-parser in Sentinel LDK may allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition.

CVSS v3.0 Base Score: 7.5/HIGH
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2017-12820: Denial of Service (DoS) via Arbitrary Memory Read from Controlled Memory Pointer
An arbitrary memory read from controlled memory pointer in Sentinel LDK may allow a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition.

CVSS v3.0 Base Score: 7.5/HIGH
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2019-8282: Man-in-the-Middle (MITM) Attack via Cleartext HTTP Communications
Gemalto ACC (Admin Control Center) uses cleartext HTTP to obtain language packs. A skilled remote attacker may be able to perform a Man-in-the-Middle (MITM) attack and replace the original language pack with a malicious one. User interaction is required in order for attackers to successfully exploit this vulnerability.

CVSS v3.0 Base Score: 5.3/MEDIUM
CVSS v3.0 Vector String: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N.

CVE-2019-8283: Hasplm cookie does not have a HTTPOnly Attribute
The Hasplm cookie in Gematlo ACC (Admin Control Center) does not have HTTPOnly flag. This may allow a remote attacker to use a malicious javascript to steal the cookie. User interaction is required.

CVSS v3.0 Base Score: 5.3/MEDIUM
CVSS v3.0 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.

Risk Mitigation & User Action

Customers using the affected versions of FactoryTalk Activation are encouraged to update to FactoryTalk Activation version 4.04.00 or greater. This version addresses the associated risk and uses a version of Sentinel LDK Runtime Environment with no known vulnerabilities associated with it at time of publication.

General Security Guidelines

Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP™ traffic from unauthorized sources are blocked.
Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® Products, refer to Knowledgebase Article ID 898270.
Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft® AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1498 | PN1498 | Current Program Updater Vulnerable to Privilege Escalation

Published Date:

April 09, 2020

Last Updated:

April 09, 2020

CVE IDs:

CVE-2017-5176

Products:

Current Program Updater v1.1.0.7

CVSS Scores:

7.0

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - April 09, 2020. Initial Release.

Executive Summary

Rockwell Automation received a vulnerability report from Reid Wightman, a researcher from Dragos, regarding a file permission vulnerability affecting several Dynamic Link Library (DLL) files added during installation of the Current Program Updater software. If successfully exploited, this vulnerability may allow a local attacker to escalate privileges on the targeted PC to gain system administrative control.

Current Program Updater is installed with the Product Selection Toolbox™ suite along with other toolkits. For a full list, please see the affected products below.

Affected Products

Current Program Updater v1.1.0.7 and earlier.

The following tools use the affected version of Current Program Updater:

Batch Accelerator Toolkit v1.0.0.0
CENTERLINE® 2500 Global Production v1.0.4.0 and earlier
CENTERLINE Builder v3.19.0829.02
Computer Numerical Control (CNC) Accelerator Toolkit v0.0.0.0
Connected Components Accelerator Tool Kit v1.1.0.0 to v3.4.0.0
Connected Components Workbench™ software (CCW) v11 and earlier
Drives & Motions Accelerator Toolkit v1.0.0.0
Energy Management Accelerator Toolkit v3.0.0.0 and earlier
PowerOne v1.51.55 and earlier
Product Selection Toolbox Suite:
- CrossWorks™ v4.3.0.11 and earlier
- Integrated Architecture® Builder v9.7.9.1 and earlier
- MCSStar v5.1.0.7
- ProposalWorks™ v10.0.7185.14602 and earlier
- Product Selection Toolbox Installer v.18.09.x and earlier
- Prosafe® Builder v1.1.0.0 and earlier
- Safety Automation Builder® v3.1.0.2 and earlier
- User-Defined Devices v1.6.0.12 and earlier
Safety Accelerator Toolkit v6.0.0.0 and earlier
Water Wastewater Accelerator Toolkit v3 and earlier

Vulnerability Details

CVE-2017-5176: File Permission Vulnerability Leading to Privilege Escalation
A local, authenticated attacker could write to several directories containing Dynamic Load Library (DLL) files that execute with system level privilege. These DLL files inherit the properties of these directories, meaning DLL files that run at the system level can be written to by a normal user and lead to an escalation of privileges. Certain registry keys were also found to be writeable to normal users.

A CVSS v3 base score of 7.0/High has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Customers currently using any of the affected tools are encouraged to take the following actions:

Existing customers using affected versions of the tools should update to the newest version of the tools. Existing users can do this by running an update in Current Program Updater. New users can do this by accepting and running the Current Program Updater update offered immediately during installation. After the tool runs, it will apply the most recent version of Current Program Updater as well as the most recent version of the tools currently installed. Fixed versions of toolkits will no longer allow the toolkits to make changes to the access controls of files and registry keys.
Work with your IT administrators to ensure that the following files and registry keys have the correct access control permissions. Ensure that the least-privilege user principle is followed, and user/service account access is only granted with a minimum number of rights as needed.

Toolkit	Impacted Registry Keys or Files
All Tools	C:WindowsSysWOW64raise.dll C:WindowsSysWOW64SSPodt.exe HKEY_CLASSES_ROOTRAISE
Batch Accelerator Toolkit	HKEY_CLASSES_ROOTRAISEInstalled ComponentsBatch
CENTERLINE 2500 Global Product Configuration Builder	HKEY_CLASSES_ROOTRAISEInstalled ComponentsInstalled ComponentsEST_Adv
CENTERLINE Builder	HKEY_CLASSES_ROOTRAISEInstalled ComponentsCENTERLINEBuilder
CNC Accelerator Toolkit	HKEY_CLASSES_ROOTRAISEInstalled ComponentsCMAT
Connected Components Accelerator Tool Kit	HKEY_CLASSES_ROOTRAISEInstalled ComponentsCCAT
Current Program Updater	HKEY_CLASSES_ROOTRAISEInstalled ComponentsShared
Drives and Motion Accelerator Toolkit	HKEY_CLASSES_ROOTRAISEInstalled ComponentsSimp_DMAT
Energy Management Accelerator Toolkit	HKEY_CLASSES_ROOTRAISEInstalled ComponentsSimp_EMAT
Product Selection Toolbox Suite	HKEY_CLASSES_ROOTRAISEInstalled ComponentsShared
&Safety Accelerator Toolkit	HKEY_CLASSES_ROOTRAISEInstalledComponentsSimp_SafetyGuardLogix
Water Wastewater Accelerator Toolkit	HKEY_CLASSES_ROOTRAISEInstalled ComponentsSimp_WWWAT

If a toolkit has been installed to a custom directory, customers are encouraged to identify what other directories may have had the access level privileges modified by the toolkits and work with their IT administrator to ensure the directories have the correct level of permissions. Ensure that the least-privilege user principle is followed, and user/service account access is only granted with a minimum number of rights as needed. To identify these directories, customers can review the list at the following registry key:

HKEY_CLASSES_ROOTRAISEInstalled Components

The following toolkits are considered End of Life (EOL):

Product Family	Suggested Actions
Connected Components Accelerator Tool Kit Drives & Motions Accelerator CNC Accelerator Toolkit Safety Accelerator Toolkit Energy Management Accelerator Toolkit Water Wastewater Accelerator Toolkit	Customers are encouraged to discontinue use of these toolkits and uninstall if possible and follow the remediation steps outlined above.

General Security Guidelines

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft^® AppLockeror other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

ADDITIONAL LINKS

High

PN1499 | PN1499 | RSLinx Classic Privilege Escalation Vulnerability

Published Date:

April 09, 2020

Last Updated:

April 09, 2020

CVE IDs:

CVE-2020-10642

Products:

RSLinx Classic (Single Node

CVSS Scores:

8.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - April 09, 2020. Initial Release.

Executive Summary

Rockwell Automation received a report from the researcher William Knowles at Applied Risk regarding a vulnerability in RSLinx® Classic software, which if successfully exploited, could allow an authenticated attacker to gain elevated or SYSTEM level privileges.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

RSLinx versions 4.11.00 and earlier.

Vulnerability Details

CVE-2020-10642: Privilege Escalation via Weak Registry Key Permissions
An authenticated, local attacker could modify the registry key, which could lead to the execution of malicious code when RSLinx Classic was opened. The code would run under the same system privileges as RSLinx and therefore, could be used for privilege escalation.

CVSS v3.0 Base Score: 8.8/HIGH
CVSS v3.0 Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected versions of RSLinx Classic are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards the risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family	Suggested Actions
RSLinx Classic	Apply Patch 1091155 (Download). The patch can be applied to v3.60 to v4.11, but customers are encouraged to apply the most recent version of RSLinx Classic.

General Security Guidelines

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft^® AppLocker or other similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
Ensure that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

ADDITIONAL LINKS

Critical

PN1027 | PN1027 | Stratix 5950 Contains Multiple Vulnerabilities

Published Date:

April 07, 2020

Last Updated:

April 07, 2020

CVE IDs:

CVE-2018-0228, CVE-2018-0296, CVE-2018-0227, CVE-2018-0231, CVE-2018-0240

Products:

Stratix 5950 Security Appliance

CVSS Scores:

7.5, 10.0, 8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - June 21, 2018. Initial Release.

Revision History

Revision Number

1.1

Revision History

Version 1.1 - April 07, 2020. Updates to mitigations and other languages.

Introduction

Stratix 5950 Client Certificate Bypass and Denial of Service Vulnerabilities

Description

Executive Summary

Cisco Systems, Inc. (“Cisco”) has released advisories detailing multiple vulnerabilities in Cisco Adaptive Security Appliance (“ASA”) Software that, if successfully exploited, could potentially allow a threat actor to bypass client certification to create connections to the affected device, cause an affected device to crash, or allow a threat actor to view potentially sensitive data on a device. The Allen-Bradley® Stratix® 5950 uses Cisco ASA software as its central operating system; this enables the security device to offer capabilities that include providing proactive threat defense for industrial control systems.

Customers using affected versions of this product are encouraged to evaluate the mitigations provided below, and apply any appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided below.

Affected Products

Allen-Bradley® Stratix® 5950 Security Appliance
(Cisco Adaptive Security Appliance v9.6.2 and earlier)

1783-SAD4T0SBK9
1783-SAD4T0SPK9
1783-SAD2T2SBK9
1783-SAD2T2SPK9

Vulnerability Details

Vulnerability #1: Flow Creation Denial of Service Vulnerability
A vulnerability in the ingress flow creation functionality of Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause the CPU to increase upwards of 100 percent utilization, causing a denial of service (DoS) condition on an affected system.

The vulnerability is due to incorrect handling of an internal software lock that could prevent other system processes from getting CPU cycles, causing a high CPU condition. A threat actor could exploit this vulnerability by sending a steady stream of malicious IP packets that can cause connections to be created on the targeted device. A successful exploit could allow the threat actor to exhaust CPU resources, resulting in a DoS condition during which traffic through the device could be delayed. This vulnerability applies to either IPv4 or IPv6 ingress traffic either to or across an affected device.

CVE-2018-0228 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #2: Virtual Private Network SSL Client Certificate Bypass Vulnerability
A vulnerability in the Secure Sockets Layer (SSL) Virtual Private Network (VPN) Client Certificate Authentication feature for Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote threat actor to establish an SSL VPN connection and bypass certain SSL certificate verification steps.

The vulnerability is due to incorrect verification of the SSL Client Certificate. A threat actor could exploit this vulnerability by connecting to the ASA VPN without a proper private key and certificate pair. A successful exploit could allow the threat actor to establish an SSL VPN connection to the ASA when the connection should have been rejected.

CVE-2018-0227 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

Vulnerability #3: Transport Layer Security Denial of Service Vulnerability
A vulnerability in the Transport Layer Security (TLS) library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote threat actor to trigger a reload of the affected device resulting in a denial of service (DoS) condition.

The vulnerability is due to insufficient validation of user-supplied input. A threat actor could exploit this vulnerability by sending a malicious TLS message to an interface enabled for Secure Layer Socket (SSL) services on an affected device. Messages using SSL Version 3 (SSLv3) or SSL Version 2 (SSLv2) cannot be be used to exploit this vulnerability. An exploit could allow the threat actor to cause a buffer underflow, triggering a crash on an affected device.

CVE-2018-0231 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #4 Application Layer Protocol Inspection Denial of Service Vulnerabilities
Multiple vulnerabilities in the Application Layer Protocol Inspection feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote threat actor to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

The vulnerabilities are due to logical errors during traffic inspection. A threat actor could exploit these vulnerabilities by sending a high volume of malicious traffic across an affected device. An exploit could allow the threat actor to cause a deadlock condition, resulting in a reload of an affected device.

CVE-2018-0240 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #5: Web Services Denial of Service or Potential Sensitive Information Disclosure
A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote threat actor to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but a threat actor could view sensitive system information without authentication by using directory traversal techniques.

The vulnerability is due to lack of proper input validation of the HTTP URL. A threat actor could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the threat actor to cause a DoS condition or unauthenticated disclosure of information. This vulnerability applies to IPv4 and IPv6 HTTP traffic.

CVE-2018-0296 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H.

Risk Mitigation & User Action

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and are encouraged when possible, to combine this guidance with the general security guidelines to employ multiple strategies simultaneously.

Update the Stratix 5950 per the table below:

Vulnerability	Suggested Actions
#1: Flow Creation Denial of Service Vulnerability #2: Virtual Private Network SSL Client Certificate Bypass Vulnerablity #3: Transport Layer Security Denial of Service Vulnerability #4: Application Layer Protocol Inspection Denial of Service Vulnerabilities #5 Web Services Denial of Service or Potential Sensitive Information Disclosure	Apply FRN v6.4.0 (Download)

Secondary Mitigations include the following:

#1: Flow Creation Denial of Service Vulnerability: The ASA and FTD configuration commands, set connection per-client-embryonic-max (TCP) and set connection per-client-max (TCP, UDP, and Stream Control Transmission Protocol {SCTP}), can be configured to limit the number of connection requests allowed. Using these configuration parameters can reduce the number of connections and greatly reduce the impact of the DoS attack.
#5 Web Services Denial of Service or Potential Sensitive Information Disclosure: Cisco has released Snort Rule 46897.

General Security Guidelines

Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security)

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

Attachments

File

KB-1073860_Stratix5950_v1.1.pdf

High

PN1046 | PN1046 | Stratix 5950 Denial of Service Vulnerability

Published Date:

April 07, 2020

Last Updated:

April 07, 2020

CVE IDs:

CVE-2018-0472

Products:

Stratix 5950 Security Appliance

CVSS Scores:

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - April 04, 2019. Initial Release

Revision History

Revision Number

1.1

Revision History

Version 1.1 - April 7, 2020. Updates to mitigations.

Introduction

Stratix 5950 Denial of Service Vulnerability

Description

Executive Summary

Cisco® released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included seven security advisories that affect Allen-Bradley® products. One of these vulnerabilities affects the following Allen-Bradley Stratix® product:

Allen-Bradley Stratix 5950 Security Appliance

Affected Products

Allen-Bradley Stratix 5950 Security Appliance

1783-SAD4T0SBK9
1783-SAD4T0SPK9
1783-SAD2T2SBK9
1783-SAD2T2SPK9

Vulnerability Details

Cisco Adaptive Security Appliance (ASA) IPsec Denial of Service

A vulnerability in the IPsec driver code of multiple Cisco IOS XE Software platforms and the Cisco ASA 5500-X Series Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause the device to reload.

The vulnerability is due to improper processing of malformed IPsec Authentication Header (AH) or Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by sending malformed IPsec packets to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device.

NOTE: IPsec is disabled by default in the Allen-Bradley Stratix 5950 devices.

The security disclosure from Cisco for their IOS XE and Cisco ASA 5500-x Series is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipsec.

CVE-2018-0472 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Risk Mitigation & User Action

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and are encouraged when possible, to combine this guidance with the general security guidelines to employ multiple strategies simultaneously.

Update the affected products per the table below:

Product

Suggested Actions

Stratix 5950 Security Appliance

1783-SAD4T0SBK9
1783-SAD4T0SPK9
1783-SAD2T2SBK9
1783-SAD2T2SPK9

Apply FRN v6.4.0 (Download)

General Security Guidelines

Utilize proper network infrastructure controls, such as firewalls, to help ensure that requests from unauthorized sources are blocked and the controls are isolated from the business network.
Consult the product documentation for specific features, such as access control lists and deep pack inspection, to which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

Medium

PN1100 | PN1100 | Stratix 5950 Secure Boot Hardware Tampering Vulnerability

Published Date:

March 10, 2020

Last Updated:

March 10, 2020

CVE IDs:

CVE-2019-1649

Products:

__productNames

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

Revision 1.0

Revision History

March 10, 2020. Initial Release.

Executive Summary

Cisco Systems, Inc. (Cisco) released an advisory regarding a vulnerability in the logic that handles access control to a hardware component in Cisco’s proprietary Secure Boot implementation. If successfully exploited, an attacker could write a modified firmware image to the component. The Allen-Bradley® Stratix® 5950 utilizes Cisco’s proprietary Secure Boot implementation.

Customers using affected versions of this product are encouraged to evaluate the mitigations provided below and apply any appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided below.

Affected Products

Allen-Bradley Stratix 5950 Security Appliance:

1783-SAD4T0SBK9
1783-SAD4T0SPK9
1783-SAD2T2SBK9
1783-SAD2T2SPK9

Vulnerability Details

CVE-2019-1649: Cisco Secure Boot Hardware Tampering
A vulnerability in the logic that handles access control to one of the hardware components in Cisco's proprietary Secure Boot implementation could allow an authenticated, local attacker to write their own modified firmware image to the affected component.

The vulnerability is due to an improper check on the area of code that manages on-premise updates to a Field Programmable Gate Array (FPGA) part of the Secure Boot hardware implementation. An attacker with elevated privileges and access to the underlying operating system running on the affected device could utilize this vulnerability to write a modified firmware image to the FPGA. A successful exploit could cause the device to become unusable (and require a hardware replacement) or allow tampering with the Secure Boot verification process, which under some circumstances may allow the attacker to install and boot a malicious software image.

The security disclosure from Cisco regarding their Secure Boot implementation is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot.

CVSS v3.1 Base Score: 6.7/10[MEDIUM]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk and are encouraged when possible, to combine this guidance with the general security guidelines to employ multiple strategies simultaneously.

Update the affected products per the table below:

Vulnerability	Product	Suggested Actions
CVE-2019-1649	Stratix 5950 Security Appliance 1783-SAD4T0SBK9 1783-SAD4T0SPK9 1783-SAD2T2SBK9 1783-SAD2T2SPK9	Apply FRN v6.4.0 (Download)

General Security Guidelines

Utilize proper network infrastructure controls, such as firewalls, to help ensure that requests from unauthorized sources are blocked and the controls are isolated from the business network.
Consult the product documentation for specific features, such as access control lists and deep pack inspection, to which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (KAByrd@ra.rockwell.com).

Additional Links

Critical

PN1411 | PN1411 | MicroLogix Controllers, RSLogix 500 Software Contains Multiple Vulnerabilities Affecting Confidentiality

Published Date:

March 05, 2020

Last Updated:

March 05, 2020

CVE IDs:

CVE-2020-6980, CVE-2020-6990, CVE-2020-6988, CVE-2020-6984

Products:

RSLogix 500

CVSS Scores:

4.0, 5.9, 9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

Version 1.0

Revision History

March 05, 2020 - Intitial release.

Executive Summary

A subset of MicroLogix™ controllers and RSLogix 500® software contain multiple vulnerabilities that could allow an attacker to gain access to sensitive project file information including passwords. Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies submitted reports to Rockwell Automation regarding several vulnerabilities found in the Allen-Bradley® MicroLogix controllers and RSLogix 500 software. A subset of these vulnerabilities was also independently co-discovered and reported by Rongkuan Ma, Xin Che, and Peng Cheng from 307 Lab.

Customers using affected versions of these products are encouraged to evaluate their risk and apply the appropriate mitigations provided below to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

MicroLogix 1400 Controllers
Series B, v21.001 and earlier
Series A, all versions

MicroLogix 1100 Controllers
All versions

RSLogix 500® Software
V12.001 and earlier

Vulnerability Details

CVE-2020-6990: Use of Hard-Coded Cryptographic Key
The cryptographic key utilized to help protect the account password is hard-coded into the RSLogix 500 binary file. An attacker could identify cryptographic keys and use it for further cryptographic attacks that could ultimately lead to a remote attacker gaining unauthorized access to the controller.

CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

CVE-2020-6984: Use of a Broken or Risky Algorithm for Password Protection
The cryptographic function utilized to protect the password in MicroLogix is discoverable. This password protects access to the device. If successfully exploited a remote attacker could gain unauthorized access to the controller.

CVSS v3.1 Base Score: 9.8/CRITICAL
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2020-6988: Use of Client-Side Authentication
A remote, unauthenticated attacker can send a request from the RSLogix 500 software to the victim’s MicroLogix controller, and the controller will then respond to the client with used password values to authenticate the user on the client-side. This method of authentication may allow an attacker to bypass authentication altogether, disclose sensitive information, or leak credentials.

CVSS v3.1 Base Score: 5.9/MEDIUM
CVSS v3.1 Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

CVE-2020-6980: Unsecured SMTP Data Storage
If Simple Mail Transfer Protocol (SMTP) account data is saved in RSLogix 500, a local attacker with access to a victim’s project file or the controller, may be able to gather SMTP server authentication data as it is written to the project file in cleartext.

CVSS v3.1 Base Score: 4.0/MEDIUM
CVSS v3.1 Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Acknowledgements:

CVE#	Discovery Attribution
CVE-2020-6990	Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies.
CVE-2020-6984	Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies. Independently co-discovered by Rongkuan Ma, Xin Che, and Peng Cheng from 307 lab.
CVE-2020-6988	Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies. Independently co-discovered by Rongkuan Ma, Xin Che, and Peng Cheng from 307 lab.
CVE-2020-6980	Originally reported by Ilya Karpov, Evgeny Druzhinin from independent research team ScadaX Security and Dmitry Sklyarov from Positive Technologies.

Risk Mitigation & User Action

Customers are encouraged to assess their level of risk regarding their specific applications and update to the latest available firmware or software version that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below and are encouraged, when possible, to combine these strategies with the general security guidelines to employ multiple strategies simultaneously.

Note: Customers using affected versions of MicroLogix 1400 or MicroLogix 1100 are urged to contact their local distributor or sales office to upgrade their devices to MicroLogix 1400 Series B or a newer product line.

Product	Catalog Numbers	Suggested actions for CVE-2020-6990, CVE-2020-6984, and CVE-2020-6988	Suggested actions for CVE-2020-6980
MicroLogix 1400 controllers, Series B	1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA	Apply FRN 21.002 or later for MicroLogix 1400 Series B devices (Download). Use the Enhanced Password Security feature.	Apply FRN 21.002 or later for MicroLogix 1400 Series B devices (Download). Use the Enhanced Password Security feature.
MicroLogix 1400 controllers, Series A	1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA	No direct mitigation.	No direct mitigagion.
MicroLogix 1100 controllers.	1763-L16BWA 1763-L16AWA 1763-L16BBB 1763-L16DWD	No direct mitigation.	No direct mitigation.
RSLogix 500® software	R324-RL0x	Apply version V11 or later (Download), used in conjunction with applied FRN 21.002 or later for MicroLogix 1400 Series B devices. Use the Enhanced Password Security feature. Other configurations, no direct mitigation.	No direct mitigation.

General Security Guidelines

Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of the Microsoft® AppLocker application or another similar whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please see our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

Additional Links:

PN359 | PN359 | Firmware Upgrade Security Notice: Comment on DHS Communication (Control Systems Vulnerability in Multiple Sectors)

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

Products:

1756-L72, L73, L74, L75 , 1789 SoftLogi PC

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Firmware Upgrade Security Notice: Comment on DHS Communication (Control Systems Vulnerability in Multiple Sectors)

Description

Rockwell Automation recognizes the importance of information and control system security to our customers. We are committed to working with government agencies and standards development organizations to develop solutions targeted to help our customers improve their overall system security strategy.

As part of this effort, the Idaho National Laboratory (INL) Control Systems Security Program, under contract to the Department of Homeland Security (DHS), identified a potential security concern within the firmware upgrade process used in control systems deployed in Critical Infrastructure and Key Resources (CIKR). DHS has confirmed that the firmware upgrade process can be intentionally manipulated in a manner that has potential to render the device inoperable and cause a disruption to the process and/or system operation.

Rockwell Automation has been working in partnership with DHS to identify potential short-term and long-term mitigation strategies.

As a result, Rockwell Automation is implementing a policy to digitally sign most firmware images and require contemporary devices to validate this signature before applying a firmware upgrade. Over time, many contemporary Rockwell Automation products will include this signature validation mechanism to help ensure firmware integrity and authenticity.

The following Rockwell Automation products currently authenticate firmware using digital signatures:

ControlLogix 1756-L72, L73, L74, L75 Programmable Automation Controllers
Virtual firmware of the 1789 SoftLogix PC based controllers

For other devices, to help reduce the likelihood of the upgrade process being exploited and help reduce associated security risk, Rockwell Automation and DHS recommend the following short-term mitigation strategies (Note: multiple strategies can be employed simultaneously):

Disable where possible the capability to perform remote firmware upgrades over a network to a controller by placing the controller key switch into RUN mode. This prevents the Allen-Bradley brand controllers from accepting firmware upgrades.
Restrict physical and electronic access to automation networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
Restrict firmware upgrades to the local ControlNetwork or direct (point-to-point) physical methods only by physically or electronically isolating target devices from any larger system while performing a firmware upgrade.
Temporarily remove unnecessary network connections to the device before administering a firmware upgrade. Reactivate device-specific security measures and replace network connections only after a successful firmware upgrade.
Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks.

Rockwell Automation is currently investigating additional long-term mitigation strategies that include, but are not limited to:

Additional techniques to verify the authenticity of firmware updates to help reduce the likelihood of file tampering.
Enhancements to the joint Rockwell Automation / Cisco Plantwide Reference Architecture that detail methods and recommendations which can further strengthen control system security.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

Reference http://www.ab.com/networks/architectures.html for comprehensive information about improving your control system to implement validated architectures designed to deliver layered-security and defense-in-depth.

KCS Status

Flagged - Formatting

PN391 | PN391 | ControlLogix 1756-ENBT/A Ethernet/IP Bridge - Potential Security Vulnerabilities

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

Products:

1756 ControlLogix I/O

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Description

Potential Security Vulnerabilities

Rockwell Automation has identified three potential security vulnerabilities related to the web interface of the 1756-ENBT/A EtherNet/IP Bridge Module (the "Product"). Specifically, the risks include the following:

The potential for cross-site scripting, which could allow the Product to be used in a social engineering attack.
An attacker could potentially craft a URL that looked as if it would take a user to the Product, but would instead execute script from a different location. A successful attack would require the attacker to transmit the crafted URL to a user with access to the web interface of the Product and to convince that user to open the URL.
The potential for web redirection, which could allow the Product to be used in a social engineering attack.
An attacker could potentially craft a URL that looked as if it would take a user to the Product, but would actually direct the browser to a different location. A successful attack would require the attacker to transmit the crafted URL to a user with access to the web interface of the Product and to convince that user to open the URL.
The potential for exposure of some of the Product’s internal web page information. While this does not directly present a functional vulnerability, it does expose some internal information about the module.

Risk Mitigation

None of these issues results in the Product’s web pages or other Product functions being compromised or otherwise affected.

These potential security vulnerabilities are corrected in:

1756-ENBT Version 4.008
1756-EWEB Version 4.009

The best way to mitigate the risk associated with these issues is to employ the following in the design of network architecture:

Layered security.
Defense-in-depth methods.

Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

Additionally, to help mitigate the risk associated with the cross-site scripting potential vulnerability, certain web browsers and/or browser add-ons can be used. Internet Explorer Version 8 (which is currently in beta release) has cross-site scripting protection built-in. Additionally, the NoScript add-on for the FireFox browser can help prevent cross-site scripting attacks.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security/.

REFERENCES

http://www.kb.cert.org/vuls/id/124059

http://www.kb.cert.org/vuls/id/619499

http://www.kb.cert.org/vuls/id/882619

Industry Advisory - CIP: Rockwell Automation ControlLogix 1756-ENBT/A WebServer Vulnerabilities

KCS Status

Released

Medium

PN402 | PN402 | ControlLogix 1756-ENBT/A EtherNet/IP Bridge - Potential Security Vulnerability

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

Products:

ControlLogix 1756-ENBT/A Ethernet/IP Bridge

CVSS Scores:

5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

ControlLogix 1756-ENBT/A EtherNet/IP Bridge - Potential Security Vulnerability

Description

Rockwell Automation has identified a potential security vulnerability in the firmware upgrade process employed by the ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module (the "Product"). Details of this potential vulnerability are as follows:

The potential for an unauthorized replacement of Rockwell Automation Product firmware with a corrupted firmware image that may render the Product inoperable and/or change its otherwise normal operation.

The results from an attacker’s successful exploitation of this vulnerability could include Denial of Service (DoS) to the Product and other components dependent on the Product. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the Product for other malicious activities.

To help reduce the likelihood of exploitation and to help reduce associated security risk, Rockwell Automation recommends the following short-term mitigation strategies (Note: multiple strategies can be employed simultaneously):

Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to Industrial Network Architectures for comprehensive information about implementing validated architectures designed to deliver these measures.
Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (E.g. a firewall, UTM devices, or other security appliance).

In addition to these short-term mitigation strategies, Rockwell Automation continues our investigation and evaluation of other long-term mitigation strategies that include, but are not limited to:

Product and system-level techniques and functional enhancements to verify the authenticity of firmware updates and help reduce the likelihood of file tampering.
Enhancements to the joint Rockwell Automation / Cisco Plantwide Reference Architecture that detail methods and recommendations which can further strengthen control system security.

For your information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at https://www.rockwellautomation.com/global/capabilities/industrial-security/overview.page.

KCS Status

Released

Critical

PN560 | PN560 | Password Security Vulnerability in MicroLogix™ Controllers

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

Products:

MicroLogix Controllers

CVSS Scores:

10

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Password Security Vulnerability in MicroLogix™ Controllers

Description

Password Security Vulnerability in MicroLogix™ Controllers

Issue date December 18, 2009. Updated September 27, 2011.

Rockwell Automation has identified a security vulnerability in the programming and configuration client software authentication mechanism employed by the MicroLogix™ family of programmable controllers. This vulnerability is known to affect the MicroLogix family of controller platforms, including catalog numbers: 1761-Lxxxxx, 1762-Lxxxxx, 1763-Lxxxxx, 1764-Lxxxxx, 1766-Lxxxxx (the "Product").

Vulnerability Details:

The potential exists for a highly skilled, unauthorized person with specific tools, know-how and access to the Product or the control system communication link, to intercept and decipher the Product’s password and potentially make unauthorized changes to the Product’s operation.

--- Update begins here ---

Vulnerability Mitigation

The password mechanism used between RSLogix 500 software and MicroLogix controllers (1761-Lxxxxx, 1762-Lxxxxx, 1763-Lxxxxx, 1764-Lxxxxx, 1766-Lxxxxx) has been enhanced to mitigate risks relating to this specific vulnerability. Concerned customers are encouraged to upgrade RSLogix 500 software to version 8.4 or greater.

--- Update ends here ---

In addition to the recommended software upgrade, Rockwell Automation recommends customers take additional steps as outlined below to further reduce associated security risk from this vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system’s configuration too (Note: when possible, multiple strategies should be employed simultaneously):

Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

Periodically and frequently change the Product’s password and obsolete previously used passwords to reduce exposure to threat from a Product password becoming known.

Rockwell Automation remains committed to making additional security enhancements to our products and systems in the future. For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

Critical

PN567 | PN567 | Client Software Authentication Security Vulnerability in PLC5® and SLC™ 5/0x Controllers

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

Products:

1747-L5x, 1785-Lx

CVSS Scores:

10

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Description

Issued February 2, 2010. Updated March 3, 2010 - Version 1.2

Updated March 19, 2013 (see below)

Rockwell Automation has identified a potential security vulnerability in the programming and configuration client software authentication mechanism employed by certain versions of the PLC5 and SLC family of programmable controllers. The particular vulnerability affects older versions the following catalog numbers: 1785-Lx and 1747-L5x (the "Product"). Newer Products, programmed with current versions of RSLogix 5 or RSLogix 500, can enable specific security features like FactoryTalk Security services to effectively enhance security and reduce risks associated with this vulnerability. When coupled with contemporary network design practices, remaining risks linked to this vulnerability can be further reduced.

Details of this potential vulnerability to the affected Product are as follows:

The potential exists for a highly skilled, unauthorized person, with specific tools and know-how, to intercept communications between a Product and an authorized software client to gain access to the Product and interrupt its intended operation.

Customers who are concerned about unauthorized access to their Products can take immediate steps as outlined below to reduce associated security risk from this potential vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system’s configuration too.

To help reduce the likelihood of exploitation and to help reduce associated security risk in the PLC5 and SLC family of controllers, Rockwell Automation recommends the following immediate mitigation strategies (Note: when possible, multiple strategies should be employed simultaneously):

1. When applicable, upgrade Product firmware to a version that includes enhanced security functionality compatible with Rockwell Automation’s FactoryTalk Security services. This functionality can be enabled via RSLogix 5 or RSLogix 500 software. Recommended firmware revisions are as follows:

a. The 1747-L5x firmware should be OS Series C FRN 10, or higher.

b. 1785-Lx processor firmware should be at or above the following (refer to included table):

Catalog Number	Series A	Series B	Series C	Series D	Series E	Series F
Enhanced	Revision	Revision	Revision	Revision	Revision	Revision
1785-L11B	R.2	U.2	L.2	K.2
1785-L20B	R.2	U.2	L.2	K.2
1785-L30B	S.2	U.2	L.2	K.2
1785-L40B	S.2	U.2	L.2	K.2
1785-L40L	S.2	U.2	L.2	K.2
1785-L60B	S.2	U.2	L.2	K.2
1785-L60L	S.2	U.2	L.2	K.2
1785-L80B	U.2	L.2	K.2
Protected	Revision	Revision	Revision	Revision	Revision	Revision
1785-L26B	R.2	U.2	L.2	K.2
1785-L46B	S.2	U.2	L.2	K.2
1785-L46L	S.2	U.2
1785-L86B	U.2	L.2	K.2
Ethernet	Revision	Revision	Revision	Revision	Revision	Revision
1785-L20E	U.2	L.2	K.2	A.2
1785-L40E	U.2	L.2	K.2	A.2
1785-L80E	U.2	L.2	K.2	A.2
ControlNet	Revision	Revision	Revision	Revision	Revision	Revision
1785-L20C15	U.2	L.2	K.2	E.2
1785-L40C15	U.2	L.2	K.2	E.2
1785-L46C15	K.2	E.2
1785-L60C15	L.2
1785-L80C15	L.2	K.2	E.2

2. Use the latest version of RSLogix 5 or RSLogix 500 configuration software and enable FactoryTalk Security services.

3. Disable where possible the capability to perform remote programming and configuration of the Product over a network to a controller by placing the controller’s key switch into RUN mode.

4. For PLC5 controllers, enable and configure "Passwords and Privileges" to restrict access to critical data and improve password security.

5. For SLC controllers, enable static protection via RSLogix 500 on all critical data table files to prevent any remote data changes to critical data.

<START UPDATE>

Added: 19 Mar 2013

Both RSLogix 500 and RSLogix Micro software version 8.40 were enhanced to introduce password encryption without any changes necessary to SLC and MicroLogix firmware. This implementation is compatible with all SLC and MicroLogix platforms.

In order to use this capability, a new "Encrypt Password" checkbox has been included in RSLogix 500/Micro version 8.40. This "Encrypt Password" checkbox is located on the Password tab of the Controller Properties page.

NOTE: Once an encrypted password is loaded into a controller, earlier versions of RSLogix 500 and RSLogix Micro will not be able to match the controller password.

For detailed information, refer to Publication 1766-RM001E-EN-P - May 2012, Program Password Protection

6. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

7. Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

8. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

Rockwell Automation is committed to making additional security enhancements to our systems in the future.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

PN676 | PN676 | FactoryTalk RnaUtility.dll Vulnerability

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

Products:

FactoryTalk Services Platform

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

FactoryTalk RnaUtility.dll Vulnerability

Description

Publicly disclosed September 13, 2011 as RSLogix 5000 Denial of Service Vulnerability

Updated October 5, 2011

This advisory is a replacement and update to AID#: 456065

On September 13, 2011, Rockwell Automation was made aware of a potential vulnerability in RSLogix™ 5000 software that if successfully exploited, may result in a Denial of Service condition. Since the release of this information, we have been evaluating the specific vulnerability and associated risk.

We have confirmed the existence of this vulnerability in a particular software service employed by RSLogix 5000 and FactoryTalk®-branded Rockwell Automation software products.

Affected Products:

Product Description	Affected Versions
RSLogix 5000 software	Versions V17, V18 and V19
All FactoryTalk-branded software	CPR9 and CPR9-SR1 through SR4

Vulnerability Details and Impacts:

The particular vulnerability affects a software service in Rockwell Automation’s FactoryTalk Services Platform (FTSP). Although the installation of FTSP is optional, the specific service is also employed separately with a variety of Rockwell Automation software applications.

The Rockwell Automation Security Taskforce has determined that exploitation of this vulnerability can result in a potential Denial of Service (DoS) in RSLogix 5000 software. Specifically, it can result in RSLogix 5000 being unable to publish information to FactoryTalk Diagnostics and FactoryTalk AssetCentre. Additionally, exploitation can lead to a potential for a DoS and Denial of View (DoV) condition to other affected FactoryTalk-branded software. Such DoS and DoV conditions can prevent affected software from establishing communication or maintaining information exchange with servers and other control system devices.

There is no known possibility of malicious code injection and no known escalation of privilege on the target machine that results from successful exploitation of the vulnerability. Furthermore, there is no indication that exploitation will disrupt operation of a Rockwell Automation programmable controller or communications between RSLogix 5000 software and a Rockwell Automation programmable controller.

Vulnerability Mitigation:

A software patch for affected FactoryTalk Services Platform and RSLogix 5000 software has been released. Rockwell Automation recommends concerned customers apply this patch roll-up at their earliest convenience:

Recommended
Mitigation

Product Description

Current Version

Recommendations

FactoryTalk Services Platform (FTSP)

CPR9, CPR9-SR1, CPR9-SR2,
CPR9-SR3, CPR9-SR4

Apply patch roll-up:

AID#458689

http://rockwellautomation.custhelp.com/app/answers/detail/a_id/458689

RSLogix 5000

V17, V18, V19

NOTE: FactoryTalk Services Platform CPR7 and earlier and RSLogix 5000 V16 and earlier are not affected by this vulnerability.

Other Mitigation Techniques:

We recognize the concerns our customers have relating to this matter. We continue to recommend that concerned customers remain vigilant and follow good security practices and system design.

Rockwell Automation, in collaboration with NitroSecurity, has released a specific SNORT® signature suitable for many popular Intrusion Detection Systems (IDS). Use of this signature can help further reduce risk of successful remote exploitation of this vulnerability. This signature has been supplied to the QuickDraw SCADA IDS project, originally funded by US Department of Energy, for inclusion in the QuickDraw signature database. http://www.digitalbond.com/tools/quickdraw/

Rockwell Automation has evaluated Symantec Endpoint Protection (SEP) and validated a rule that blocks the known exploitation for SEP. We recommend that SEP definitions be kept up to date. For more information, refer to: http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=24527

In addition, the following security strategies are some techniques that will help reduce risk and enhance overall control system security:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.

3. Configure firewall ingress/egress rules to block the following TCP ports to prevent traversal of RNA messages into/out of the ICS system:

1330

1331

1332

4241

4242

4445

4446

5241

6543

9111

60093

49281

4. Evaluate firewall configurations to ensure other appropriate traffic is blocked.

5. Use antivirus/antimalware and endpoint security solutions and verify security definitions for are kept up to date.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

Critical

PN889 | PN889 | FT Historian SE OSIsoft PI Data Archive Vulnerabilities

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

Products:

FactoryTalk Historian SE

CVSS Scores:

10

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

FT Historian SE OSIsoft PI Data Archive Vulnerabilities

Description

October 1st, 2015 - Version 1.0

On August 13th 2015, the Rockwell Automation Security Taskforce became aware of an advisory published by ICS-CERT (ICSA-15-225-01), which stated that OSIsoft disclosed and resolved 56 security vulnerabilities in their PI Server 2015 release. In addition to PI Server 2015, OSIsoft has also released PI Server 2012 SP1, which includes a subset of the vulnerabilities fixed in the 2015 version. OSIsoft is strongly recommending that users upgrade to the PI Server 2015 release.

FactoryTalk Historian SE includes the OSI PI Server 2012 product, including the PI Data Archive component, in the standard product image. As part of this process, Rockwell Automation has investigated the reported vulnerabilities, and has concluded that FT Historian SE customers are likely vulnerable to these same set of vulnerabilities as the PI Server product. At the time of publication, no known public exploits exist at this time for these vulnerabilities.

Details relating to these vulnerabilities, the known affected platforms and recommended mitigations are contained herein.

AFFECTED PRODUCTS

FactoryTalk Historian SE (9518-HSEx), Versions 2.00.00, 2.10.00, 2.20.00, 3.01.00 and 4.00.00

Rockwell Automation is continuing to investigate these vulnerabilities and is actively determining future plans to address them, including incorporating the updated OSI PI Server into FactoryTalk Historian Server. This advisory will be updated when these plans are determined, as well as when updated software is available for customers to upgrade their systems. We recommend that customers apply the mitigations detailed below and subscribe to this article to receive the abovementioned notifications when updated.

VULNERABILITY DETAILS

According to both the ICS-CERT and OSIsoft disclosures, a portion of highest-severity vulnerabilities may allow a remote code injection by an attacker who sends a specially crafted sequence of packets to the PI Server contained in FT Historian SE.

To be successful, the attacker must have network connectivity to reach the server running FT Historian SE and be able to access port 5450 on that system. A successful exploit would allow an attacker to gain full privileges on the Windows system. With this level of access, an attacker could tamper with the system or product binaries, read and write arbitrary data, and/or tamper with user accounts on the system.

According to these disclosures, these vulnerabilities can also be used to create a Denial-of-Service (DoS) condition on the target server, rendering the FT Historian SE server unavailable to the automation system, and potentially cause either loss or corruption of the PI Server data.

RISK MITIGATIONS

Limit access to PI Server Port 5450, which reduces exposure to the highest-rated vulnerabilities.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.

ADDITIONAL LINKS

KCS Status

Released

Critical

PN893 | PN893 | MicroLogix 1100 and 1400 Controller Vulnerabilities

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

CVE IDs:

CVE-2015-6492, CVE-2015-6491, CVE-2015-6490, CVE-2015-6486, CVE-2015-6488

Products:

MicroLogix 1100 and 1400 controller

CVSS Scores:

7.5, 3.7, 9.8, 4.6, 4.7

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

MicroLogix 1100 and 1400 Controller Vulnerabilities

Description

Version 2.0 - December 8th 2015 (Original Release: October 27th 2015)

From June through October 2015, Rockwell Automation was notified of security vulnerabilities discovered in the Allen-Bradley MicroLogix 1100 and/or MicroLogix 1400 product families. One of these notifications was the security vulnerability (KB731427) previously disclosed during DEFCON 23 in August 2015.

As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has reproduced all of these vulnerabilities in both the MicroLogix 1100 and MicroLogix 1400 product families. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.

Details relating to these vulnerabilities, the known affected platforms and recommended countermeasures are contained herein.

AFFECTED PRODUCTS

1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, Version 15.003 and earlier.
1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 14.000 and earlier.

VULNERABILITY DETAILS

Vulnerability #1: Remote Code Execution through Stack-based Buffer Overflow

A Remote Code Execution ("RCE") condition may result when an affected product receives a specific malicious web request. An attacker could exploit this vulnerability to inject and execute arbitrary code on the product. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and/or compromise the product’s integrity and confidentiality. The impact to the user’s automation system would be highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ.

This vulnerability applies to both the MicroLogix 1100 and MicroLogix 1400 platforms. However, at this time a fix is only available for the MicroLogix 1100 product family. A future product update for the MicroLogix 1400 will be available in the November 2015 timeframe, and will include this vulnerability fix. Rockwell Automation will update this advisory at the time of the release.

03-DEC-2015 UPDATE: Version 15.004 is now available for the MicroLogix 1400 product. See below for more details.

CVE-2015-6490 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Vulnerability #2: Product Denial of Service

A Denial of Service ("DoS") condition may result on the MicroLogix 1100/1400 when an affected product receives a specific malicious web request, which would require user action to power cycle the product and restore it to a working state. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability. The impact to the user’s automation system would be highly dependent on the mitigations that the user may already employ.

CVE-2015-6492 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability #3: Remote File Inclusion

A Remote File Inclusion condition may result on the MicroLogix 1100/1400 when an attacker crafts a malicious link, using the built-in feature to "redirect" outside web content into the product’s web page frame. This outside web content could contain malicious content that would target the unsuspecting user’s web browser when the content is rendered. The impact to the user’s automation system would be highly dependent on both the type of web exploits included in this attack and the mitigations that the user may already employ.

A successful attack would not compromise the integrity of the device or allow access to confidential information contained on it. On rare occasions the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.

This vulnerability was first disclosed in publication KB731427 and ICS-ALERT-15-225-02A in August 2015.

CVE-2015-6491 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Vulnerability #4: Stored Cross-site Scripting ("XSS")

Ilya Karpov of Positive Technologies identified a XSS vulnerability in both the MicroLogix 1100/1400. This vulnerability may allow an attacker to execute requests inject and store Javascript in the product’s web server, which would be executed on the user’s web browser when accessing the embedded web server function. The stored Javascript may be used to unknowingly execute web requests in the context of the user who is viewing the page. A factory reset is required to remove the stored Javascript.

CVE-2015-6488 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)

Vulnerability #5: Privilege Escalation through Structured Query Language ("SQL") Injection

Ilya Karpov of Positive Technologies has identified a Privilege Escalation vulnerability in the MicroLogix 1100/1400. Privilege Escalation may result when an attacker tricks an authorized user (through social engineering/phishing) to click on a specific and malicious link, which allows the attacker to create or escalate the privileges of an existing user to the administrative level. An authorized administrator is required to undo the changes made after the attack.

CVE-2015-6486 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:L)

For additional information on CVSS v3 metrics, vectors, and scores, please see the First’s Common Vulnerability Scoring System Version 3.0.

RISK MITIGATIONS
Rockwell Automation recommends that asset owners evaluate the impact with each of these vulnerabilities within their environment, and apply the following suggested mitigations which are applicable.

Update supported products based on this table:

Product Family	Catalog Numbers	Hardware Series	Vulnerabilities Fixed	Suggested Actions
MicroLogix 1100	1763-L16AWA 1763-L16BBB 1763-L16BWA 1763-L16DWD	Series B	1, 2, 3, 4, and 5	- Apply FRN 15.000 (Downloads) - Apply the additional mitigations described below
MicroLogix 1100	1763-L16AWA 1763-L16BBB 1763-L16BWA 1763-L16DWD	Series A	None	- Apply the mitigations described below
MicroLogix 1400	1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA	Series B	1, 2, 3, 4, and 5.	- Apply FRN 15.004(Downloads) - Apply the additional mitigations described below
MicroLogix 1400	1766-L32AWA 1766-L32AWAA 1766-LK32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA	Series A	None	- Apply the mitigations described below

Disable the web server on the MicroLogix 1100 and 1400, as it is enabled by default. See KB732398 for detailed instructions on disabling the web server for each controller platform.
Set the keyswitch to RUN to prohibit re-enabling of the web server via RSLogix 500.
Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.

LINKS

Security Advisory Index, Knowledgebase article KB54102
KB732398 Disable Web Server on MicroLogix
ICS-CERT Advisory ICSA-15-300-03A Rockwell Automation Micrologix 1100 and 1400 PLC Systems Vulnerabilities (Update A)

KCS Status

Released

PN900 | PN900 | Rockwell Automation recommended mitigations for Zero day vulnerability (W32.Stuxnet) to Microsoft® Windows™

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

CVE IDs:

CVE-2010-2568

Products:

RSLinx Classic (Single Node

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Rockwell Automation recommended mitigations for Zero day vulnerability (W32.Stuxnet) to Microsoft® Windows™

Description

Rockwell Automation recommended mitigations for Zero day vulnerability (W32.Stuxnet) to Microsoft® Windows™

Released: 21 July 2010 Updated: 10 August 2010

Multiple credible sources disclosed that in the days and months prior to 14 July 2010 a series of cyber events occurred that took advantage of a previously unknown Windows™ vulnerability and delivered a specially crafted payload of malware that targeted industrial control systems, SCADA/critical infrastructure processes specifically. Technical details and a patch for the Windows vulnerability used during these events have been released by Microsoft in the recently updated Microsoft Security Advisory (2286198) v2.0 dated 2 August 2010. The specific malware, commonly known as W32.Stuxnet, has been analyzed by numerous antivirus vendors and is a known threat Windows®-based systems.

Rockwell Automation recommends that all industrial control system users, regardless of the make or brand of components employed within the system, take necessary steps to safeguard against potential future attacks of this type by implementing good cyber security measures as outlined below.

Background

A Windows™ operating system vulnerability known as the Shortcut Icon Loading Vulnerability (CVE-2010-2568) was confirmed as a means to allow malware commonly known as W32.Stuxnet to load and execute on PCs. The malware has also been confirmed to specifically target Siemens WinCC and PCS-7 SCADA software products. These products are typically used to control critical infrastructure processes that include power generation, power distribution, water/wastewater and other similar applications.

Rockwell Automation continues to closely monitor every aspect of this situation for new information and developments in order to provide our customers with timely and appropriate advice on this matter. Furthermore, we are continuing to work closely with appropriate authorities to review our proactive plans.

Given that industrial applications are known to heavily rely on mission-critical products built on the Windows operating system, Rockwell Automation is issuing guidance for all industrial control system customers. The following measures are intended as additions to a company’s own security policies and can help to reduce associated risk and enhance control system security.

Vulnerability Description

The Shortcut Icon Loading Vulnerability currently uses USB drives as a means of transport to infect a PC, and does not rely on user interaction or the optional AutoPlay feature employed by the Windows operating system for devices that connect to USB ports.

The Microsoft Security Bulletin MS10-046 v1.1, dated 2 August 2010 details the threat and risk as follows:

What causes the vulnerability?

When attempting to load the icon of a shortcut, the Windows Shell does not correctly validate specific parameters of the shortcut.

What might an attacker use the vulnerability to do?

An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

How could an attacker exploit the vulnerability?

An attacker could present a removable drive to the user with a malicious shortcut file, and an associated malicious binary. When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker’s choice on the target system.

An attacker could also setup a malicious Web site or a remote network share and place the malicious components on this remote location. When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows attempts to load the icon of the shortcut file, invoking the malicious binary. In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control (such as but not limited to Microsoft Office documents).

IMMEDIATE RECOMMENDATIONS

Rockwell Automation has compiled the following immediate recommendations that include advice from Microsoft, Department of Homeland Security (DHS)/ICS-CERT plus added specific Rockwell Automation recommendations that can help mitigate the threat and simultaneously enhance the security of control systems:

MICROSOFT recommends immediate application of a Windows software patch as referenced in Microsoft Security Advisory (2286198) and further detailed in Microsoft Security Bulletin MS10-046 v1.1, dated 2 August 2010.

NOTE: Rockwell Automation’s Patch Qualification team has completed an initial and partial qualification of the Microsoft Patch 2286198. See Rockwell Automation’s Immediate Recommendations below for additional information.

DHS/ICS-CERT recommends concerned users immediately implement the following measures:

Mitigations

Establish strict policies for the use of USB thumb drives on all enterprise and control system networks.
Caution users of this attack vector and remind them that unknown USB’s should never be plugged into a business or personal computer.

Specific to this Shortcut Icon Loading Vulnerability and the specific W32.Stuxnet virus, malware samples were provided to the antivirus vendor community. Most major antivirus suppliers have already released updated virus definitions to contain and remove the malware.

ICS-CERT recommends consulting antivirus vendors and to consider scanning systems with current antivirus software.

NOTE: Rockwell Automation software is proactively tested for compatibility with Symantec’s Norton Antivirus software.

DHS/ICS-CERT reminds users to exercise caution when using USB drives. For more information on best practices and removable media, see the ICS-CERT Control Systems Analysis Report "USB Drives Commonly Used As An Attack Vector Against Critical Infrastructure."

www.us-cert.gov/control_systems/pdf/ICS-CERT%20CSAR-USB%20USAGE.pdf

Additional DHS/US-CERT Security Tips for use of caution with USB drives can be found here:

www.us-cert.gov/cas/tips/ST08-001.html

ROCKWELL AUTOMATION recommends concerned customers take the following additional precautions to enhance protection to industrial control systems:

Mitigations

Apply the Microsoft Windows software patch as referenced in Microsoft Security Advisory (2286198) and further detailed in Microsoft Security Bulletin MS10-046.

NOTE: The Rockwell Automation Patch Qualification Team Partially Qualified KB2286198 on 9 August 2010, with Full Qualification on 19 August 2010.

Go to RAid:35530 for more specific information regarding the qualification of this patch.
Restrict control system access to only those authorized to work with these systems.
Make sure that all control system PCs are running end-point protection software (e.g. Antivirus, Anti-malware) and that all signatures are up to date.
Make sure that all control system PCs follow a regimented, timely patch management process. Before applying any patch, Rockwell Automation’s recommends customers confirm that the patch has been qualified by the Rockwell Automation Patch Qualification service (www.rockwellautomation.com/security).
Where practical, disable all unused USB ports on control system PCs.
Consider alternatives to USB drives (e.g. network file transfer) for transferring data files to the control system
Discontinue use of any USB drive or similar device if the validity, authenticity, and security of the hardware should come in question.
Purchase USB drives from trusted sources.
Only use USB drives manufactured by a trusted vendor
Format USB drives on a non-mission critical computer that is running up to date end-point protection software (e.g. Antivirus, Anti-malware) prior to connecting the USB drive to any critical industrial control system equipment.
Maintain physical security for USB drives, dongles and keys to ensure only authorized users have access and usage rights.
Should a failure in physical security policy regarding USB drives be identified, perform step 9 (format USB drive on non-mission critical computer) prior to subsequent connecting to any control system equipment. Seek instructions from supplier of USB dongles and keys prior to any further use on control system equipment.

NOTE: Similar caution with optical media should be employed as with USB drives. Software delivered on CD+/-R, DVD+/-R etc. non-production optical media (e.g. user-generated, "burned" not "pressed" media) is presumed higher risk than production-grade media.

As more information becomes known, Rockwell Automation expects these recommendations will be refined to help further protect control systems from the resulting risk.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security through the use of layered security and defense in depth practices when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at www.rockwellautomation.com/security.

KCS Status

Released

PN907 | PN907 | SCADAPass Default Passwords

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

Products:

2711P PanelView Plus 6 Logic Modules, POINT I/O Communication Interfaces, 2711P PanelView Plus 6 400-1500

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

SCADAPass Default Passwords

Description

Version 1.0 – January 11th 2016

In January 2016, SCADA Strange Love, an independent group of information security researchers, included several Rockwell Automation products in a project they published called SCADAPass.

SCADAPass contains a list of default passwords in popular industrial control systems ("ICS") and supervisory control and data acquisition ("SCADA") products, including programmable logic controllers ("PLCs") and human-machine interfaces ("HMIs"). Default credentials may be used by an attacker to gain privileged access to remotely accessible assets if a user does not take explicit action to change the default user credentials.

As part of this process, Rockwell Automation evaluated the included products in SCADAPass, and determined that all of the products’ default passwords are changeable by the user. Directions on how to change these passwords are found in the respective product manuals, which can be found in the table below.

INCLUDED PRODUCTS

1756-EN2TSC
1756-EWEB
1734-AENT
MicroLogix 1400
MicroLogix 1100
PanelView Plus 6

RISK MITIGATIONS

Rockwell Automation strongly recommends that asset owners evaluate the passwords used in their production assets, and apply the following suggested mitigations which are applicable:

Product	Product Manual
1756-EN2TSC	http://literature.rockwellautomation.com/idc/groups/literature/documents/um/enet-um003_-en-p.pdf
1756-EWEB	http://literature.rockwellautomation.com/idc/groups/literature/documents/um/enet-um527_-en-p.pdf
1734-AENT	http://literature.rockwellautomation.com/idc/groups/literature/documents/um/1734-um011_-en-p.pdf
MicroLogix 1100	http://literature.rockwellautomation.com/idc/groups/literature/documents/um/1763-um002_-en-p.pdf
MicroLogix 1400	http://literature.rockwellautomation.com/idc/groups/literature/documents/um/1766-um002_-en-p.pdf
PanelView Plus 6	http://www.manualsdir.com/manuals/580848/rockwell-automation-2711p-xxxx-panelview-plus-6-terminals-user-manual.html?page=54

Establish and enforce password policies for maximum age of passwords, minimum password length, minimum password complexity, and password re-use.
Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.

LINKS

Security Advisory Index, Knowledgebase article KB:54102

KCS Status

Released

Critical

PN910 | PN910 | MicroLogix 1100 Web Server Buffer Overflow

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

CVE IDs:

CVE-2016-0868

Products:

MicroLogix 1100 Web Server Buffer Overflow

CVSS Scores:

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

MicroLogix 1100 Web Server Buffer Overflow

Description

Version 1.0 – January 26th 2016

In December 2015, Rockwell Automation was notified by ICS-CERT of a Buffer Overflow security vulnerability discovered in the web server of the Allen-Bradley MicroLogix 1100 controller platform. At this time, there is no known publicly available exploit code relating to the vulnerability. Rockwell Automation has verified this discovery and released revised product firmware to address associated risk. ICS-CERT published an advisory (ICSA-16-026-02) to cover this vulnerability.

Refer to the following for additional details relating to the vulnerability, affected product and recommended countermeasures.

AFFECTED PRODUCTS

1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 15.000 and earlier.

VULNERABILITY DETAILS

Remote Code Execution through Stack-based Buffer Overflow

A Remote Code Execution ("RCE") condition may result when an affected product receives a specific malicious web request. An attacker could exploit this vulnerability to inject and execute arbitrary code on the product. Receipt of such a request from an unintended or unauthorized source has the potential to cause loss of product availability and/or compromise the product’s integrity and confidentiality. The impact to the user’s automation system would be highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ.

CVE-2016-0868 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

RISK MITIGATIONS

Rockwell Automation recommends that asset owners evaluate the impact with each of these vulnerabilities within their environment, and apply the following suggested mitigations which are applicable.

Update supported products based on this table:

Product Family

Catalog Numbers

Hardware Series

Suggested Actions

MicroLogix 1100

1763-L16AWA
1763-L16BBB
1763-L16BWA
1763-L16DWD

Series B

- Apply FRN 15.002
(Downloads)

- Apply the additional
mitigations described below

1763-L16AWA
1763-L16BBB
1763-L16BWA
1763-L16DWD

Series A

- Apply the additional
mitigations described below

Disable the web server on the MicroLogix 1100, as it is enabled by default. See KB 732398 for detailed instructions on disabling the web server for each controller platform.
Set the keyswitch to RUN to prohibit re-enabling of the web server via RSLogix 500.
Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.

LINKS

Security Advisory Index, Knowledgebase article KB:54102
KB732398 Disable Web Server on MicroLogix

KCS Status

Released

Medium

PN915 | PN915 | Integrated Architecture Builder (IAB) Access Violation

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

CVE IDs:

CVE-2016-2277

Products:

Integrated Architecture Builder (IAB)

CVSS Scores:

6.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Integrated Architecture Builder (IAB) Access Violation

Description

Version 1.0 – February 24th 2016

A vulnerability has been discovered by Ivan Javier Sanchez of Nullcode Team in the Integrated Architecture Builder (IAB) tool. This tool is used by our customers to configure their Logix-based automation systems, select hardware, and generate bills of material for applications including controllers, I/O, networks, drives, cabling & wiring, motion control, and other devices.

The discovered vulnerability is not remotely exploitable and successful social engineering is required to convince a victim to use the tool to open an untrusted, specifically modified project file on a target computer. A successful attack may potentially allow malicious code to execute on the target computer at the same privilege level as the IAB tool. The impact to the user’s environment is highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ. At this time there is no known publicly available exploit code.

Rockwell Automation has verified the validity of Mr. Sanchez’s discoveries and a new software release has been issued for Integrated Architecture Builder which addresses the associated risk. Customers using affected versions of this software are encouraged to upgrade to this newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

Integrated Architecture Builder, Versions 9.6.0.7 and earlier
Integrated Architecture Builder, Versions 9.7.0.0 and 9.7.0.1

VULNERABILITY DETAILS

IAB has a capability to open an existing project file containing a control system hardware definition so that the user can create a validated bill of material. The discovered vulnerability is within the IAB.exe code that parses this project file content. In certain cases where a uniquely crafted or altered file is used, the IAB.exe parser code execution can allow the execution of unknown code on the affected computer. If successful, such unknown code will be running at the same privilege level as the user who is logged into the machine.

Exploitation of this vulnerability requires an attacker to convince a user to introduce or replace project files with specifically created or modified project files that have been constructed to use this condition to successfully execute malicious code.

Potential impacts from a successful attack could include a software crash (e.g. Denial of Service) thereby requiring a software restart. In more extreme cases, the victim may not even be aware of vulnerability exploitation while an attacker has established a position on the client asset. A successful attack that includes malicious code injection may potentially grant the attacker the same, or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.

CVE-2016-2277 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

CUSTOMER RISK MITIGATIONS AND REMEDIATION

Customers using affected versions of the Integrated Architecture Builder are encouraged to upgrade to the newest available software versions that address associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.

Do not open untrusted project files with IAB.exe.
Upgrade Integrated Architecture Builder V9.6.0.7 and earlier to either V9.7.0.2+ or V9.6.0.8+ (available now) using Current Program Updater. Current Program Updater is a program that is installed on your computer when you install Integrated Architecture Builder. The User Guide to Current Program Updater is built into the application should you need additional information.Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet
Locate control system networks and devices behind firewalls, and isolate them from the business network.
Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

PN928 | PN928 | PowerFlex 7000 Writeable Parameters

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

Products:

PowerFlex 7000 Writeable Parameters

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

PowerFlex 7000 Writeable Parameters

Description

PowerFlex 7000 Writeable Parameters

Version 1.0 - June 6th, 2016

This advisory is intended to raise awareness to control system owners and operators of PowerFlex 7000 medium voltage drives. A January 2016 presentation at the S4 ICS Security Conference highlighted a potential weakness in Variable Frequency Drives that allows unauthorized users to change configuration parameters in these devices. The presentation highlighted products from four vendors including Rockwell Automation. This presentation spawned several news articles, including one entitled "An Easy Way for Hackers to Remotely Burn Industrial Motors" from WIRED Magazine. This article reminds us that cybersecurity threats are present and not always easy to anticipate. Unfortunately, neither the article’s author, Kim Zetter, nor her source, Reid Wightman, have contacted Rockwell Automation at the time of writing with any specific information -- so we can only try to guess how their statements apply to our drives.

This article implies that all the drives they reference can be easily accessed and provide an easy means to change parameters, that could result in motor damage. It overlooks many self-monitoring features that are built into modern drives to prevent changes to parameters while the drive is running, detecting improper operation and monitoring external sensors for equipment, such as motors that are exceeding design parameters.

Variable frequency drives, by their nature, are designed to support a wide variety of applications and it is possible that the improper setting of a parameter or parameters can create application issues. Rockwell Automation is aware of this and constantly looks for ways to eliminate these situations or, where the possibility is created by a customer need, alert the user to the problem with a fault or error message before it causes potential damage.

RISK MITIGATIONS

Below are recommended mitigations and resources to help protect your deployed Rockwell Automation products, including variable frequency drives. We strongly recommend that you evaluate your current products and environment, and apply the following mitigations where applicable.

Review and employ the recommendations in the Converged Plantwide Ethernet Design and Installation Guide (DIG). It contains important information relating to proper network design practices, including aspects of security capabilities available through the network infrastructure.
Consider using Rockwell Automation’s FactoryTalk AssetCentre. Version 6.0 offers compatibility with drives. AssetCentre can be configured to automatically backup your configuration, and compare it to a known good version, and log any changes into FactoryTalk Audit.
Use trusted software, software patches, and anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
Employ training and awareness programs to educate users of the warning signs of a phishing or social engineering attack.
Minimize network exposure for all control system devices and/or systems, and ensure that Internet access is carefully evaluated, protected, and controlled.
Locate control system networks and devices behind firewalls, and use proper techniques to isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Subscribe to Rockwell Automation’s Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to the most up-to-date information about security matters that affect Rockwell Automation products.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

High

PN937 | PN937 | MicroLogix™ 1400 SNMP Credentials

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

CVE IDs:

CVE-2016-5645

Products:

MicroLogix 1400 SNMP Credentials

CVSS Scores:

7.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Description

Version 1.0 - AUG-11-2016

In June 2016, Patrick DeSantis of Cisco Talos, Cisco Systems, Inc.’s ("Cisco") security intelligence and research group, reported to Rockwell Automation that an undocumented and privileged Simple Network Management Protocol ("SNMP") community string exists in the MicroLogix™ 1400 Programmable Logic Controller ("PLC") product. Knowledge of the undocumented community string may allow an attacker to make unauthorized changes to the product’s configuration, including firmware updates.

Rockwell Automation has evaluated the report and confirmed the existence of the undocumented community string in the MicroLogix 1400. We have further investigated and discovered that one of the SNMP community strings is hardcoded and cannot be changed by the user. Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply them to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are also provided below.

AFFECTED PRODUCTS

1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, all versions.

VULNERABILITY DETAILS

SNMP is a standard protocol employed by many types of internet protocol ("IP") based products and allows centralized and remote device management capabilities. One of the many standard SNMP capabilities enables users to manage the product’s firmware, including the capability of applying firmware updates to the product. The MicroLogix 1400 utilizes this standard SNMP capability as its official mechanism for applying firmware updates to the product..

By default, the MicroLogix 1400 enables SNMP and has these community strings in the product:

"public": allows read-only access.
"private": allows read-write access; is hardcoded; and is used by ControlFlash for firmware updates.
"wheel": allows read-write access and was previously undocumented for this product

Due to the nature of this product’s firmware update process, this capability cannot be removed from the product. Instead, mitigations are offered to reduce risk of this capability being used by a malicious actor..

CVE-2016-5645 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS v3 vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

CUSTOMER RISK MITIGATIONS AND REMEDIATION

Customers using affected versions of the MicroLogix 1400 are strongly encouraged to evaluate and deploy the risk mitigation strategies listed below. When possible, multiple strategies should be employed simultaneously.

Utilize the product’s "RUN" key switch setting to prevent unauthorized and undesired firmware update operations and other disruptive configuration changes.
Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. See 496391 - Blocking SNMP for more information on blocking access to SNMP services.
Disable the SNMP service on this product. The SNMP service is enabled by default. See Page 128 in the MicroLogix 1400 Programmable Controllers User Manual Publication 1766-UM001 for detailed instructions on enabling and disabling SNMP.
- Note: It will be necessary to re-enable SNMP to update firmware on this product. After the upgrade is complete, disable the SNMP service once again.
- Note: Changing the SNMP community strings is not an effective mitigation.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation Security Advisory Index at 54102 - Industrial Security Advisory Index and the company public security web page at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website at http://www.rockwellautomation.com/solutions/security.

ADDITIONAL LINKS

KCS Status

Released

High

PN978 | PN978 | PanelView Plus 6 700-1500 (7-15 displays) with Open Test Port

Published Date:

February 11, 2020

Last Updated:

February 11, 2020

Products:

2711P PanelView Plus 6 Logic Modules, 2711P PanelView Plus 6 400-1500

CVSS Scores:

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

PanelView Plus 6 700-1500 (7"-15" displays) with Open Test Port

Description

Version 1.0 - MAY 19, 2017

A vulnerability has been identified in select PanelView™ Plus 6 700-1500 (7" - 15" displays) graphic terminal products. The identified versions ship with an open test port that, if successfully exploited via Telnet, can allow a remote attacker to connect to a host device and cause changes as if the device were in a testing environment.

PanelView Plus 6 700-1500 (7" - 15" displays) graphic terminal products allow customers to monitor, control, and display the status of their application graphically within their system. These products are used across several industries, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the relevant mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

Any graphic terminals that are using OS 2.31 or greater are not affected by this vulnerability. The OS version can be found in the release notes for firmware.

Only firmware versions listed below are affected by this vulnerability. For information on how to identify the installed firmware version on your terminal, please see the following link: https://www.youtube.com/watch?v=nLPnBpMXqEs&t=9s

PanelView Plus 6 700-1500 (7" - 15" displays) Graphic Terminals and Logic Modules with the following firmware versions installed:
6.00.04
6.00.05
6.00.42
6.00-20140306
6.10.20121012
6.10-20140122
7.00-20121012
7.00-20130108
7.00-20130325
7.00-20130619
7.00-20140128
7.00-20140310
7.00-20140429
7.00-20140621
7.00-20140729
7.00-20141022
8.00-20140730
8.00-20141023

VULNERABILITY DETAILS
A remote, unauthenticated user could connect to a PanelView Plus 6 700-1500 (7" - 15" display) device by establishing a Telnet session with the panel. If a connection is made, the malicious user can get access to the test interface of the PanelView Plus 6 700-1500 (7" - 15" display) graphic terminal, allowing the attacker to potentially make disruptive changes and/or extract information from the device.

Rockwell Automation has evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected terminals are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed toward risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Type of Device

Product Family

Suggested Actions

Graphic Terminals and Logic Modules

PanelView Plus 6 700-1500 (7"-15")

-V7.00: Apply V7.00-20150209
-V8.00: Apply V8.00-20160418
-V8.10: Apply V8.10-20151026 or later
-V8.20: Apply V8.20-20160308 or later
-V9.00: Apply V9.00-20170328 or later
(Downloads)

-Alternatively, disable TestMon on your device. For more information, visit KnowledgeBase Article 1046760

GENERAL SECURITY GUIDELINES

1. Block all traffic to EtherNet/IP™ devices or other CIP protocol-based devices from outside the manufacturing zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management (UTM) devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.

2. Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.

3. Locate control system networks and devices behind firewalls, and isolate them from the rest of the business network.

4. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices where they are used.

5. When downloading updates, make sure the site or source of the update can be trusted.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: mailto:Secure@ra.rockwell.com.

ADDITIONAL LINKS

54102 - Industrial Security Advisory Index

Industrial Firewalls within a CPwE Architecture

Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

KCS Status

Released

Critical

PN1059 | PN1059 | Vulnerabilities Discovered in PowerMonitor 1000 Monitor

Published Date:

August 26, 2019

Last Updated:

August 26, 2019

CVE IDs:

CVE-2018-19615, CVE-2018-19616

Products:

1408 PowerMonitor 1000

CVSS Scores:

9.1, 7.4

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Vulnerabilities Discovered in PowerMonitor 1000 Monitor

Description

Version 1.2 – August 26, 2019
Version 1.1 – February 28, 2019
Version 1.0 – February 13, 2019

Rockwell Automation® Product Security Incident Response Team ("RA PSIRT") was made aware of two vulnerabilities logged in the National Vulnerability Database ("NVD") regarding the Allen-Bradley PowerMonitor™ 1000 monitors. The public disclosure includes details which can allow for potential reproduction and exploitation of these vulnerabilities.

PowerMonitor products are energy metering devices that integrate with existing energy monitoring systems to provide load profiling, cost allocation, and/or energy control information for customers’ systems.

UPDATE v1.2 - Rockwell Automation has released a remediation that addresses both vulnerabilities. Please see the Risk Mitigations and Recommended User Actions section for additional details.

Customers using this product are encouraged to evaluate their risk and apply the appropriate mitigations provided below to their deployed products. Additional security guidelines are provided in the Risk Mitigations and Recommended User Actions sections below.

AFFECTED PRODUCTS

PowerMonitor 1000 Monitors, All Versions prior to v4.019.

VULNERABILITY DETAILS

Vulnerability #1: Cross-Site Scripting

A vulnerability in the web application of the affected device could allow a remote, unauthenticated threat actor to inject arbitrary code into a targeted user’s web browser. The impact to the user is highly dependent on both the content of the exploit developed by the threat actor as well as the mitigations that the user may already employ in their system. The target of this type of attack is not the device itself; instead, it is used as a vehicle to deliver an attack to the web browser.

CVE-2018-19615 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.4/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H.

Vulnerability #2: Authentication Bypass

A vulnerability in the web application of the affected device could allow a remote, unauthenticated threat actor to use a proxy to enable certain functionality that is typically available to those with administrative rights for the web application. Upon successful exploitation, a threat actor could potentially disrupt user settings and device configuration.

CVE-2018-19616 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 9.1/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers are encouraged to assess their level of risk with respect to their specific applications and implement appropriate mitigations as needed. RA PSIRT is monitoring the situation and will provide specific remediation information when available.

Customers are directed to the general risk mitigation strategies provided below, and are encouraged when possible, to employ multiple strategies simultaneously.

Vulnerability	Catalog Numbers	Suggested Actions
#1: Cross Site Scripting	1408-BC3A-ENT 1408-EM3A-ENT 1408-TS3A-ENT	Apply FRN 4.019 or later (Download) CheckPoint Software Technologies has released intrusion prevention system ("IPS") rules that detect attempts to exploit this vulnerability. For details about these IPS rules, please see CheckPoint Advisory CPAI-201-0001. Users can disable the File Transfer Protocol ("FTP") port using the LCD Configuration Menu or in the Configuration Options >> Security Policy Configuration menu screen on the web page. Users can disable access to the Web Page using the LCD screen Configuration Menu or in the Configuration Options >> Security Policy Configuration menu screen on the web page See general mitigations below
#2: Authentication Bypass	1408-BC3A-ENT 1408-EM3A-ENT 1408-TS3A-ENT	Apply FRN 4.019 or later (Download) Users can disable the File Transfer Protocol ("FTP") port using the LCD Configuration Menu or in the Configuration Options >> Security Policy Configuration menu screen on the web page. Users can disable access to the Web Page using the LCD screen Configuration Menu or in the Configuration Options >> Security Policy Configuration menu screen on the web page. See general mitigations below.

GENERAL SECURITY GUIDELINES

Utilize proper network infrastructure controls, such as firewalls, to help ensure access for unauthorized sources are blocked.
Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
When remote access is required, use secure methods, such as virtual private networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
26-August-2019	1.2	Firmware Revision 4.019 released, addresses vulnerabilities
28-February-2019	1.1	Updated with ICS-CERT links, corrected typos, added security mitigations
13-February-2019	1.0	Initial Release

Attachments

File

KB1084790_v1.2.pdf

KCS Status

Released

High

PN1081 | PN1081 | Ability to gain root-user level access to PanelView 5510 Graphic Terminals

Published Date:

August 02, 2019

Last Updated:

August 02, 2019

CVE IDs:

CVE-2019-10970

Products:

PanelView 5510

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Ability to gain root-user level access to PanelView 5510 Graphic Terminals

Description

Version 1.1 - August 2, 2019

Version 1.0 - July 9, 2019

Several customers contacted Remote Support about an issue with their PanelView™ 5510 graphic terminals that, upon further investigation, could expose a potential vulnerability in the terminal. If successfully exploited, this vulnerability may allow a threat actor to gain access to the file system on the terminal.

PanelView 5510 terminals are operator interface devices that monitor and control devices that are attached to certain Rockwell Automation® Programmable Automation Controllers via EtherNet/IP™. These products are used across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.

Customers using affected versions of this firmware in their product are encouraged to evaluate and apply the appropriate mitigations from those listed below. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

PanelView 5510 Graphic Terminals

All Versions manufactured before 2019/03/13 which have never been updated to V4.003, V5.002, or later.

VULNERABILITY DETAILS

A race condition exists in the boot process of the PanelView 5510 Graphic Display which in rare occasions results in a state that allows root-level access to the device’s file system. If VNC is enabled on the device, then a remote authenticated threat actor could leverage the vulnerability to gain root- level access to the device.

CVE-2019-10970 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using PanelView 5510 with manufacturing dates prior to 2019/03/13 are encouraged to update to an available revision that addresses the associated risk. Customers who are unable to update should disable the VNC server on the device. In addition, if possible, customers should remove peripherals such as keyboards and limit arbitrarily power cycling of the product. Additionally, customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines.

Product Family	Actions	Notes
PanelView 5510 using v4	Apply v4.003 or later	Download
PanelView 5510 using v5	Apply v5.002 or later	Download

GENERAL SECURITY GUIDELINES

Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation products, see Knowledgebase Article ID 898270.
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
09-July-2019	1.0	Initial Release
02-August-2019	1.1	Clarified Vulnerability Details and Risk Mitigation details

Attachments

File

KB 1088080_v1.1.pdf

KCS Status

Released

Critical

PN1072 | PN1072 | Notice Regarding BlueKeep: Windows Security Vulnerability (CVE-2019-0708)

Published Date:

May 20, 2019

Last Updated:

May 20, 2019

CVE IDs:

CVE-2019-0708

Products:

Third Party, Compliance / Audit Trail / Security, RSBizWare Machine Performance, PLC5/250, ControlPak General, RSWire, ProcessPak, Historian Classic, Security Server, Integration Manager, 6200-PLC3, RSLogix Frameworks, SOS, RSLogix 500, AI-5, dsShopLib, Arena, Foundation Server, Shop Operations, RSLibrary Builder, RSBizWare Coordinator, Reporting (form based), AI-Micro, RSView32 WebServer, AI-3, E-Plan, Database, FactoryTalk ViewPoint, RSData OCX, SPC, Admin Tools, RSView32 SPC, FactoryTalk VantagePoint, App Solutions Documentation, Business Objects, Migration, Master Disk Copy Protection, Studio 5000 View Designer, RSGuardian, RSBizWare Tracker, Raise Software, RSToolPak II, FactoryTalk View SE, Reporting, Interface Manager, DataDisc, MaterialTrack, RSLogix 5, Operator Certification, Live Transfer, ThinManager, ControlView, Advisor, Printing, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, LiveData, Agile, Installation, RSLogix Emulate 500, RSPower, Entek, Knowledge Documentation, RSLogix Emulate 5, PBase, Build Utility, FactoryTalk Services Platform, Shop Operation, Foundation Client, AI-5/250, AI-500, NCR/CAR/IQA, WINtelligent Recipe, RSView32, 6200-PLC5, FactoryTalk Activation, Purge, FactoryTalk Historian SE, RSEnterprise Controls, WINtelligent Logic 5, WSIntegrate, PID Logistics 500, SoftLogix5800, RSMACC, FactoryTalk VantagePoint EMI, RSPowerTools, RSView32 Messenger, FactoryTalk Linx Gateway, Supplier Manager, RSView32 Active Display, Maintenance Releases, 100/150 PCD, Connected Components Workbench, Logix Emulate, ComplianceTrack, RSBizWare Scheduler, RSTools, Portlets, PID Logistics 5, WINtelligent Quality, AI-2, GEMS, Documentation, PLC2A and T3, General Computer, ERP Integration Gateway, ETL, Historical Transfer, ECO, Activities, RSTestStand, RSWorkbench, RS PMX CTM, RSBizWare Line Performance, Production Management Client, RSLadder, Data, RMA, DataSite Workbench, Logix Designer, Thin Client, FactoryTalk Integrator, FactoryTalk Network Manager, AI Emulate 500, RSPower32, AI Emulate 5, Administration, Production Execution Client, 1757 ProcessLogix, WINtelligent View, Installation, JD Edwards, Dashboard, Integrated Architecture Builder (IAB), WINtelligent HMI, PMX, 6200-5/250, eProcedure, RSView - 16 Bit, RSChart, ActiveX Control, FactoryTalk Metrics, TrendX, Universe Manager, FactoryTalk AssetCentre, RSTrend, Knowledge Installation, Sampling Plans, General, RSSidewinderX, Configuration Tool, FactoryTalk Transaction Manager, Consumer Packaged Goods Suite, Studio 5000 Application Code Manager (ACM), API, AI-100/150, PCO Software (6723), Reports (Out-of-box), FactoryTalk Batch, PlantMetrics, FactoryTalk EnergyMetrix, FactoryTalk View ME, SoftLogix5, FactoryTalk Analytics for Machines, Process Designer, WINtelligent Trend, RSPocketLogix, Reports (Custom), Other, 6200-PLC2, Automotive Suite , RSMailman, Quality Assurance (6.x), ICAPA, RSLogix Architect / Studio 5000 Architect, Equipment Manager, GUI, FactoryTalk Analytics for Devices, CtrlContainer, Complaint Handling, RSToolPak I, Server Configuration, Pavilion, RSData VBX, Authentication

CVSS Scores:

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Notice Regarding BlueKeep: Windows Security Vulnerability (CVE-2019-0708)

Description

Version 1.0 – May 20, 2019

On May 14, 2019, Microsoft disclosed the existence of, and released the relevant patches for, a critical security vulnerability in relation to the Remote Desktop (RDP) functionality in Windows desktop and server operating systems. According to Microsoft’s disclosures, this vulnerability impacts older versions of Windows products up to Windows 7 and Windows Server 2008. Microsoft has also stated that it has not observed any evidence of attacks against this vulnerability, but that its presence poses a very serious threat that could expose users of the Remote Desktop functionality, including Rockwell Automation customers, to the potential of a rapidly spreading malware attack.

At this time, Rockwell Automation has not identified any products susceptible to this vulnerability. If any products are identified that could be potentially impacted, we will notify our customers with a post to KnowledgeBase, as appropriate.

Customers using affected versions of Windows operating systems are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations. Additional details relating to the Windows vulnerability, including affected products and recommended countermeasures, are provided herein.

VULNERABILITY DETAILS AND AFFECTED PRODUCTS

Customers should reference the Microsoft publication for details and list of affected products: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708.

RECOMMENDED USER ACTIONS

Customers should understand their potential exposure to this vulnerability by completing a thorough asset inventory and vulnerability management program.

Customers using the affected operating systems are encouraged to evaluate and apply the Microsoft-provided patches at the earliest possible time. Rockwell Automation provides preliminary qualification for supported Microsoft operating systems. Customers can find the status of Rockwell Automation’s test results at any time by referencing its Microsoft Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/qualifications.htm.

Customers who are unable to update should consider the alternative mitigations provided by Microsoft. Always refer to the Microsoft advisory for the most recent recommendations.

Disable the RDP service.
- Consider impact of blocking the RDP service on critical hosts and be prepared to execute this if the need arises.
Restrict RDP Traffic from untrusted networks (especially from external sources) if possible via a perimeter-based control such as firewall or IPS.
- Ports TCP/3389.
- Consider the impact of critical processes that require personnel to RDP into hosts before taking this action.
Establish and execute a proper backup and disaster recovery plan for their organization’s assets.

GENERAL SECURITY GUIDELINES

Utilize proper network infrastructure controls, such as firewalls, to help ensure that communications from unauthorized sources are blocked.
Use trusted software, software patches, antivirus/antimalware programs, and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to its Product Security Incident Response FAQ document.

Refer to the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to its systems in the future. For more information and for assistance with assessing the state of security of their existing control system, including improving their system-level security when using Rockwell Automation and other vendor controls products, customers can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
20-MAY-2019	1.0	Initial release
15-AUG-2019	1.1	Update to title

Attachments

File

KB 1087194_v1.1.pdf

KCS Status

Released - Edited

Critical

PN950 | PN950 | Logix5000 Programmable Automation Controller Denial of Service/Buffer Overflow Vulnerability

Published Date:

May 13, 2019

Last Updated:

May 13, 2019

CVE IDs:

CVE-2016-9343

Products:

SoftLogix5800, RSLogix Emulate 5000 / Studio 5000 Logix Emulate

CVSS Scores:

10.0

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Logix5000 Programmable Automation Controller Denial of Service/Buffer Overflow Vulnerability

Description

Version 1.5 - May 13, 2019

A vulnerability exists in the Logix5000™ Programmable Automation Controller product line that, if successfully exploited, can either cause a Denial of Service ("DoS") or potentially allow an attacker to alter the operating state of the controller through a buffer overflow. Logix5000 is a product line of Programmable Automation Controllers used to control processes across several sectors, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; as well as automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting evaluations to help achieve completeness in its risk assessment and mitigation processes.

As of this announcement and to the knowledge of Rockwell Automation, there is no publicly available exploit code relating to this vulnerability.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply those mitigations that they deem applicable to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

UPDATE: Aug 21, 2018
New remediated firmware versions for the PowerFlex 700S drives with Phase II control with the embedded DriveLogix 5730 controller option installed have been released. See below for details.

AFFECTED PRODUCTS

UPDATE: Feb 13, 2017
Further internal investigation discovered that the DriveLogix™ platform is also affected by this vulnerability. DriveLogix is an embedded, high-performance Logix engine as a part of a PowerFlex® 700S drive solution, specifically for the PowerFlex 700S Drives with Phase II Control. Affected versions of DriveLogix, as well as mitigations to deploy for affected customers, are provided as below.

The affected firmware versions are listed, followed by a list of the products that utilize the affected firmware.

Note: Firmware versions (for all products) prior to Firmware Revision Number ("FRN ") 16.00 are not affected by this vulnerability.

FRN 16.00
- 13-FEB-2017 Update: PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed (V16.020 through V16.022)
- ControlLogix® 5560 controllers (V16.020 thru V16.022)
- ControlLogix L55 controllers (V16.020 thru V16.022)
- ControlLogix 5560 Redundant controllers (All Versions)
- GuardLogix® 5560 controllers (All Versions)
- FlexLogix™ L34 controllers (All Versions)
- 1769 CompactLogix™ L23x controllers (All Versions)
- 1769 CompactLogix L3x controllers (V16.020 thru V16.023)
- 1768 CompactLogix L4x controllers (V16.020 thru V16.025)
FRN 17.00
- 13-FEB-2017 Update: PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed (v17.003 and v17.004)
- SoftLogix™ 5800 controllers (All Versions)
- ControlLogix 5560 controllers (All Versions)
- GuardLogix 5560 controllers (All Versions)
- 1769 CompactLogix L23x controllers (All Versions)
- 1769 CompactLogix L3x controllers (All Versions)
- 1768 CompactLogix L4x controllers (All Versions)
FRN 18.00
- SoftLogix 5800 controllers (All Versions)
- RSLogix™ Emulate 5000 (All Versions)
- ControlLogix 5560 controllers (All Versions)
- ControlLogix 5570 controllers (All Versions)
- GuardLogix 5560 controllers (All Versions)
- 1769 CompactLogix L23x controllers (All Versions)
- 1769 CompactLogix L3x controllers (All Versions)
- 1768 CompactLogix L4x controllers (All Versions)
- 1768 Compact GuardLogix L4xS (All Versions)
FRN 19.00
- SoftLogix 5800 controllers (All Versions)
- RSLogix Emulate 5000 (All Versions)
- ControlLogix 5560 controllers (All Versions)
- ControlLogix 5570 controllers (All Versions)
- ControlLogix 5560 Redundant controllers (All Versions)
- GuardLogix 5560 controllers (All Versions)
- 1769 CompactLogix L23x controllers (All Versions)
- 1769 CompactLogix L3x controllers (All Versions)
- 1768 CompactLogix L4x controllers (All Versions)
- 1768 Compact GuardLogix® L4xS controllers (All Versions)
FRN 20.00
- SoftLogix 5800 controllers (All Versions)
- RSLogix Emulate 5000 (All Versions)
- ControlLogix 5560 controllers (V20.010 thru V20.013)
- ControlLogix 5570 controllers (V20.010 thru V20.013)
- ControlLogix 5560 Redundant controllers (V20.050 thru V20.055)
- ControlLogix 5570 Redundant controllers (V20.050 thru V20.055)
- GuardLogix 5560 controllers (V20.010 thru V20.017)
- GuardLogix 5570 controllers (V20.010 thru V20.017)
- 1769 CompactLogix L23x controllers (V20.010 thru V20.013)
- 1769 CompactLogix L3x controllers (V20.010 thru V20.013)
- 1769 CompactLogix 5370 L1 controllers (V20.010 thru V20.013)
- 1769 CompactLogix 5370 L2 controllers (V20.010 thru V20.013)
- 1769 CompactLogix 5370 L3 controllers (V20.010 thru V20.013)
- 1768 CompactLogix L4x controllers (V20.011 thru V20.016)
- 1768 Compact GuardLogix L4xS controllers (V20.011 thru V20.013)
FRN 21.00
- SoftLogix 5800 controllers (All Versions)
- RSLogix Emulate 5000 (All Versions)
- ControlLogix 5570 controllers (All Versions)
- ControlLogix 5570 Redundant controllers (All Versions)
- GuardLogix 5570 controllers (All Versions)
- 1769 CompactLogix 5370 L1 controllers (All Versions)
- 1769 CompactLogix 5370 L2 controllers (All Versions)
- 1769 CompactLogix 5370 L3 controllers (All Versions)

The products above are affected in the corresponding versions of firmware. Check the Updates/Risk Mitigations section below to verify that all functional versions of firmware include the latest security updates for this vulnerability in the event one of the aforementioned products is being used with a version of firmware that is not listed herein.

VULNERABILITY DETAILS

This vulnerability may allow an attacker to intentionally send a specific malformed Common Industrial Protocol ("CIP") packet to the product and cause a Major Non-Recoverable Fault ("MNRF") resulting in a Denial of Service ("DoS") condition. This vulnerability also has the potential to exploit a buffer overflow condition, which may allow the attacker to alter the operating state of the controller. This vulnerability is remotely exploitable. The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system and other controls a user may have in place.

CVE-2016-9343 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/.

RISK MITIGATIONS

Customers using affected controllers are encouraged to upgrade to an available firmware version that addresses the associated risk.

Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below, are similarly recommended. Employ multiple strategies when possible.

Update supported products based on this table:

Type of Controller	Product Family	Catalog Numbers	Remediated Versions
Embedded Controller Option with PowerFlex 700S	DriveLogix 5730	Catalog numbers beginning with 20D with a "K" or "L" in the 17^th position For more information about these catalog numbers, see page 10 of the PowerFlex 700S Drives with Phase II Control Technical Data document	V16.23 V17.05
Soft Controller	SoftLogix 5800	1789-Lx	V23: FRN 23.00 or later
Software (used by ControlLogix)	RSLogix Emulate 5000	9310-Wx	V23: FRN 23.00 or later
Standard Controllers	ControlLogix L55	1756-L55x	V16: FRN 16.023 or later
Standard Controllers	ControlLogix 5560	1756-L6	V16: FRN 16.023 or later V20: FRN 20.014 or later
Standard Controllers	ControlLogix 5570	1756-L7	V20: FRN 20.014 or later V23: FRN 23.012 or later V24 or later
Standard Controllers (Redundant)	ControlLogix 5560	1756-L6	V20: FRN 20.056 or later
Standard Controllers (Redundant)	ControlLogix 5570	1756-L7	V20: FRN 20.056 or later V24: FRN 24.052 or later
Small Controllers	CompactLogix L23x CompactLogix L3x	1769-L23, 1769-L31, 1769-L32, 1769-L35	V20: FRN 20.014 or later
Small Controllers	CompactLogix 5370 L1 CompactLogix 5370 L2 CompactLogix 5370 L3	1769-L1, 1769-L2, 1769-L3	V20: FRN 20.014 or later V23: FRN 23.012 or later V24 or later
Small Controllers	CompactLogix L4x	1768-L4x	V16: FRN 16.026 (Series A, B, C) FRN 16.027 or later (Series D) V20: FRN 20.014 or later (Series A, B, C) FRN 20.016 or later (Series D)
Safety Controllers	GuardLogix L4xS	1768-L4xS	V20: FRN 20.018 or later
Safety Controllers	GuardLogix 5560	1756-L6S	V20: FRN 20.018 or later
Safety Controllers	GuardLogix 5570	1756-L7S	V20: FRN 20.018 or later V23: FRN 23.012 or later V24 or later

Note: Customers using affected versions of FlexLogix, which is a discontinued product, are urged to contact their local distributor or Sales Office in order to upgrade to newer product lines that contain the relevant mitigations.

Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances.
When possible, keep the controller in RUN mode rather than Remote RUN or Remote Program mode in order to prevent other disruptive changes to your system.
Minimize network exposure for all control system devices and/or systems, and help confirm that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at Knowledgebase Article ID 54102.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
05-DEC-2016	1.0	Initial release.
16-DEC-2016	1.1	Added details to indicate this is a CIP based packet and added mitigations for CIP networks.
04-JAN-2017	1.2	Clarified CompactLogix L4x and GuardLogix L4xS V20 affected versions, and added remediated GuardLogix L4xS version.
13-FEB-2017	1.3	Added details for PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed.
21-AUG-2018	1.4	Added remediated versions of Firmware for PowerFlex 700S drives with Phase II control and the embedded DriveLogix 5730 controller option installed.
13-MAY-2019	1.5	Fixed broken links and added RA contact information.

Attachments

File

KB970074_1.5.pdf

KCS Status

Released

High

PN1040 | PN1040 | CompactLogix 5370 Programmable Automation Controllers Denial of Service Vulnerabilities

Published Date:

April 30, 2019

Last Updated:

April 30, 2019

CVE IDs:

CVE-2019-10952, CVE-2019-10954

Products:

CompactLogix 5370

CVSS Scores:

8.6, 5.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - April 30, 2019

Introduction

CompactLogix 5370 Programmable Automation Controllers Denial of Service Vulnerabilities

Executive Summary

CompactLogix 5370 Programmable Automation Controllers Denial of Service Vulnerabilities

Detailed Information

Rockwell Automation received two reports about potential vulnerabilities affecting versions of CompactLogix™ 5370 Programmable Automation Controllers. A successful exploitation of one of these potential vulnerabilities could result in a Denial of Service ("DoS") condition to the web portal of the affected device. A successful exploitation of the second vulnerability could potentially result in a DoS to the controller where it enters a major non-recoverable fault ("MNRF"). A MNRF is considered a safe state. Further details about MNRFs can be found in the vulnerability details section.

Customers using the affected products are strongly encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended security guidelines, are provided herein.

At the time of this writing, the Rockwell Automation® Product Security Incident Response Team ("PSIRT") is unaware of any active exploitation of these potential vulnerabilities.

Affected Products

CompactLogix 5370 L1 controllers, versions 20 to 30 and earlier
CompactLogix 5370 L2 controllers, versions 20 to 30 and earlier
CompactLogix 5370 L3 controllers, versions 20 to 30 and earlier
Compact GuardLogix® 5370 controllers, versions 20 to 30 and earlier
Armor™ Compact GuardLogix 5370 controllers, versions 20 to 30 and earlier

Vulnerability Details

About Major Non-Recoverable Faults ("MNRFs")
If a MNRF occurs in a CompactLogix controller, all I/O modules will transition to their configured fault state (for example Hold Last State). Memory will be marked as invalid and cleared. It is important to note that the memory clear is controlled and intentional, as the controller has determined internally that something is wrong and cannot guarantee continued safe controller execution. As a result, the controller goes into a Major Non-Recoverable Faulted state, which is considered safe. Recovery requires that you download the application program again.

Vulnerability #1: Email Object Stack Overflow Denial of Service
Rockwell Automation received a report describing a vulnerability where a remote, unauthenticated threat actor could send crafted SMTP configuration packets to port 44818 potentially causing a Denial of Service condition, where the controller enters a major non-recoverable faulted state ("MNRF").

CVE-2019-10954 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #2: Web Portal Denial of Service
Younes Dragoni of Nozomi Networks discovered a Denial of Service vulnerability in the web server of CompactLogix 5370 PLCs. By sending specific requests to the web server, a remote, unauthenticated threat actor could potentially force the web server to become unreachable, potentially preventing the user from gaining web access to view live controller data. A reset of the device is required to recover the web server. The control functions of the product are not affected by this vulnerability.

CVE-2019-10952 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 5.3/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

Risk Mitigation & User Action

Rockwell Automation strongly recommends that customers use the latest available version of firmware to keep up to date with the latest features, anomaly fixes, and security improvements. Update to a version of firmware as listed below that mitigates the associated risk:

Product Family	Actions	Notes
CompactLogix 5370	Apply FRN 31.011 or later	Download
Compact GuardLogix 5370	Apply FRN 31.011 or later	Download
Armor Compact GuardLogix 5370	Apply FRN 31.011 or later;	Download

For EtherNet/IP™ based vulnerabilities, block all traffic to from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
1. Stratix® switch users can use Device Manager or Studio 5000 Logix Designer® software to configure access control lists (ACL) to block/restrict ports. See section "Access Control Lists" in Stratix Managed Switches User Manual, publication 1783-UM007, for detailed instructions.
Utilize proper network infrastructure controls, such as firewalls, to help ensure that SMTP packets from unauthorized sources are blocked.
Consult the product documentation for specific features, such as a hardware key-switch setting, to which may be used to block unauthorized changes, etc.
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (secure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

Attachments

File

KB 1075979_v1.0.pdf

High

PN1068 | PN1068 | Open Redirect Vulnerability MicroLogix, CompactLogix 5370 Controllers

Published Date:

April 23, 2019

Last Updated:

April 23, 2019

CVE IDs:

CVE-2019-10955

Products:

Compact Logix 5370, MicroLogix

CVSS Scores:

7.1

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Open Redirect Vulnerability MicroLogix, CompactLogix 5370 Controllers

Description

Version 1.0 – April 23, 2019

Rockwell Automation received a report from ICS-CERT regarding an open redirect vulnerability in the web server of certain small Programmable Logic Controllers (PLCs) that, if successfully exploited, could allow a threat actor to inject arbitrary web content into the affected device’s web pages. Affected product families include CompactLogix^™ 5370 controllers and MicroLogix^™ controllers.

Customers using affected versions of this firmware are encouraged to evaluate their risk and apply the appropriate mitigations provided below to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

MicroLogix 1400 Controllers

Series B, v15.002 and earlier
Series A, All Versions

MicroLogix 1100 Controllers

v14.00 and earlier

CompactLogix 5370 L1 controllers

v30.014 and earlier

CompactLogix 5370 L2 controllers

v30.014 and earlier

CompactLogix 5370 L3 controllers (includes CompactLogix GuardLogix^® controllers)

V30.014 and earlier

VULNERABILITY DETAILS

These devices contain a web server that accepts user inputs via web interface. A remote, unauthenticated threat actor could utilize this function in conjunction with a social engineering attack to redirect the user from the affected controller’s web server to a malicious website of the threat actor’s choosing. This malicious website could potentially run or download arbitrary malware on the user’s machine. The target of this type of attack is not the industrial control device and does not disrupt its control functionality.

CVE-2019-10955 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.1/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers are encouraged to assess their level of risk with respect to their specific applications and update to the latest available firmware revision that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below and are encouraged, when possible, to combine these strategies with the general security guidelines to employ multiple strategies simultaneously.

Product	Catalog Numbers	Suggested Actions
MicroLogix 1400 controllers, Series A	1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA	No direct mitigation provided. Affected users may disable the web server altogether by changing the HTTP setting from Enabled to Disabled using the LCD. See the 1766-UM001M-EN-P MicroLogix 1400 Programmable Controllers User Manual for more information
MicroLogix 1400 controllers, Series B	1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA	Apply FRN 15.003 or later for MicroLogix 1400 Series B devices (Download) Affected users may disable the web server altogether by changing the HTTP setting from Enabled to Disabled using the LCD. See the 1766-UM001M-EN-P MicroLogix 1400 Programmable Controllers User Manual for more information
MicroLogix 1100 controllers	1763-L16BWA 1763-L16AWA 1763-L16BBB 1763-L16DWD	Apply FRN 15.000 or later (Download) Affected users may disable the web server altogether by unchecking the "HTTP Server Enable" checkbox in the Channel 1 configuration.
CompactLogix 5370 L1 controllers	1769-L16ER-BB1B 1769-L18ER-BB1B 1769-L18ERM-BB1B 1769-L19ER-BB1B	Apply v31.011 or later (Download)
CompactLogix 5370 L2 controllers	1769-L24ER-QB1B 1769-L24ER-QBFC1B 1769-L27ERM-QBFC1B	Apply v31.011 or later (Download)
CompactLogix 5370 L3 controllers (includes CompactLogix GuardLogix controllers)	1769-L30ER 1769-L30ER - NSE 1769-L30ERM 1769-L30ERMS 1769-L33ER 1769-L33ERM 1769-L33ERMS 1769-L36ERM 1769-L36ERMS 1769-L37ERMO 1769-L37ERMOS	Apply v31.011 or later (Download)

GENERAL SECURITY GUIDELINES

Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

Attachments

File

KB 1086288_v1.0.pdf

KCS Status

Released - Edited

Medium

PN1044 | PN1044 | Stratix 5400/5410/5700 Device Reload Vulnerability

Published Date:

April 04, 2019

Last Updated:

April 04, 2019

CVE IDs:

CVE-2018-15377

Products:

Stratix 8300 L3 Modular Managed Switch, Stratix 8000 Modular Managed Switch, Stratix 5700 Managed Switch, Stratix 5400 Industrial Ethernet Switch, Stratix 5410 Ind Distribution Switch

CVSS Scores:

6.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Stratix 5400/5410/5700 Device Reload Vulnerability

Description

Version 1.0 - April 4, 2019

Cisco® released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. This publication includes seven security advisories. One of these vulnerabilities affects the four Allen-Bradley® Stratix® and ArmorStratix™ products, which are listed in the Affected Products section below.

AFFECTED PRODUCTS

Allen-Bradley Stratix 5400 Industrial Ethernet Switches - all versions PRIOR to 15.2(6)E2a
Allen-Bradley Stratix 5410 Industrial Distribution Switches - all versions PRIOR to 15.2(6)E2a
Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches - all versions PRIOR to 15.2(6)E2a
Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches for extreme environments - all versions PRIOR to 15.2(6)E2a

VULNERABILITY DETAILS

Software Plug and Play Agent Memory Leak Vulnerability
A vulnerability in the Cisco Network Plug and Play agent, also referred to as the Cisco Open Plug-n-Play agent, of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak on an affected device.

The vulnerability is due to insufficient input validation by the affected software. An attacker could exploit this vulnerability by sending invalid data to the Cisco Network Plug and Play agent on an affected device. A successful exploit could allow the attacker to cause a memory leak on the affected device, which could cause the device to reload.

The product security disclosure from Cisco for their IOS and IOS XE software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-pnp-memleak.

CVE-2018-15377 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Update the affected products per the table below:

Product Family	Updates Available
Stratix 5400 Industrial Ethernet Switches	Apply FRN 15.2(6)E2a or later (Download)
Stratix 5410 Industrial Distribution Switches	Apply FRN 15.2(6)E2a or later (Download)
Stratix 5700 Industrial Managed Ethernet Switches	Apply FRN 15.2(6)E2a or later (Download)
ArmorStratix 5700 Industrial Managed Ethernet Switches	Apply FRN 15.2(6)E2a or later (Download)

GENERAL SECURITY GUIDELINES

Utilize proper network infrastructure controls, such as firewalls, to help ensure that requests from unauthorized sources are blocked and the controls are isolated from the business network.
Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
04-April-2019	1.0	Initial release

KCS Status

Released

High

PN1045 | PN1045 | Stratix 5400/5410/5700/8000/8300 Denial of Service Vulnerabilities

Published Date:

April 04, 2019

Last Updated:

April 04, 2019

CVE IDs:

CVE-2018-0466, CVE-2018-0473, CVE-2018-15373, CVE-2018-0470, CVE-2018-0467

Products:

Stratix 8300 L3 Modular Managed Switch, Stratix 8000 Modular Managed Switch, Stratix 5700 Managed Switch, Stratix 5400 Industrial Ethernet Switch, Stratix 5410 Ind Distribution Switch

CVSS Scores:

7.5, 7.4, 8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Stratix 5400/5410/5700/8000/8300 Denial of Service Vulnerabilities

Description

Version 1.0 - April 4, 2019

Cisco® released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included seven security advisories that affect Allen-Bradley® products. Five of these vulnerabilities affect the six Allen-Bradley Stratix® and ArmorStratix™ products listed in the Affected Products section below.

AFFECTED PRODUCTS

Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches - all versions PRIOR to 15.2(4)EA7
Allen-Bradley Stratix 5400 Industrial Ethernet Switches - v15.2(6)E0a and earlier
Allen-Bradley Stratix 5410 Industrial Distribution Switches - v15.2(6)E0a and earlier
Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches - v15.2(6)E0a and earlier
Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches - v15.2(6)E0a and earlier
Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches for extreme environments - v15.2(6)E0a and earlier

VULNERABILITY DETAILS

Vulnerability #1: Open Shortest Path First (OSPF v3) Denial of Service
A vulnerability in the Open Shortest Path First version 3 (OSPFv3) implementation in Cisco IOS and IOS XE Software could allow an unauthenticated, adjacent attacker to cause an affected device to reload.

The vulnerability is due to incorrect handling of specific OSPFv3 packets. An attacker could exploit this vulnerability by sending crafted OSPFv3 Link-State Advertisements (LSA) to an affected device. An exploit could allow the attacker to cause an affected device to reload, leading to a denial of service (DoS) condition.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ospfv3-dos.

CVE-2018-0466 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/.

Vulnerability #2: Hypertext Transfer Protocol (HTTP) Denial of Service
A vulnerability in the web framework of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a buffer overflow condition on an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to the affected software improperly parsing malformed HTTP packets that are destined to a device. An attacker could exploit this vulnerability by sending a malformed HTTP packet to an affected device for processing. A successful exploit could allow the attacker to cause a buffer overflow condition on the affected device, resulting in a DoS condition.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-webdos.

CVE-2018-0470 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/.

Vulnerability #3: Precision Time Protocol (PTP) Denial of Service
A vulnerability in the Precision Time Protocol (PTP) subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition of the Precision Time Protocol.

The vulnerability is due to insufficient processing of PTP packets. An attacker could exploit this vulnerability by sending a custom PTP packet to, or through, an affected device. A successful exploit could allow the attacker to cause a DoS condition for the PTP subsystem, resulting in time synchronization issues across the network.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ptp.

CVE-2018-0473 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/.

Vulnerability #4: IPv6 Hop-by-Hop Options Denial of Service
A vulnerability in the IPv6 processing code of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload.

The vulnerability is due to incorrect handling of specific IPv6 hop-by-hop options. An attacker could exploit this vulnerability by sending a malicious IPv6 packet to or through the affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition on an affected device.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-ipv6hbh.

CVE-2018-0467 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/.

Vulnerability #5: Software Cisco Discovery Protocol Denial of Service
A vulnerability in the implementation of Cisco Discovery Protocol functionality in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to exhaust memory on an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper memory handling by the affected software when the software processes high rates of Cisco Discovery Protocol packets that are sent to a device. An attacker could exploit this vulnerability by sending a high rate of Cisco Discovery Protocol packets to an affected device. A successful exploit could allow the attacker to exhaust memory on the affected device, resulting in a DoS condition.

The product security disclosure from Cisco for their IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180926-cdp-dos.

CVE-2018-15373 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected devices are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Update the affected products per the table below:

Product Family	Affected Versions	Updates Available
Stratix 5400 Industrial Ethernet Switches	15.2(6)E0a and earlier	Apply FRN 15.2(6)E2a or later (Download)
Stratix 5410 Industrial Distribution Switches	15.2(6)E0a and earlier	Apply FRN 15.2(6)E2a or later (Download)
Stratix 5700 Industrial Managed Ethernet Switches	15.2(6)E0a and earlier	Apply FRN 15.2(6)E2a or later (Download)
Stratix 8300 Modular Managed Ethernet Switches	15.2(4a)EA5 and earlier	Apply FRN 15.2(4)EA7 or later (Download)
Stratix 8000 Modular Managed Ethernet Switches	15.2(6)E0a and earlier	Apply FRN 15.2(6)E2a or later (Download)
ArmorStratix 5700 Industrial Managed Ethernet Switches	15.2(6)E0a and earlier	Apply FRN 15.2(6)E2a or later (Download)

GENERAL SECURITY GUIDELINES

Utilize proper network infrastructure controls, such as firewalls, to help ensure that requests from unauthorized sources are blocked and the controls are isolated from the business network.
Consult the product documentation for specific features, such as access control lists and deep pack inspection, to which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used Rockwell Automation® products, see Knowledgebase Article ID 898270.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Keith Lester (klester@ra.rockwell.com).

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
04-April-2019	1.0	Initial release

KCS Status

Released

High

PN977 | PN977 | MicroLogix 1100 Controllers Malformed Packet Denial of Service

Published Date:

April 03, 2019

Last Updated:

April 03, 2019

CVE IDs:

CVE-2017-7924

Products:

MicroLogix 1100 Controllers

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

MicroLogix 1100 Controllers Malformed Packet Denial of Service

Description

Version 1.1 - April 3, 2019
Version 1.0 - May 18, 2017

A vulnerability exists in the MicroLogix™ 1100 controllers that, if successfully exploited, can cause a Denial of Service (DoS) condition. These controllers are used to control processes across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to this discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

Micrologix 1000 Controllers
- 1763-L16BWA, 1763-L16AWA, 1763-L16BBB, 1763-L16DWD

VULNERABILITY DETAILS

A remote, unauthenticated attacker could send a single, specially crafted Programmable Controller Communication Commands (PCCC) packet to the controller that could potentially cause the controller to enter a Denial of Service (DoS) condition. PCCC messages are supported on Serial as well as Ethernet communication ports. The vulnerability is due to improper handling of PCCC messages.

CVE-2017-7924 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected controllers are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed toward risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family	Catalog Numbers	Suggested Actions
Micrologix 1100	1763-L16BWA 1763-L16AWA 1763-L16BBB 1763-L16DWD	Apply FRN 16.0 or later (Downloads) CheckPoint Software Technologies has released intrusion prevention system ("IPS") rules that detect attempts to exploit this vulnerability. For details about these IPS rules, please see Check Point Advisory CPAI-2019-0399

GENERAL SECURITY GUIDELINES

Block all traffic to EtherNet/IP™ connected devices or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices that host them.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
18-MAY-2017	1.0	Initial Release
03-APR-2019	1.1	Updated with IPS rule from Check Point, CVE link

Attachments

File

KB 1047342_v1.1.pdf

KCS Status

Released

High

PN1043 | PN1043 | PowerFlex 525 AC Drives with Embedded EtherNet/IP Port Communication Denial of Service

Published Date:

March 29, 2019

Last Updated:

February 04, 2025

CVE IDs:

CVE-2018-19282

Products:

PowerFlex 525 AC Drives

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Introduction

PowerFlex 525 AC Drives with Embedded EtherNet/IP Port Communication Denial of Service

Description

Version 1.1 - March 29, 2019
Version 1.0 – March 28, 2019

Rockwell Automation received a report from security researcher Nicholas Merle of Applied Risk regarding a communication disruption/Denial of Service vulnerability in the embedded Ethernet port of PowerFlex® 525 AC drives.

A firmware upgrade to the PowerFlex 525 drive corrects this vulnerability. We encourage affected customers to evaluate the mitigations provided below and apply the appropriate mitigations based on their deployed products. Additional details relating to the discovered vulnerability, including affected product versions and mitigation actions, are provided herein.

AFFECTED PRODUCTS

PowerFlex 525 AC Drives with Embedded EtherNet/IP Port

Firmware revisions 5.001 and earlier

Note: The 25-COMM-E2P Dual-Port EtherNet/IP Adapter, sometimes used with the PowerFlex 525 AC Drive, is not affected by this vulnerability.

VULNERABILITY DETAILS

A remote, unauthenticated threat actor who gains access to the Ethernet network containing a PowerFlex 525 drive can repeatedly send specific CIP packets to an affected PowerFlex 525 drive. These repeated packets can result in resource exhaustion, denial of service, and/or memory corruption. The affected drive will also be in a state where new messages cannot be received by the drive over its embedded EtherNet/IP port, including over existing CIP explicit messaging connections. The resource exhaustion affects EtherNet/IP explicit messaging to the drive, including establishing new (or reestablishing lost) CIP I/O connections to the drive. However, existing CIP I/O connections to the drive will continue to operate normally. A manual reboot is required in order to restore the normal functioning of the device.

CVE-2018-19282 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected firmware revisions are encouraged to update to an available firmware revision that addresses the vulnerability. Customers who are unable to update their firmware are encouraged to employ one or more of the general security guidelines in the next section of this document.

Product Family

Catalog Numbers

Suggested Actions

PowerFlex 525 AC Drives with an Embedded EtherNet/IP Port.

Catalog numbers beginning with "25B-".

For more information about catalog numbers, see page 13 of the PowerFlex 520-Series Adjustable Frequency AC Drive User Manual.

Update to firmware revision 5.002 or later (Download).

GENERAL SECURITY GUIDELINES

Utilize proper network infrastructure controls, such as firewalls, to help ensure that CIP™ messages from unauthorized sources are blocked.
Block all traffic to EtherNet/IP™ or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
If applicable, consult the product documentation for specific features, such as a hardware key-switch setting, which may be used to block unauthorized changes, etc.
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet or the business network.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the vulnerability handling process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing Rockwell Automation and Cisco validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
28-March-2019	1.0	Initial release
29-March-2019	1.1	Added additional publication links

Attachments

File

KB 1082684_v1.1.pdf

KCS Status

Released

Critical

PN1061 | PN1061 | RSLinx Classic Denial of Service/Remote Code Execution Vulnerability

Published Date:

March 04, 2019

Last Updated:

March 04, 2019

CVE IDs:

CVE-2019-6553

Products:

RSLinx Classic (Single Node

CVSS Scores:

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

RSLinx Classic Denial of Service/Remote Code Execution Vulnerability

Description

Version 1.0 - March 04, 2019

Rockwell Automation received a report from Tenable regarding a potential vulnerability in versions of RSLinx® Classic software, which if successfully exploited, can cause memory corruption issues. A successful exploitation may result in a crash of the software application (Denial of Service) or potentially allow the threat actor to execute arbitrary code on the target machine.

RSLinx® Classic is a software solution that Allen-Bradley® Programmable Logic Controllers (PLCs) use to connect to a wide variety of software applications, ranging from programming, data acquisition, configuration applications as well as those that interact with a Human-Machine Interface (HMI).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

RSLinx Classic, v4.10.00 and earlier

VULNERABILITY DETAILS

An input validation issue exists in a .dll file of RSLinx Classic where the data in a Forward Open service request is passed to a fixed size buffer. This buffer overflow may terminate the RSLinx.exe application causing a Denial of Service, and/or potentially allow the threat actor to remotely execute arbitrary code on the victim’s machine.

CVE-2019-6553 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 10/10 has been assigned. This high CVSS score reflects the potential impact of a successful remote code execution scenario, where a threat actor is able to gain full control of the victim’s machine.

For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected software versions are encouraged to assess their level of risk and, if necessitated, update their software to an available revision that addresses the associated risk. Customers who are unable to implement a software patch are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Update products according to this table:

Product Family	Catalog Numbers	Suggested Actions
RSLinx Classic	9355-WABx	Currently, software patches have been released to address the following versions of RSLinx Classic: V3.60 V3.70 V3.80 V3.81 V3.90 V4.00.01 V4.10 These patches can be found at Knowledgebase Article ID: 1084828

Customers may disable port 44818 in RSLinx Classic if it is not utilized during system operation. To disable port 44818, go to Options in RSLinx Classic. Then in the General tab of the Options pop-up, uncheck the option "Accept UDP Messages on Ethernet Port".
1. Port 44818 is needed only when a user wants to utilize unsolicited messages. To check if you are using unsolicited messages, go to the "DDE/OPC" dropdown in RSLinx Classic. Select Topic Configuration and then go to the "Data Collection" tab in the Topic Configuration pop-up. The "Unsolicited Messages" checkbox is marked, then port 44818 is being used in your application.
2. Note: In RSLinx Classic 4.10 or later, "Accept UDP Messages on Ethernet Port" checkbox is unchecked by default.

GENERAL SECURITY GUIDELINES

Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP™ traffic from unauthorized sources are blocked.
Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® products, see Knowledgebase Article ID 898270.
Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
04-March-2019	1.0	Initial Release

Attachments

File

KB 1085038_v1.0.pdf

KCS Status

Released

Medium

PN1058 | PN1058 | EtherNet/IP Web Server Module SNMP Service Denial of Service

Published Date:

February 06, 2019

Last Updated:

February 06, 2019

CVE IDs:

CVE-2018-19016

Products:

Ethernet/IP Connected Products, 1756 ControlLogix I/O

CVSS Scores:

5.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

EtherNet/IP Web Server Module SNMP Service Denial of Service

Description

Version 1.1 - Feb 06, 2019
Version 1.0 - Feb 04, 2019

Rockwell Automation received a report from researchers at Tenable regarding a potential vulnerability which affects EtherNet/IP™ Web Server modules that, if successfully exploited, can allow a threat actor to deny communication with the Simple Network Management Protocol (SNMP) service until the device can be restarted.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply them appropriately to deployed products.

AFFECTED PRODUCTS

EtherNet/IP Web Server Modules

1756-EWEB (includes 1756-EWEBK), v5.001 and earlier

CompactLogix™ Controller EtherNet/IP Web Server Module

1768-EWEB, v2.005 and earlier

VULNERABILITY DETAILS

An unauthenticated, remote threat actor could potentially send a crafted UDP packet to the affected product’s SNMP service. Improper handling of this crafted packet could result in a denial of service for SNMP; port 161 stops receiving messages until the device is power-cycled. The web UI may show that the service is running even if it is not available. The control functionality of the device is unaffected.

CVE-2018-19016 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 5.3/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers are encouraged to assess their level of risk with respect to their specific applications and implement appropriate mitigations as needed and, if necessary, contact their local distributor or Sales Office.

Product Family	Catalog Numbers	Suggested Actions
EtherNet/IP Web Server Module	1756-EWEB Series A, All Versions Series B, All Versions	Disable the SNMP service if not in use. See pg 28 of the EtherNet/IP Web Server Module User Manual. No direct mitigation provided. See NOTE: below for additional recommended actions
CompactLogix EtherNet/IP Web Server Module	1768-EWEB, All Versions	Disable the SNMP service if not in use. See pg 28 of the EtherNet/IP Web Server Module User Manual. No direct mitigation provided. See NOTE: below for additional recommended actions

NOTE: Customers are urged to evaluate their level of risk and, if necessary, contact their local distributor or Sales Office.

GENERAL SECURITY GUIDELINES

Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP messages from unauthorized sources are blocked.
Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the manufacturing zone by blocking or restricting access to UDP port 161 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
06-Feb-2019	1.1	ICS-CERT and Tenable Advisory links added
04-Feb-2019	1.0	Initial Release

Attachments

File

KB 1084268_v1.1.pdf

KCS Status

Released

High

PN1033 | PN1033 | FactoryTalk Services Platform Denial of Service

Published Date:

November 27, 2018

Last Updated:

November 27, 2018

CVE IDs:

CVE-2018-18981

Products:

FactoryTalk Services Platform, Logix Designer, RSNetWorx, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, FactoryTalk VantagePoint, FactoryTalk Linx Gateway, FactoryTalk Metrics, FactoryTalk View SE, FactoryTalk Historian SE, RSLinx Classic (Single Node, FactoryTalk Linx / RSLinx Enterprise, Studio 5000 View Designer, FactoryTalk AssetCentre, FactoryTalk ViewPoint

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

FactoryTalk Services Platform Denial of Service

Description

Version 1.0 - November 27, 2018

Rockwell Automation received a report detailing vulnerabilities in software components that are shared by products that utilize the FactoryTalk® Services Platform. These vulnerabilities, if successfully exploited, may result in diminished communication or complete communication loss (denial of service) to the products that utilize the targeted services. FactoryTalk Services Platform consists of a suite of services, which create a services-oriented architecture (SOA). The SOA enables real-time data sharing across a range of software applications used across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below, and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

FactoryTalk Services Platform, v2.90 and earlier.

Note: This vulnerability is addressed in FactoryTalk Services Platform v3.00. Additional software patches and details are provided in the Risk Mitigations and Recommended User Actions section below.

Nearly all FactoryTalk software ships with FactoryTalk Services Platform. If you have a product from the following list, you may also be affected. If you are unsure of which FactoryTalk Services Platform version is installed on your machine, see Knowledgebase Article ID 25612 for additional details.

FactoryTalk AssetCentre
FactoryTalk Activation Manager
FactoryTalk Alarms & Events
FactoryTalk Batch
FactoryTalk eProcedure®
FactoryTalk Gateway
FactoryTalk Historian Site Edition (SE)
FactoryTalk Linx (formerly: RSLinx Enterprise)
FactoryTalk Metrics
FactoryTalk Transaction Manager
FactoryTalk VantagePoint®
FactoryTalk View Machine Edition (ME) (Studio Only - no impact to PanelView Plus products)
FactoryTalk View Site Edition (SE)
FactoryTalk ViewPoint SE
RSLinx® Classic
RSLogix 5000® (v20 Only) / Studio 5000 Logix Designer®
RSNetWorx™
Studio 5000 Architect®

VULNERABILITY DETAILS

A remote, unauthenticated threat actor could send numerous crafted packets the following service ports: 1332, 5241, 6543, and 4241, resulting in a growth in memory consumption that could lead to a partial or complete denial of service condition to products utilizing the targeted services until the process is restarted.

CVE-2018-18981 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the common vulnerability scoring system ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using affected versions of FactoryTalk Services Platform are encouraged to update to an available software version that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Currently Installed	Suggested Actions
FactoryTalk® Services Platform, v2.90 and earlier	Update FactoryTalk Services Platform to v3.00 and later (Download) For customers who are unable to update to V3.00, software patches have been released for the following versions: V2.74 V2.80 V2.81 V2.90 These patches can be found at Knowledgebase Article ID 1082055.

GENERAL SECURITY GUIDELINES

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.
Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
Use trusted software, software patches, and anti-virus/anti-malware programs.
Minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the enterprise network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices they are installed in.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
27-Nov-2018	1.0	Initial Release

Attachments

File

KB-1074747_FTSP_v1.0.pdf

KCS Status

Released

High

PN1042 | PN1042 | MicroLogix 1400 Controllers, 1756 ControlLogix EtherNet/IP Communication Modules Denial of Service

Published Date:

November 06, 2018

Last Updated:

November 06, 2018

Products:

1756 ControlLogix I/O

CVSS Scores:

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

MicroLogix 1400 Controllers, 1756 ControlLogix EtherNet/IP Communication Modules Denial of Service

Description

Version 1.0 - November 6, 2018

Rockwell Automation received a report from ICS-CERT regarding a vulnerability that exists in certain products that, if successfully exploited, can allow a threat actor to disrupt Ethernet communication by allowing Internet Protocol (IP) configuration changes to the affected device in the system. The affected products include MicroLogix™ 1400 controllers, and 1756 ControlLogix® Ethernet/IP Communications Modules.

These products currently adhere to the ODVA EtherNet/IP standard. We have addressed the risks exposed by this specific issue, and have taken additional action with ODVA to produce a standard that improves the security protocol utilized by industrial automation devices including those developed by Rockwell Automation.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details, including affected product versions and mitigation actions, are provided herein.

AFFECTED PRODUCTS

MicroLogix 1400 Controllers

Series A, All Versions
Series B, v21.003 and earlier
Series C, v21.003 and earlier

1756 ControlLogix EtherNet/IP Communications Modules

1756-ENBT, All Versions
1756-EWEB
- Series A, All Versions
- Series B, All Versions
1756-EN2F
- Series A, All Versions
- Series B, All Versions
- Series C, v10.10 and earlier
1756-EN2T
- Series A, All Versions
- Series B, All Versions
- Series C, All Versions
- Series D, v10.10 and earlier
1756-EN2TR
- Series A, All Versions
- Series B, All Versions
- Series C, v10.10 and earlier
1756-EN3TR
- Series A, All Versions
- Series B, v10.10 and earlier

VULNERABILITY DETAILS

An unauthenticated, remote threat actor could potentially send a CIP connection request to an affected device and, upon successful connection, send a new IP configuration to the affected device even if the controller in the system is set to Hard RUN mode. When the affected device accepts this new IP configuration, a loss of communication occurs between the device and the rest of the system. Reason being, the system traffic is still attempting to communicate with the device via the IP address that was overwritten.

Rockwell Automation evaluated the vulnerability using the common vulnerability scoring system ("CVSS") v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected products are encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update their firmware are directed towards additional risk mitigation strategies provided below, and are encouraged when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family	Catalog Numbers	Suggested Actions
MicroLogix™ 1400 Controllers	1766-Lxxx, Series A	No direct mitigation provided. See NOTE: below for recommended actions.
MicroLogix™ 1400 Controllers	1766-Lxxx, Series B or C	1. Apply FRN 21.004 and later (Download) 2. Once the new FRN is applied, use the LCD Display to put the controller in RUN mode to prevent configuration changes. See the MicroLogix 1400 Programmable Controllers User Manual for details.
1756 EtherNet/IP Web Server Module	1756-EWEB, All Series	No direct mitigation provided. See NOTE: below for recommended actions.
1756 ControlLogix® EtherNet/IP Communications Modules	1756-ENBT, All Versions 1756-EN2F Series A, All versions Series B, All versions 1756-EN2T Series A, All Versions Series B, All Versions Series C, All Versions 1756-EN2TR Series A, All Versions Series B, All Versions 1756-EN3TR Series A	No direct mitigation provided. See NOTE: below for recommended actions.
1756 ControlLogix® EtherNet/IP Communications Modules	1756-EN2F, Series C 1756-EN2T, Series D 1756-EN2TR, Series C 1756-EN3TR, Series B	1. Apply FRN 11.001 and later (Download) 2. Once the new FRN is applied, enable Explicit Protected Mode. See the EtherNet/IP Network Configuration User Manual for details.

NOTE: Customers that are sent here from the Suggested Action column above are urged to assess their risk and, if necessary, contact their local distributor or Sales Office in order to upgrade to a newer product line that contains the relevant mitigations.

GENERAL SECURITY GUIDELINES

Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP messages from unauthorized sources are blocked.
Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the operational zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security).

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
06-Nov-2018	1.0	Initial Release.

Attachments

File

KB-1081928_v1.0.pdf

KCS Status

Released

Medium

PN885 | PN885 | CompactLogix™ and 1756 ControlLogix® Communication Modules Reflective Cross-Site Scripting (XSS) Vulnerability

Published Date:

November 01, 2018

Last Updated:

November 01, 2018

CVE IDs:

CVE-2016-2279

Products:

1756 ControlLogix I/O

CVSS Scores:

6.1

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

CompactLogix™ and 1756 ControlLogix® Communication Modules Reflective Cross-Site Scripting (XSS) Vulnerability

Description

Version 1.2 - November 1, 2018

On August 11, 2015, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley® CompactLogix™ controller platform. The researcher previously disclosed this information at the DEFCON 23 conference on August 8, 2015. The researcher publicly disclosed details relating to this vulnerability, including the existence of exploit code. However, at the time of publication, no known exploit code relating to this vulnerability has been released to the public.

As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the CompactLogix™ platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has also reproduced the vulnerability. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.

Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.

2016-03-01 UPDATE v1.1: Rockwell Automation has identified additional products containing this vulnerability, and these products are listed below. See the Risk Mitigations section below for information on available product firmware updates.

2018-11-01 UPDATE v1.2: Rockwell Automation received a report from an external researcher identifying additional product families that contain this vulnerability. These products are listed below. Please see the Risk Mitigations section for information on available firmware updates that address these vulnerabilities.

AFFECTED PRODUCTS/TECHNOLOGIES

2016-03-01 UPDATE: Additional Products:

1769-L23E-QB1B, Version 20.018 and earlier (Will be discontinued in June 2016)
1769-L23E-QBFC1B, Version 20.018 and earlier (Will be discontinued in June 2016)

2018-11-01 UPDATE: Additional Products:

1756-EN2F
- Series A, All Versions
- Series B, All Versions
1756-EN2T
- Series A, All Versions
- Series B, All Versions
- Series C, All Versions
- Series D, Version 10.007 and earlier
1756-EN2TR
- Series A, All Versions
- Series B, All Versions
1756-EN3TR
- Series A, All Versions

1769-L16ER-BB1B, Version 27.011 and earlier
1769-L18ER-BB1B, Version 27.011 and earlier
1769-L18ERM-BB1B, Version 27.011 and earlier
1769-L24ER-QB1B, Version 27.011 and earlier
1769-L24ER-QBFC1B, Version 27.011 and earlier
1769-L27ERM-QBFC1B, Version 27.011 and earlier
1769-L30ER, Version 27.011 and earlier
1769-L30ERM, Version 27.011 and earlier
1769-L30ER-NSE, Version 27.011 and earlier
1769-L33ER, Version 27.011 and earlier
1769-L33ERM, Version 27.011 and earlier
1769-L36ERM, Version 27.011 and earlier

VULNERABILITY DETAILS

The vulnerability in the web application of the affected device allows an attacker to inject arbitrary JavaScript into an unsuspecting user’s web browser by a process known as Reflective Cross Site Scripting. The impact to the user’s automation system would be highly dependent on both the type of JavaScript exploit included in this attack and the mitigations that the user may already employ. The target of this type of attack is not the Programmable Automation Controller or Communications module itself. Instead, they are vehicles to deliver an attack to the web browser.

A successful attack would not compromise the integrity of the device nor allow access to confidential information contained on it. On rare occasions, the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.

CVE-2016-2279 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

RISK MITIGATIONS

The following table summarizes available mitigations for each affected product:
2018-11-01 UPDATE: Added 1756 ControlLogix Ethernet/IP Communications Modules

Platform	Catalog Number	Recommendation
1756 ControlLogix® EtherNet/IP Communications Modules	1756-ENBT, All Versions 1756-EN2F Series A, All versions Series B, All versions 1756-EN2T Series A, All Versions Series B, All Versions Series C, All Versions 1756-EN2TR Series A, All Versions Series B, All Versions 1756-EN3TR Series A	No direct mitigation provided. See NOTE: below for recommended actions.
1756 ControlLogix® EtherNet/IP Communications Modules	1756-EN2F, Series C 1756-EN2T, Series D 1756-EN2TR, Series C 1756-EN3TR, Series B	Apply FRN 10.010 or later (Download)
Small Controllers: CompactLogix™ 5370 L1 CompactLogix™ 5370 L2 CompactLogix™ 5370 L3	1769-L16XX 1769-L18XX 1769-L24XX 1769-L27XX 1769-L30XX 1769-L33XX 1769-L36XX	1. Apply FRN 28.011 or later (Download) 2. Checkpoint has released the following Intrusion Prevention System ("IPS") definition to address this vulnerability: CPAI-2018-1030
CompactLogix™ Packaged Controllers	1769-L23E-QB1B 1769-L23E-QBFC1B	Discontinued as of June 2016 1.1769-L23E-QB1B: Recommend Migration to 1769-L24ER-BB1B 1769-L23E-QBFC1B: Recommend Migration to 1769-L24ER-QBFC1B 2. Checkpoint has released the following Intrusion Prevention System ("IPS") definition to address this vulnerability: CPAI-2018-1030

NOTE: Customers using previous series of the affected 1756 EtherNet/IP catalog numbers are urged to assess their risk and, if necessary, contact their local distributor or Sales Office in order to upgrade to a newer product line that contains the relevant mitigations.

Do not click on or open URL links from untrusted sources.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Interne.
Locate control system networks and devices behind firewalls, and isolate them from the business network
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
03-SEP-2015	1.0	Initial Release
01-MAR-2016	1.1	Update: Additional Products
01-NOV-2018	1.2	Update: Additional Products and ISP Definition

Attachments

File

KB-731098_Update_v1.2.pdf

KCS Status

Released

PN1011 | PN1011 | Rockwell Automation Briefing on Meltdown and Spectre vulnerabilities.

Published Date:

October 01, 2018

Last Updated:

October 01, 2018

Products:

Third Party, Compliance / Audit Trail / Security, RSBizWare Machine Performance, PLC5/250, ControlPak General, RSWire, ProcessPak, Historian Classic, Security Server, Integration Manager, 6200-PLC3, RSLogix Frameworks, SOS, RSLogix 500, AI-5, dsShopLib, Arena, Foundation Server, Shop Operations, RSLibrary Builder, RSBizWare Coordinator, Reporting (form based), AI-Micro, RSView32 WebServer, AI-3, Database, FactoryTalk ViewPoint, RSData OCX, SPC, Admin Tools, RSView32 SPC, FactoryTalk VantagePoint, App Solutions Documentation, Business Objects, Migration, Master Disk Copy Protection, Studio 5000 View Designer, RSGuardian, RSBizWare Tracker, Raise Software, RSToolPak II, FactoryTalk View SE, Interface Manager, Reporting, DataDisc, MaterialTrack, RSLogix 5, Operator Certification, Live Transfer, ThinManager, Advisor, ControlView, Printing, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, LiveData, Agile, Installation, RSLogix Emulate 500, Knowledge Documentation, RSPower, Entek, RSLogix Emulate 5, PBase, Build Utility, Shop Operation, Foundation Client, AI-5/250, AI-500, NCR/CAR/IQA, WINtelligent Recipe, RSView32, 6200-PLC5, FactoryTalk Activation, Purge, FactoryTalk Historian SE, RSEnterprise Controls, WINtelligent Logic 5, RSPowerTools, WSIntegrate, PID Logistics 500, RSMACC, FactoryTalk VantagePoint EMI, SoftLogix5800, RSView32 Messenger, FactoryTalk Linx Gateway, Supplier Manager, RSView32 Active Display, Maintenance Releases, 100/150 PCD, Connected Components Workbench, ComplianceTrack, RSTools, Portlets, RSBizWare Scheduler, WINtelligent Quality, PID Logistics 5, AI-2, GEMS, Documentation, PLC2A and T3, General Computer, Activities, ETL, ERP Integration Gateway, ECO, Historical Transfer, RS PMX CTM, RSTestStand, RSWorkbench, RSBizWare Line Performance, Production Management Client, RSLadder, Data, RMA, Thin Client, DataSite Workbench, Logix Designer, FactoryTalk Integrator, AI Emulate 500, RSPower32, AI Emulate 5, Administration, Production Execution Client, 1757 ProcessLogix, WINtelligent View, Installation, JD Edwards, Dashboard, Integrated Architecture Builder (IAB), WINtelligent HMI, PMX, 6200-5/250, eProcedure, RSView - 16 Bit, ActiveX Control, FactoryTalk Metrics, RSChart, TrendX, Universe Manager, Authentication, FactoryTalk AssetCentre, RSTrend, Knowledge Installation, Sampling Plans, General, RSSidewinderX, Configuration Tool, FactoryTalk Transaction Manager, Consumer Packaged Goods Suite, Studio 5000 Application Code Manager (ACM), AI-100/150, PlantMetrics, API, PCO Software (6723), Reports (Out-of-box), FactoryTalk Batch, FactoryTalk EnergyMetrix, FactoryTalk View ME, SoftLogix5, FactoryTalk Analytics for Machines, Process Designer, WINtelligent Trend, RSPocketLogix, Other, Reports (Custom), 6200-PLC2, RSMailman, Automotive Suite , Quality Assurance (6.x), ICAPA, RSLogix Architect / Studio 5000 Architect, Equipment Manager, GUI, FactoryTalk Analytics for Devices, PlantPAx, CtrlContainer, Complaint Handling, RSToolPak I, Server Configuration, Pavilion, RSData VBX, FactoryTalk Services Platform

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Rockwell Automation Briefing on "Meltdown" and "Spectre" vulnerabilities.

Description

Version 1.8 - October 1, 2018
Version 1.7 - February 14, 2018
Version 1.6 - February 6, 2018
Version 1.5 - February 2, 2018
Version 1.4 - January 26, 2018
Version 1.3 - January 23, 2018
Version 1.2 - January 18, 2018
Version 1.1 - January 10, 2018
Version 1.0 - January 8, 2018

On January 3, 2018, a set of new hardware kernel level vulnerabilities, named "Meltdown" and "Spectre", were announced by researchers. Both Spectre and Meltdown are vulnerabilities that affect modern microprocessors allowing malicious processes to access the contents of restricted memory and therefore affect multiple generations of Central Processing Units (CPUs).

Rockwell Automation is aware of these vulnerabilities and of how they could, if exploited, potentially impact our customers’ environments. Rockwell Automation is diligently working through the process of evaluating how the mitigation techniques will impact the functionality and performance of the Rockwell Automation hardware, software, and pre-engineered products and solutions that incorporate third party microprocessors. Rockwell Automation will continue to provide updated information as soon as reliable performance tests are completed.

AFFECTED PRODUCTS

Rockwell Automation Products
Rockwell Automation is currently investigating its product portfolio in order to identify which of its products may be directly affected by the "Meltdown" and "Spectre" vulnerabilities. Rockwell Automation will continue to monitor this situation, and will update this advisory if necessary.

UPDATE: Oct 01, 2018

Rockwell Automation has released new BIOS for certain Industrial Environment Computers that address the Meltdown and Spectre vulnerabilities. See below for details.

UPDATE: Feb 06, 2018

As of this writing, Rockwell Automation has evaluated many of our product families. Depending on the products’ architectures, effects of the Meltdown and Spectre vulnerabilities may significantly vary. Below is more information on Rockwell Automation’s evaluation.

NOTE: Rockwell Automation may continue to evaluate additional products that we suspect to be affected and will update this advisory accordingly.

I. Rockwell Automation has concluded that the following Active or Active Mature products contain a microprocessor that is affected by the Meltdown and Spectre vulnerabilities. Please see Knowledgebase Article ID 1071234 for detailed information about which Rockwell Automation-qualified Microsoft patches to apply to your products based on the Windows Operating System in use. As BIOS updates become available, Rockwell Automation will continue to update this advisory. The products are as follows:

Product Family	Affected Versions	Bul. #
6181X Hazardous Location Computers	Series H, All Versions	Bul. 6181X
6181P Integrated Display Computers	Series F, All Versions	Bul. 6181P
6177R Non-Display Computers	Series C, All Versions	Bul. 6177R
VersaView® 5400 Industrial Computers	Series A, All Versions	Bul. 6200P
VersaView® 5200 ThinManager® Thin Clients	Series A, All Versions	Bul. 6200T

In addition, Rockwell Automation has also determined the following discontinued products are similarly affected. Customers with discontinued products are encouraged to contact their local distributor or Sales Office to discuss a migration path to Active product lines.

Product Family	Affected Versions	Bul. #
6181X Hazardous Location Computers	Series E, F, G, All Versions	Bul. 6181X
6181P Integrated Display Computers	Series A-E, All Versions	Bul. 6181P
6177R Non-Display Computers (750R & 1450R)	Series A, B, All Versions	Bul. 6177R
6155R/F Compact Non-Display Computers (200R)	All Versions	Bul. 6155R & Bul. 6155F
6180P Integrated Display Computer with Keypad (1200P & 1500P)	All Versions	Bul. 6180P
6180W VersaView Industrial Workstations (1200W & 1500W)	All Versions	Bul. 6180W
6181F Integrated Display Computer (NDM, 1200P, 1500P, 1700P)	All Versions	Bul. 6181F
6181H Integrated Display Computer (1500P)	All Versions	Bul. 6181H
6183H Hazardous Location Computer (1200P)	All Versions	Bul. 6183H

Please see the Microsoft Patch Qualification section below for additional mitigation strategies.

II. The following products are Active or Active Mature and contain a microprocessor that is affected by the Meltdown and Spectre vulnerabilities. However, as a result of the product architecture, Rockwell Automation has concluded that the Meltdown and Spectre vulnerabilities do not pose a significant risk to these products:

Product Family	Affected Versions	Bul. #
ControlLogix® 5580 Controllers	All Versions	• 1756-L8
5069 CompactLogix™ 5380 Controllers	All Versions	• 5069-L3
5069 Compact I/O™ EtherNet/IP Adapters	All Versions	• 5069-AENTR • 5069-AEN2TR
5069 Compact I/O™ Modules	All Versions	• 5069-Ix • 5069-Ox
ControlLogix® EtherNet/IP Modules	All Versions	• 1756-EN2F, Series C • 1756-EN2T, Series D • 1756-EN2TP, Series A • 1756-EN2TR, Series C • 1756-EN2TRXT, Series C • 1756-EN2TSC, Series B • 1756-EN2TXT, Series D • 1756-EN2TK, Series D • 1756-EN2TRK, Series C
FactoryTalk® Analytics for Devices	All Versions	• 6200P-NS3C6
FactoryTalk® Historian Machine Edition (ME) Module	All Versions	• 1756-HIST
PowerFlex® 755T Drive Solutions	All Versions	• Bul. 20G
Kinetix® 5700 Modules (Single Axis, Double Axis)	All Versions	• 2198-Sxxx • 2198-Dxxx
PowerFlex® 750 Series EtherNet/IP Option Module - Dual Port	All Versions	• 20-750-ENETR
PowerFlex® 750 Series Safe Speed Monitor Option Module	All Versions	• 20-750-S1
PowerFlex® 527 Compact-Class AC Drives	All Versions	• Bul. 25C
PowerFlex® 753 Architecture-Class AC Drives	All Versions	• Bul. 20F
PowerFlex® 7000 Medium Voltage AC Drives	All Versions	• Catalogs 7000, 7000A, 7000L
PowerFlex® 6000 Medium Voltage AC Drives	All Versions	• Catalogs 6000, 6000U
PanelView™ 5310 Operator Interface Terminal	All Versions	• 2713P-xx
PanelView™ Plus 7 Standard	All Versions	• 2711P-XXXXXXXX8S
PanelView™ 5500	All Versions	• 2715-xx
PanelView™ Plus 7 Performance	All Versions	• 2711P-XXXXXXXX9P
PanelView™ Plus 6 400-600	All Versions	• 2711P-XXXX8 and 2711P-XXXX9 (where * is either 4 or 6)
PanelView™ Plus 6 Compact 400 and 600	All Versions	• 2711PC-X4XXXD8 • 2711PC-X6XXXD8
MobileView™	All Versions	• 2711T-B10I1N1 • 2711T-B10R1K1 • 2711T-B10R1M1 • 2711T-F10G1N1 • 2711T-T10G1N1 • 2711T-T10R1N1

III. Lastly, Rockwell Automation has concluded that the following products do not to contain a microprocessor that is affected by the Meltdown and Spectre vulnerabilities. Therefore these products are not affected by the reported vulnerabilities.

Product Family	Bul. #
ControlLogix® 5570 Controllers	• 1756-L7
GuardLogix® 5570 Controllers	• 1756-L7S
ControlLogix® 5560 Controllers	• 1756-L6
GuardLogix® 5560 Controllers	• 1756-L6S
ControlLogix® L55 Controllers	• 1756-L55x
CompactLogix™ 5370 L1, L2, L3	• 1769-L1 • 1769-L2 • 1769-L3
ControlLogix® EtherNet/IP Modules	• 1756-ENBT
ControlLogix® Web Server Modules	• 1756-EWEB
1769 CompactLogix™ L23x Controllers	• 1769-L23
1769 CompactLogix™ L3x Controllers	• 1769-L31 • 1769-L32 • 1769-L35
1768 CompactLogix™ L4x Controllers	• 1768-L4x
PanelView™ Plus 6 700-1500	• 2711P-XXXX8 and 2711P-XXXX9 (where * is either 7, 10, 12, or 15)
PanelView™ Plus 6 Compact 1000	• 2711PC-T10C4D8
Kinetix 5500 Servo Drives	• 2198-Hxxx
Stratix® 8000 Modular Managed Switches	• 1783-MS
Stratix® 8300 Modular Managed Switches	• 1783-RMS
Stratix® 5400 Industrial Ethernet Switches	• 1783-HMS
Stratix® 5410 Industrial Distribution Switches	• 1783-IMS
Stratix® 5700 Industrial Managed Ethernet Switches	• 1783-BMS
ArmorStratix™ 5700 Industrial Managed Ethernet Switches for extreme environments	• 1783-ZMS
Stratix® 2500 Lightly Managed Switches	• 1783-LMS
Stratix® 5900 Services Router	• 1783-SRKIT
Stratix® 5950 Security Appliance	• 1783-SAD
Stratix® 5100 Wireless Access Point/Workgroup Bridge	• 1783-WAP
PowerFlex® 523 Compact-Class AC Drives	• Bul. 25A
PowerFlex® 525 Compact-Class AC Drives	• Bul. 25B
PowerFlex® 4M Compact-Class AC Drives	• Bul. 22F
PowerFlex® 40 Compact-Class AC Drives	• Bul. 22B
PowerFlex® 40P Compact-Class AC Drives	• Bul. 22B
PowerFlex® 400 Compact-Class AC Drives	• Bul. 22C
PowerFlex® 70 Architecture-Class AC Drives	• Bul. 20A
PowerFlex® 700 Architecture-Class AC Drives	• Bul. 20B
PowerFlex® 700L Architecture-Class AC Drives	• Bul. 20L
PowerFlex® 700S Architecture-Class AC Drives	• Bul. 20D
ArmorStart® Distributed Motor Controllers	• Bul. 280 • Bul. 281 • Bul. 283 • Bul. 284
ArmorStart® LT Distributed Motor Controller	• Bul. 290 • Bul. 291 • Bul. 294
ArmorStart® ST Motor Controllers: Safety and Standard Versions	• Bul. 281E • Bul. 284E
Mega DySC® Three-Phase Voltage Sag Correction System	• Bul. 1608M
Mini DySC® Single-Phase Voltage Sag Correction	• Bul. 1608N
ProDySC® Three-Phase Voltage Sag Correction	• Bul. 1608P

UPDATE: Oct 01, 2018

A new BIOS was released to address the Meltdown and Spectre vulnerabilities that affect these specific series for the following products:

Product Family	Bul. #	Series with new BIOS
6181X Hazardous Location Computers	Bul. 6181X	Series H, All Versions
6181P Integrated Display Computers	Bul. 6181P	Series F, All Versions
6177R Non-Display Computers	Bul. 6177R	Series C, All Versions

The new BIOS is available for download in the Product Compatibility and Download Center (PCDC). To find the new BIOS, search for each individual catalog number and go to the download page for the corresponding series listed above. Note that there is only one BIOS version available on PCDC under each of these products; this BIOS version that is available is the updated version that addresses the Meltdown and Spectre vulnerabilities.

UPDATE: Jan 10, 2018

Industrial Data Center (IDC)
Rockwell Automation is currently working with its software and hardware partners that make up the E1000, E2000 and E3000 Industrial Data Center (IDC) solution to obtain appropriate patches and updates to address the "Meltdown" and "Spectre" vulnerabilities. Rockwell Automation will continue to monitor this situation and provide updates in Knowledgebase Article ID 1071279. For IDC customers with a monitoring and administration contract, please contact Tech Support for assistance with this issue.

Microsoft Patch Qualification
Microsoft has released guidance for Windows Client and Windows Server Operating Systems. As of this writing, the Rockwell Automation MS Patch Qualification team is currently executing their validation processes on security updates related to the "Meltdown" and "Spectre" vulnerabilities. When these tests have been successfully completed, the test results will be made available through the Rockwell Automation MS Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.

UPDATE: Feb 14, 2018

Rockwell Automation evaluated the performance of FactoryTalk® View Site Edition and FactoryTalk® View Point actions on Windows systems updated with the Microsoft Meltdown and Spectre updates. Many factors are involved in affecting the performance of systems with these mitigations; these can include but are not limited to the CPU version, the age of the operating system, and the burden of the workload on the system. In addition to the performance data provided below, customers may also find the Microsoft blog post Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems helpful, as it provides rough estimates on the performance impact as it relates to the class of CPU and the Windows operating system.

FactoryTalk View SE

Test Environment

Rockwell Automation:Test Setup Information
	Server Details	Client Details
OS	Windows Server 2008 R2 Standard SP1	Windows 7 Pro SP1
CPU	Intel E5-2699A v4 @ 2.4GHz, 1 socket, 4 cpus/socket	Intel E5-2699A v4 @ 2.4GHz, 1 socket, 4 cpus/socket
RAM	8GB	8GB
Tested Version	10.00.00.290	10.00.00.290
Microsoft Patches Installed	KB4056894: January Monthly Roll-up KB4056897: Security Only Update	KB4056894: January Monthly Roll-up KB4056897: Security Only Update

Test Results

Operating System	Test Case: Display Update Rate	Before Patch: Avg (seconds)	After Patch: Avg (seconds)	Change (%)
Windows 7 Pro SP1 x64	Load Display with 3000 numeric values (HMI tags)	1	1.1	10.000%
	Load Display with 3000 numeric values (Direct Reference tags)	1.4	1.2	-14.286%
	Load Display with 3000 animations	3	4.3	43.333%
	Download 3000 tags from recipe	17.9	23.5	31.285%
Windows 2008 R1 Std	Load Display with 3000 numeric values (HMI tags)	1.1	1.2	9.091%
	Load Display with 3000 numeric values (Direct Reference tags)	1.3	1.1	-15.385%
	Load Display with 3000 animations	3.3	4.4	33.333%
	Download 3000 tags from recipe	18.4	17.2	-6.522%

FactoryTalk ViewPoint

Test Environment

Rockwell Automation:Test Setup Information
	Server Details	Client Details
OS	Windows Server 2008 R2 Standard SP1 64-bit	Windows 7 Enterprise SP1 64-bit
CPU	Intel Xeon CPU E5-1607 v3 @3.10GHz	Intel Core i3-4150 CPU @3.50GHz
RAM	8GB	4GB
Browser	N/A	Chrome v63.0.3239.84
Tested Version	10.00.00.290	10.00.00.290
Microsoft Patches Installed	KB4056894: January Monthly Roll-up KB4056897: Security Only Update	KB4056894: January Monthly Roll-up KB4056897: Security Only Update

Test Results

Overview: Test Case	Details	Before Patch: Avg (seconds)	After Patch: Avg (seconds)	Change (%)
Switching displays, recording loading time for each display	Overview Display	2.78	2.85	2.518%
	Image Heavy Display	3.15	3.90	23.810%
	Data Heavy Display	2.18	2.51	15.138%
Recording 10,000 recipes downloading and refreshing time	Download 10,000 recipes	96.54	98.96	2.507%
Recording 10,000 recipes downloading and refreshing time	Refresh 10000 recipes	18.22	17.80	-2.305%
Color Animation Blinking Rate (Rate = 1 second)	Blink Rate (actual)	1.16	1.19	2.586%
Color Animation Blinking Rate (Rate = 0.5 second)	Blink Rate (actual)	0.71	0.77	8.451%
Recording time for 2000 Alarm Trigger	Recording Time for 2000 Alarm Trigger	10.38	10.57	1.830%
Rendering time for 1000 Tags	Rendering Time for 1000 Tags	2.29	2.45	6.987%

UPDATE: Feb 2, 2018

Knowledgebase Article ID 1071234 has been updated to include new patches for Windows 10 that have been qualified by the Rockwell Automation MS Patch Qualification team.

UPDATE: Jan 26, 2018

As of January 26, 2018, the Rockwell Automation MS Patch Qualification team has successfully qualified several Microsoft patches related to the "Meltdown" and "Spectre" vulnerabilities. For detailed and useful information about which qualified Microsoft patches to apply based on your Windows Operating System, please see Knowledgebase Article ID 1071234 under "Solution". Rockwell Automation will continue to test Microsoft patches related to "Meltdown" and "Spectre" and will update Knowledgebase Article ID 1071234 accordingly.

Note: Applying certain Microsoft patches released in early January have been found to cause anomalous behavior in several Rockwell software products, including Studio 5000, FactoryTalk View SE, and RSLinx Classic. If you have been experiencing software issues after installing a Microsoft update to patch "Meltdown" and "Spectre", and/or you would like to see a list of patches known to cause this irregular behavior, please see Knowledgebase Article ID 1071234.

Additionally, Rockwell Automation recommends:

Contact your PC/Server vendor for any associated firmware updates that may also be required to further reduce risk.
Before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to help ensure that there are no unexpected results or side effects.

Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, Knowledgebase Article ID 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring additional updates from both Microsoft and your PC/Server vendor(s).

GENERAL SECURITY GUIDELINES

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at Knowledgebase Article ID 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
01-Oct-2018	1.8	Update: Patches for Industrial PCs
14-Feb-2018	1.7	Update: FactoryTalk Software Performance Statistics
06-Feb-2018	1.6	Update: Affected Hardware Products Listed
02-Feb-2018	1.5	Update: Windows 10 Patch Qualification Information posted to Article ID 1071234.
26-Jan-2018	1.4	Update: Moved and clarified location for MS Patch Qualification details (Article ID 1071234).
23-Jan-2018	1.3	Update: Microsoft Patch Qualification for Windows 8.1, Windows Server 2012 R2 / Windows Server 2012 R2 SP1, and Windows Server 2016.
18-Jan-2018	1.2	Update: Microsoft Patch Qualification for Windows 7 and Windows Server 2008 R2.
10-Jan-2018	1.1	Update: Affected Products.
05-Jan-2018	1.0	Initial release.

KCS Status

Released

Critical

PN1037 | PN1037 | RSLinx Classic Heap and Buffer Overflow Vulnerabilities

Published Date:

September 20, 2018

Last Updated:

September 20, 2018

CVE IDs:

CVE-2018-14829, CVE-2018-14827, CVE-2018-14821

Products:

RSLinx Classic (Single Node

CVSS Scores:

7.5, 10.0, 8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

RSLinx Classic Heap and Buffer Overflow Vulnerabilities

Description

Version 1.0 - September 20, 2018

Rockwell Automation received reports regarding potential vulnerabilities in certain versions of RSLinx® Classic that, if successfully exploited, can cause memory corruption issues which may result in a crash of the software application (Denial of Service) or potentially allow the threat actor to execute arbitrary code on the target machine. One of these reports was received from Tenable, a cybersecurity software vendor. RSLinx® Classic is a software solution that allows Logix5000™ Programmable Automation Controllers to connect to a wide variety of Rockwell Software® applications, ranging from programming, data acquisition, configuration applications as well as those that interact with a human machine interface (HMI).

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

RSLinx Classic, v4.00.01 and earlier

VULNERABILITY DETAILS

Rockwell Automation received these reports from Tenable, a cybersecurity software vendor, and ICS-CERT, . The report from Tenable contained details regarding Vulnerability #1 and Vulnerability #2. The report from ICS-CERT contained details regarding Vulnerability #3.

Vulnerability #1: Stack Overflow

This vulnerability may allow a remote threat actor to intentionally send a malformed CIP packet to port 44818, causing the software application to stop responding and crash. This vulnerability also has the potential to exploit a buffer overflow condition, which may allow the threat actor to remotely execute arbitrary code.

CVE-2018-14829 has been assigned to his vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 10.0 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Vulnerability #2: Heap Overflow

This vulnerability may allow a remote, unauthenticated threat actor to intentionally send a malformed CIP packet to port 44818, causing the RSLinx Classic application to terminate. The user will need to manually restart the software to regain functionality.

CVE-2018-14821 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Vulnerability #3: Denial of Service

A remote, unauthenticated threat actor may intentionally send specially crafted Ethernet/IP packets to port 44818, causing the software application to stop responding and crash. The user must restart the software to regain functionality.

CVE-2018-14827 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected controllers are encouraged to update their software with an available patch that addresses the associated risk. Customers who are unable to implement a software patch are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Update products according to this table:

Product Family	Catalog Numbers	Suggested Actions
RSLinx Classic	9355-WABx	Currently, software patches have been released to address the following versions of RSLinx Classic. V3.60 V3.74 V3.80 V3.81 V3.90 V4.00.01 These patches can be found at Knowledgebase Article ID 1075712.

Customers may disable port 44818 in RSLinx Classic if it is not utilized during system operation. To disable port 44818, go to Options in RSLinx Classic. Then in the General tab of the Options pop-up, uncheck the option "Accept UDP Messages on Ethernet Port".
1. Port 44818 is needed only when a user wants to utilize unsolicited messages. To check if you are using unsolicited messages, go to the "DDE/OPC" dropdown in RSLinx Classic. Select Topic Configuration and then go to the "Data Collection" tab in the Topic Configuration pop-up. The "Unsolicited Messages" checkbox is marked, then port 44818 is being used in your application.
2. Note: In the next release of RSLinx Classic 4.10 or later, "Accept UDP Messages on Ethernet Port" checkbox is unchecked by default.
3. Note: Applying the patch will not change the state of the "Accept UDP Messages on Ethernet Port" setting.

GENERAL SECURITY GUIDELINES

Utilize proper network infrastructure controls, such as firewalls, to help ensure that EtherNet/IP traffic from unauthorized sources are blocked.
Consult the product documentation for specific features, such as a hardware keyswitch setting, to which may be used to block unauthorized changes, etc.
Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
20-Sept-2018	1.0	Initial Release

Attachments

File

RSLinxClassicVulnerabilities_v1.pdf

KCS Status

Released

PN715 | PN715 | Advisory on web search tools that identify ICS devices and systems connected to the Internet

Published Date:

September 20, 2018

Last Updated:

September 20, 2018

Products:

Ethernet/IP Connected Products

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Advisory on web search tools that identify ICS devices and systems connected to the Internet

Description

Version 1.1 - September 20, 2018

SUMMARY

This Industrial Security Advisory is intended to raise the awareness to control system owners and operators of increased risks that stem from publicly-available web search tools that identify Internet-connected devices. These types of tools and search utilities can be used for legitimate research purposes; however, they also bear a potential for misuse by threat actors seeking to gather added intelligence about prospective cyber targets.

Rockwell Automation recognizes the potential risk to any device connected in a network that is accessible by unauthorized people, whether the device is isolated within a protected facility or if it is accessible through a remote connection, including the Internet. We are aware that such Internet search tools have the ability to identify Rockwell Automation branded products that are connected, either intentionally or unintentionally by the device owners to the Internet. For this reason, recommendations to mitigate associated risks are provided herein.

BACKGROUND

Web-based tools, including SHODAN and the Every Routable IP Project (ERIPP) provide a means for users to discover information about networked devices that are either knowingly or unknowingly connected to the Internet. Such connected products include, but are not limited to: web servers, routers, webcams, smart phones, VoIP phones, printers and in some cases industrial control products.

The information collected by these search tools about these Internet-facing devices includes device IP addresses and can also include geographic location (i.e. country, city and approximate latitude/longitude), specific product identity information or user-added descriptors that can be learned through device fingerprinting techniques. Some of these tools also provide a means to both search and filter databases for devices that match specific user-defined search criteria.

POTENTIAL RISK to INDUSTRIAL CONTROL DEVICES and SYSTEMS

Many devices cataloged by these search tools have been designed and installed with the full knowledge they are directly connected to the Internet; however, other devices identified by these tools were not intended by the manufacturer, or potentially the device installer to ever carry a direct connection.

As with all networked device and systems, industrial control systems are at risk of both accidental and potentially malicious attacks. The availability of search tools that simplify the process of locating and identifying devices unintentionally connected to the Internet raises associated risk to these devices and systems. It is evident based on the device information that some of these devices and accompanying systems lack recommended security protections facilitated by good security design and infrastructure-level appliances (e.g. firewalls, SIEMs, and intrusion detection systems).

As a consequence, these types of devices and systems may not operate with obscurity and may become exposed to additional unintended risks. Information provided through search tools could aid a curious individual or malicious threat actor in device-tampering activities or even a penetration into the product or connected system in order to facilitate a cyberattack.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Whether or not Internet-facing industrial control devices are identified by these tools, Rockwell Automation encourages all industrial control system (ICS) owners and operators to follow good security design practices.

https://www.rockwellautomation.com/en_NA/capabilities/industrial-networks/technical-data/overview.page?

These practices must also include careful evaluation and monitoring of all industrial control system connection points to an enterprise system and external remote access connections enabled via modems or direct connections to the Internet.

We recommend concerned customers remain vigilant and continue to follow sound security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest customers apply some of the following recommendations and complement this list with their own best-practices:

Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
If appropriate for the application, isolate the Industrial Control System network from the Enterprise network and other points of potential remote network access.
Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
Use up to date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.
Make sure that software and control system device firmware is patched to current releases.
Periodically change passwords in control system components and infrastructure devices.
Where applicable, set the controller key-switch/mode-switch to RUN mode.
Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
20-SEP-2018	1.1	Updated to fix broken links
18-JUL-2012	1.0	Initial Release

Attachments

File

KB494865 Shodan Awareness.pdf

KCS Status

Released

Critical

PN1018 | PN1018 | FactoryTalk Activation Manager Vulnerabilities

Published Date:

July 20, 2018

Last Updated:

July 20, 2018

CVE IDs:

CVE-2017-13754, CVE-2015-8277

Products:

FactoryTalk Transaction Manager, Logix Designer, RSNetWorx, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, FactoryTalk Linx Gateway, FactoryTalk Metrics, FactoryTalk EnergyMetrix, RSLinx Classic (Single Node, RSLogix 5, FactoryTalk Activation, Studio 5000 View Designer, Logix Emulate, FactoryTalk AssetCentre, FactoryTalk Historian SE, RSLogix 500

CVSS Scores:

2.7, 9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

FactoryTalk Activation Manager Vulnerabilities

Description

Version 1.2 - July 20, 2018
Version 1.1 - May 29, 2018
Version 1.0 - April 12, 2018

Two vulnerabilities were discovered in components distributed with every installation of FactoryTalk® Activation Manager. FactoryTalk Activation Manager enables customers to manage licensed content and activate Rockwell software products. One vulnerability exists in certain versions of Wibu-Systems CodeMeter; the second vulnerability is in certain versions of Flexera Software FlexNet Publisher, both are license management software.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below, and include the applicable mitigations in their deployed products. Additional details relating to the vulnerability, including affected products and recommended countermeasures, are provided herein.

UPDATE: July 20, 2018
Cisco has released several Snort Rules to addressing the Flexera software vulnerability. See the Risk Mitigations and Recommended User Actions section for more details.

AFFECTED PRODUCTS

FactoryTalk Activation Manager v4.00.02 and v4.01

Includes Wibu-Systems CodeMeter v6.50b and earlier

FactoryTalk Activation Manager v4.00.02 and earlier

Includes FlexNet Publisher v11.11.1.1 and earlier

The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. Customers who recognize products from the following list are using FactoryTalk Activation Manager.

Arena®
Emonitor®
FactoryTalk® AssetCentre
FactoryTalk® Batch
FactoryTalk® EnergyMetrix™
FactoryTalk® eProcedure®
FactoryTalk® Gateway
FactoryTalk® Historian Site Edition (SE)
FactoryTalk® Historian Classic
FactoryTalk® Information Server
FactoryTalk® Metrics
FactoryTalk® Transaction Manager
FactoryTalk® VantagePoint®
FactoryTalk® View Machine Edition (ME)
FactoryTalk® View Site Edition (SE)
FactoryTalk® ViewPoint
RSFieldBus™
RSLinx® Classic
RSLogix 500®
RSLogix 5000®
RSLogix™ 5
RSLogix™ Emulate 5000
RSNetWorx™
RSView®32
SoftLogix™ 5800
Studio 5000 Architect®
Studio 5000 Logix Designer®
Studio 5000 View Designer®
Studio 5000® Logix Emulate™

VULNERABILITY DETAILS

Vulnerability #1: CodeMeter Cross-Site Scripting
A Cross-Site Scripting ("XSS") vulnerability was found in certain versions of Wibu-Systems CodeMeter that may allow local attackers to inject arbitrary web script or HTML via a specific field in a configuration file, potentially allowing the attacker to access sensitive information, or even rewrite the content of the HTML page.

CVE-2017-13754 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 2.7/10 has been assigned. For a better understanding of how this score was generated, please follow this link: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:N0/I:L/A:N

Vulnerability #2: FlexNet Publisher Remote Code Execution
A custom string copying function of Imgrd.exe (the license server manager in FlexNet Publisher) and flexsvr.exe does not use proper bounds checking on incoming data, potentially allowing a remote, unauthenticated user to send crafted messages with the intent of causing a buffer overflow.

CVE-2015-8277 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 9.8/10 has been assigned. For a better understanding of how this score was generated, please follow this link: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers with affected versions of CodeMeter and/or FlexNet Publisher that were installed with FactoryTalk Activation Manager are encouraged to review the table below for suggested actions that will address the risks associated with these vulnerabilities.

Currently Installed

Suggested Actions

FactoryTalk Activation Manager v4.01 and earlier

Update FactoryTalk Activation Manager to V4.02 and later.

If unable to update FactoryTalk Activation Manager to V4.02, update CodeMeter to the latest version of CodeMeter that is compatible with FactoryTalk Activation Manager.

For compatibility details about FactoryTalk Activation Manager, customers can consult the Product Compatibilty and Download Center (PCDC) Standard Views > Software Latest Versions > FactoryTalk Activation.

UPDATE: July 20, 2018
The following Snort rules can be applied to compatible IDS/IPS platforms to help mitigate the associated risk with the FlexNet Publisher vulnerability in FactoryTalk Activation:

Cisco has released Snort Rule 38246, Snort Rule 38247.
Cisco has released Snort Rule 39910.

Customers are encouraged, when possible, to combine the updates above with these general security guidelines to employ multiple strategies simultaneously.

GENERAL SECURITY GUIDELINES

Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https:rockwellautomation.custhelp.comappanswersdetaila_id546989.
Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

54102 - Industrial Security Advisory Index
Wibu Systems AG CodeMeter 6.50b - Persistent XSS Vulnerability (From SecurityFocus)
Flexera Software FlexNet Publisher lmgrd contains a buffer overflow vulnerability (From the Vulnerability Notes Database)
ICS-CERT Advisory (ICSA-18-102-02) Rockwell Automation FactoryTalk Activation Manager

REVISION HISTORY

Date	Version	Details
20-July-2018	1.2	Added Snort Rules for FlexNet Publisher
29-May-2018	1.1	ICS-CERT Advisory Link Added
12-Apr-2018	1.0	Initial Release

Attachments

File

KB-1073133_FTA_v1.2.pdf

KCS Status

Released

High

PN1026 | PN1026 | RSLinx Classic and FactoryTalk Linx Gateway Privilege Escalation through Unquoted Service Path

Published Date:

June 07, 2018

Last Updated:

June 07, 2018

CVE IDs:

CVE-2018-10619

Products:

FactoryTalk Linx Gateway, RSLinx Classic (Single Node

CVSS Scores:

8.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

RSLinx Classic and FactoryTalk Linx Gateway Privilege Escalation through Unquoted Service Path

Description

Version 1.0 - June 07, 2018

An unquoted service path privilege escalation vulnerability is a known and documented vulnerability that affects all versions of Windows that support spaces in file path names. Rockwell Automation® received a report from Gjoko Krstic of Zero Science Lab that certain versions of RSLinx® Classic and FactoryTalk® Linx™ Gateway (previously known as FactoryTalk Gateway) are potentially susceptible to this vulnerability. RSLinx Classic is two software solutions that allow Logix5000™ Programmable Automation Controllers to connect to a wide variety of Rockwell Software® applications, ranging from programming, data acquisition, configuration applications as well as those that interact with a Human-Machine Interface (HMI). FactoryTalk Linx Gateway is software that provides an OPC UA server interface to allow the delivery of information from Rockwell Software applications to Allen-Bradley controllers.

Rockwell Automation has provided a software update containing the remediation for this vulnerability. For previous versions of this software, a series of steps to mitigate this vulnerability have been provided. Further details about this vulnerability, as well as recommended countermeasures, are contained below.

AFFECTED PRODUCTS

RSLinx Classic, V3.90.01 and earlier
FactoryTalk Linx Gateway, V3.90.00 and earlier

VULNERABILITY DETAILS

Successful exploitation of this vulnerability could potentially allow an authorized, but non-privileged local user to execute arbitrary code of the threat actor’s choosing on the affected workstation. This vulnerability could also potentially allow a threat actor to escalate user privileges on the affected workstation. A well-defined service path enables Windows to easily find the path to a service by containing the path within quotation marks. Without quotation marks, any whitespace in the file path remains ambiguous, and the threat actor could drop a malicious executable once an unquoted service path is discovered.

CVE-2018-10619 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.8/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected versions of RSLinx Classic, FactoryTalk Linx and/or FactoryTalk Gateway OPC are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family	Catalog Numbers	Suggested Actions
RSLinx Classic	9355-WABx	Update to v4.00.01 or later (Download)
FactoryTalk Linx Gateway	9355-LNXGWxxxENx 9355-OPDxxxxLENx 9355-OPDxxxxENx	Update to FactoryTalk Linx Gateway v6.00.00 or later (Download)

If unable to upgrade to the latest version visit Knowledgebase Article ID 939382, which describes how to identify whether or not your service path contains spaces (i.e. is vulnerable); how to manually address this vulnerability through a registry edit; and describes the process of implementing these edits.
Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https:rockwellautomation.custhelp.comappanswersdetaila_id546989.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

GENERAL SECURITY GUIDELINES

Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in Knowledgebase Article ID 546987.
Use trusted software, software patches, anti-virus / anti-malware programs, and interact only with trusted web sites and attachments.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
07-June-2018	1.0	Initial release.

KCS Status

Released

Medium

PN1024 | PN1024 | Arena Simulation Software Denial of Service

Published Date:

May 10, 2018

Last Updated:

May 10, 2018

Products:

Arena

CVSS Scores:

5.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Arena Simulation Software Denial of Service

Description

Version 1.0 – May 10, 2018

Rockwell Automation received a report from Ariele Caltabiano at Zero Day Initiative regarding a potential vulnerability in certain versions of Arena® Simulation Software for Manufacturing that, if successfully exploited, can cause a crash of the software application (Denial of Service) and cause a user to potentially lose unsaved data. Arena is a simulation software that helps customers analyze business ideas, rules, and strategies before real-life implementation in their business and control systems.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and implement the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

Arena Simulation Software for Manufacturing, Cat. 9502-Ax, Versions 15.10.00 and earlier

VULNERABILITY DETAILS

If a maliciously crafted Arena file (meaning the content of the file is invalid, unexpected, and/or random) is sent to an unsuspecting victim who is tricked (via social-engineering techniques) into opening the file in Arena, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena to continue use.

Note: There are also valid reasons why a file may not open in Arena. To learn more about these circumstances, please see Article ID 1073702.

Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 5.5/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

RISK MITIGATIONS AND RECOMMENDED USER ACTIONS

Customers using the affected versions of Arena are encouraged to install the updated revision of software that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below, and are encouraged, when possible, to combine these with secondary mitigations.

Customers using Arena v15.00.00 or earlier are encouraged to update Arena to v15.10.01 or later (Download).
Do not open untrusted .doe files with Arena Simulation Software.
Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.
Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

54102 - Industrial Security Advisory Index

REVISION HISTORY

Date	Version	Details
10-May-2018	1.0	Initial release.

KCS Status

Released

Critical

PN1019 | PN1019 | Stratix 5400/5410/5700/8000 Denial of Service and Remote Code Execution Vulnerabilities

Published Date:

April 16, 2018

Last Updated:

April 16, 2018

CVE IDs:

CVE-2018-0174, CVE-2018-0171, CVE-2018-0167, CVE-2018-0175, CVE-2018-0173, CVE-2018-0172, CVE-2018-0158, CVE-2018-0156

Products:

ArmorStratix 5700 Managed Switch, Stratix 8000 Modular Managed Switch, Stratix 5700 Managed Switch, Stratix 5400 Industrial Ethernet Switch, Stratix 5410 Ind Distribution Switch

CVSS Scores:

8.8, 9.8, 8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Stratix 5400/5410/5700/8000 Denial of Service and Remote Code Execution Vulnerabilities

Description

Version 1.0 - April 16, 2018

On March 28, 2018, Cisco released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included twenty security advisories detailing twenty-two vulnerabilities. Contained in these advisories are eight vulnerabilities that impact Allen-Bradley Stratix® and ArmorStratix™ products.

These discovered vulnerabilities are remotely exploitable and may allow threat actors impact the availability, confidentiality, and/or integrity of the vulnerable modules if successfully exploited. Other attacks exploiting these various vulnerabilities can result in memory exhaustion, module restart, information corruption, and information exposure.

Customers using affected versions of this software are encouraged to review the available mitigation information on updating to the latest software versions that contain remediation. Additional vulnerability-related details, including affected products and recommended mitigations, are provided below.

AFFECTED PRODUCTS

Allen-Bradley Stratix 5400 Industrial Ethernet Switches, versions 15.2(6)E0a and earlier
Allen-Bradley Stratix 5410 Industrial Distribution Switches, versions 15.2(6)E0a and earlier
Allen-Bradley Stratix 5700 Industrial Managed Ethernet Switches, versions 15.2(6)E0a and earlier
Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches, versions 15.2(6)E0a and earlier
Allen-Bradley ArmorStratix 5700 Industrial Managed Ethernet Switches for extreme environments, versions 15.2(6)E0a and earlier

Updates for all affected products are now available, and linked in the table provided. Stratix product firmware versions not listed above are not affected by these vulnerabilities.

VULNERABILITY DETAILS

Vulnerability #1: Smart Install Remote Code Execution
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.

The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts:

Triggering a reload of the device
Allowing the attacker to execute arbitrary code on the device
Causing an indefinite loop on the affected device that triggers a watchdog crash

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2.

A Common Vulnerabilities and Exposures ("CVE") ID has been assigned to this vulnerability:
CVE-2018-0171 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Vulnerability #2: Smart Install Denial of Service Vulnerability
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted packet to an affected device on TCP port 4786.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi.

CVE-2018-0156 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #3: DHCP Version 4 Relay Denial of Service
A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software performs incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr3.

CVE-2018-0174 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #4: DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability
A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software performs incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device. A successful exploit could allow the attacker to cause a heap overflow condition on the affected device, which will cause the device to reload and result in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr1.

CVE-2018-0172 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #5: DHCP Version 4 Relay Reply Denial of Service Vulnerability
A vulnerability in the Cisco IOS Software and Cisco IOS XE Software function that restores encapsulated option 82 information in DHCP Version 4 (DHCPv4) packets could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software performs incomplete input validation of encapsulated option 82 information that it receives in DHCPOFFER messages from DHCPv4 servers. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device, which the device would then forward to a DHCPv4 server. When the affected software processes the option 82 information that is encapsulated in the response from the server, an error could occur. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr2.

CVE-2018-0173 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #6: Internet Key Exchange Memory Leak Vulnerability
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak or a reload of an affected device that leads to a denial of service (DoS) condition.

The vulnerability is due to incorrect processing of certain IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device to be processed. A successful exploit could cause an affected device to continuously consume memory and eventually reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike.

CVE-2018-0158 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #7 and #8: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities
Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on an affected device.

Link Layer Discovery Protocol Buffer Overflow Vulnerability

A vulnerability in the LLDP subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.

Link Layer Discovery Protocol Format String Vulnerability

A vulnerability in the LLDP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp.

CVE-2018-0167 and CVE-2018-0175 have been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned to these vulnerabilities; the CVSS v3 vector string is CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using affected versions of these Stratix products are encouraged to update to the latest available software versions addressing the associated risk, and including improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies specific to these types of attacks are similarly recommended, like those listed below. When possible, multiple strategies should be implemented simultaneously.

Update the affected products per the table below:

Product Family	Affected Versions	Updates Available
Stratix 5400 Industrial Ethernet Switches	15.2(6)E0a and earlier	Apply FRN 15.2(6)E1 or later (Download)
Stratix 5410 Industrial Distribution Switches	15.2(6)E0a and earlier	Apply FRN 15.2(6)E1 or later (Download)
Stratix 5700 Industrial Managed Ethernet Switches	15.2(6)E0a and earlier	Apply FRN 15.2(6)E1 or later (Download)
Stratix 8000 Modular Managed Ethernet Switches	15.2(6)E0a and earlier	Apply FRN 15.2(6)E1 or later (Download)
ArmorStratix 5700 Industrial Managed Ethernet Switches	15.2(6)E0a and earlier	Apply FRN 15.2(6)E1 or later (Download)

Cisco has offered additional information and mitigations for these vulnerabilities that are applicable. Where possible these can be applied alongside the upgrade in software version (above) to further mitigate risk of exposure.

Vulnerability	Workaround (if available)	Other Notes
#1: Smart Install Remote Code Execution Vulnerability	There are no workarounds that address this vulnerability.	Cisco has released Snort Rule 46096 and Snort Rule 46097. See "Smart Install Notes" below for additional Smart Install information/recommendations.
#2: Smart Install Denial of Service Vulnerability	There are no workarounds that address this vulnerability.	Cisco has released Snort Rule 41725. See "Smart Install Notes" below for additional Smart Install information/recommendations.
#3: DHCP Version 4 Relay Denial of Service Vulnerability	There are no workarounds that address this vulnerability.	Cisco has released Snort Rule 46120.
#4: DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability	There are no workarounds that address this vulnerability.	Cisco has released Snort Rule 46104.
#5: DHCP Version 4 Relay Reply Denial of Service Vulnerability	There are no workarounds that address this vulnerability.	Cisco has released Snort Rule 46119.
#6: Internet Key Exchange Memory Leak Vulnerability	There are no workarounds that address this vulnerability.	Cisco has released Snort Rule 46110.
#7 and #8: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities	There are no workarounds that address this vulnerability.	N/A

Smart Install Notes: For the Smart Install vulnerabilities (#1 and #2):

Smart Install is turned off by express setup, however upgraded switches but not re-setup may have it enabled.
Disable the Smart Install feature with the no vstack configuration command if it is not needed or once setup is complete.
Customers who do use the feature - and need to leave it enabled - can use ACLs to block incoming traffic on TCP port 4786.

GENERAL SECURITY GUIDELINES

Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security).

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
16-Apr-2018	1.0	Initial Release

KCS Status

Released

Critical

PN1020 | PN1020 | Stratix 5900 Denial of Service and Remote Code Execution Vulnerabilities

Published Date:

April 16, 2018

Last Updated:

April 16, 2018

CVE IDs:

CVE-2018-0151, CVE-2018-0175, CVE-2018-0167, CVE-2018-0158

Products:

Stratix 5900 Services Router

CVSS Scores:

8.8, 9.8, 8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Stratix 5900 Denial of Service and Remote Code Execution Vulnerabilities

Description

Version 1.0 - April 16, 2018

On March 28, 2018 Cisco released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included twenty security advisories detailing twenty-two vulnerabilities. Contained in these advisories are eight vulnerabilities that impact Allen-Bradley® Stratix® and ArmorStratix™ products.

These discovered vulnerabilities are remotely exploitable and may allow threat actors impact the availability, confidentiality, and/or integrity of the vulnerable modules if successfully exploited. Other attacks exploiting these various vulnerabilities can result in memory exhaustion, module restart, information corruption, and information exposure.

Customers using affected versions of this software are encouraged to review the available mitigation information on updating to the latest software versions that contain remediation. Additional vulnerability-related details, including affected products and recommended mitigations, are provided below.

AFFECTED PRODUCTS

Allen-Bradley Stratix 5900 Services Router, version 15.6.3M1 and earlier

VULNERABILITY DETAILS

Vulnerability #1: Internet Key Exchange Memory Leak Vulnerability
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a memory leak or a reload of an affected device that leads to a denial of service (DoS) condition.

The vulnerability is due to incorrect processing of certain IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device to be processed. A successful exploit could cause an affected device to continuously consume memory and eventually reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-ike.

CVE-2018-0158 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #2: Quality of Service Remote Code Execution Vulnerability
A vulnerability in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges.

The vulnerability is due to incorrect bounds checking of certain values in packets that are destined for UDP port 18999 of an affected device. An attacker could exploit this vulnerability by sending malicious packets to an affected device. When the packets are processed, an exploitable buffer overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code on the affected device with elevated privileges. The attacker could also leverage this vulnerability to cause the device to reload, causing a temporary DoS condition while the device is reloading.

The malicious packets must be destined to and processed by an affected device. Traffic transiting a device will not trigger the vulnerability.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-qos.

CVE-2018-0151 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Vulnerability #3 and #4: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities
Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on an affected device.

Link Layer Discovery Protocol Buffer Overflow Vulnerability

A vulnerability in the LLDP subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.

Link Layer Discovery Protocol Format String Vulnerability

A vulnerability in the LLDP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp.

CVE-2018-0167 and CVE-2018-0175 have been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned to these vulnerabilities; the CVSS v3 vector string is CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using affected versions of these Stratix products are encouraged to review and apply available mitigations to address the associated risk, and including improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies specific to these types of attacks are similarly recommended, like those listed below. When possible, multiple strategies should be implemented simultaneously.

Cisco has offered the following information and mitigations for these vulnerabilities that are applicable.

Vulnerability	Workaround (if applicable)	Other Notes
#1: Internet Key Exchange Memory Leak Vulnerability	There are no workarounds that address this vulnerability.	Cisco has released Snort Rule 46110.
#2: Quality of Service Remote Code Execution Vulnerability	Customers who do not use the Adaptive QoS for DMVPN feature can deny all traffic destined to UDP port 18999 on an affected device by using a Control Plane Policing (CoPP) policy similar to the following: ACL for CoPP Undesirable UDP class-map access-list 199 permit udp any any eq 18999 CoPP Undesirable UDP class-map class-map match-all undesirable-udp match access-group 199 Undesirable UDP Policy Map policy-map drop-udp class undesirable-udp drop Apply Undesirable UDP policy Map control-plane service-policy input drop-udp If the Adaptive QoS for DMVPN feature is later configured, the device must be upgraded to an unaffected release of Cisco IOS Software or Cisco IOS XE Software and the CoPP policy must be removed.	Cisco has released Snort Rule 46111.
#3 and #4: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities	There are no workarounds that address these vulnerabilities.	N/A

GENERAL SECURITY GUIDELINES

Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security).

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
16-Apr-2018	1.0	Initial Release

KCS Status

Released

Critical

PN1021 | PN1021 | Stratix 8300 Denial of Service and Remote Code Execution Vulnerabilities

Published Date:

April 16, 2018

Last Updated:

April 16, 2018

CVE IDs:

CVE-2018-0174, CVE-2018-0171, CVE-2018-0167, CVE-2018-0175, CVE-2018-0173, CVE-2018-0172, CVE-2018-0155, CVE-2018-0156

Products:

Stratix 8300 L3 Modular Managed Switch

CVSS Scores:

8.8, 9.8, 8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Stratix 8300 Denial of Service and Remote Code Execution Vulnerabilities

Description

Version 1.0 - April 16, 2018

On March 28, 2018 Cisco released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included twenty security advisories detailing twenty-two vulnerabilities. Contained in these advisories are eight vulnerabilities that impact Allen-Bradley Stratix® and ArmorStratix™ products.

These discovered vulnerabilities are remotely exploitable and may allow threat actors impact the availability, confidentiality, and/or integrity of the vulnerable modules if successfully exploited. Other attacks exploiting these various vulnerabilities can result in memory exhaustion, module restart, information corruption, and information exposure.

Customers using affected versions of this software are encouraged to review the available mitigation information on updating to the latest software versions that contain remediation. Additional vulnerability-related details, including affected products and recommended mitigations, are provided below.

AFFECTED PRODUCTS

Allen-Bradley Stratix 8300 Industrial Managed Ethernet Switches, versions 15.2(4a)EA5 and earlier

VULNERABILITY DETAILS

Vulnerability #1: Smart Install Remote Code Execution
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device.

The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786. A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts:

Triggering a reload of the device
Allowing the attacker to execute arbitrary code on the device
Causing an indefinite loop on the affected device that triggers a watchdog crash

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2.

A Common Vulnerabilities and Exposures ("CVE") ID has been assigned to this vulnerability:
CVE-2018-0171 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Vulnerability #2: Smart Install Denial of Service Vulnerability
A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted packet to an affected device on TCP port 4786.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi.

CVE-2018-0156 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #3: Bidirectional Forwarding Detection Denial of Service Vulnerability
A vulnerability in the Bidirectional Forwarding Detection (BFD) offload implementation could allow an unauthenticated, remote attacker to cause a crash of the iosd process, causing a denial of service (DoS) condition.

The vulnerability is due to insufficient error handling when the BFD header in a BFD packet is incomplete. An attacker could exploit this vulnerability by sending a crafted BFD message to or across an affected switch. A successful exploit could allow the attacker to trigger a reload of the system.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-bfd.

CVE-2018-0155 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #4: DHCP Version 4 Relay Denial of Service
A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software performs incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr3.

CVE-2018-0174 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #5: DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability
A vulnerability in the DHCP option 82 encapsulation functionality of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software performs incomplete input validation of option 82 information that it receives in DHCP Version 4 (DHCPv4) packets from DHCP relay agents. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device. A successful exploit could allow the attacker to cause a heap overflow condition on the affected device, which will cause the device to reload and result in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr1.

CVE-2018-0172 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #6: DHCP Version 4 Relay Reply Denial of Service Vulnerability
A vulnerability in the Cisco IOS Software and Cisco IOS XE Software function that restores encapsulated option 82 information in DHCP Version 4 (DHCPv4) packets could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software performs incomplete input validation of encapsulated option 82 information that it receives in DHCPOFFER messages from DHCPv4 servers. An attacker could exploit this vulnerability by sending a crafted DHCPv4 packet to an affected device, which the device would then forward to a DHCPv4 server. When the affected software processes the option 82 information that is encapsulated in the response from the server, an error could occur. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-dhcpr2.

CVE-2018-0173 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #7 and #8: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities
Multiple vulnerabilities in the Link Layer Discovery Protocol (LLDP) subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges on an affected device.

Link Layer Discovery Protocol Buffer Overflow Vulnerability

A vulnerability in the LLDP subsystem of Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.

Link Layer Discovery Protocol Format String Vulnerability

A vulnerability in the LLDP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an adjacent, unauthenticated attacker to cause a DoS condition or execute arbitrary code with elevated privileges.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp.

CVE-2018-0167 and CVE-2018-0175 have been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned to these vulnerabilities; the CVSS v3 vector string is CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using affected versions of these Stratix products are encouraged to review and apply available mitigations to address the associated risk, and including improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies specific to these types of attacks are similarly recommended, like those listed below. When possible, multiple strategies should be implemented simultaneously.

Cisco has offered the following information and mitigations for these vulnerabilities that are applicable.

Vulnerability	Workaround (if available)	Other Notes
#1: Smart Install Remote Code Execution Vulnerability	There are no workarounds that address this vulnerability.	Cisco has released Snort Rule 46096 and Snort Rule 46097. See "Smart Install Notes" below for additional Smart Install information/recommendations.
#2: Smart Install Denial of Service Vulnerability	There are no workarounds that address this vulnerability.	Cisco has released Snort Rule 41725. See "Smart Install Notes" below for additional Smart Install information/recommendations.
#3: Bidirectional Forwarding Detection (BFD) Denial of Service Vulnerability	There are no workarounds that address this vulnerability.	Administrators who do not use the BFD feature in their environments can disable the BFD feature by using the feature bfd disable command in global configuration mode to prevent exploitation of this vulnerability. Administrators who do use the BFD feature can implement Control Plane Policing (CoPP) to allow processing of BFD packets from known BFD peers only and drop all other BFD traffic to limit exposure.
#4: DHCP Version 4 Relay Denial of Service Vulnerability	There are no workarounds that address this vulnerability.	Cisco has released Snort Rule 46120.
#5: DHCP Version 4 Relay Heap Overflow Denial of Service Vulnerability	There are no workarounds that address this vulnerability.	Cisco has released Snort Rule 46104.
#6: DHCP Version 4 Relay Reply Denial of Service Vulnerability	There are no workarounds that address this vulnerability.	Cisco has released Snort Rule 46119.
#7 and #8: Link Layer Discovery Protocol Buffer Overflow Vulnerabilities	There are no workarounds that address this vulnerability.	N/A

Smart Install Notes: For the Smart Install vulnerabilities (#1 and #2):

Smart Install is turned off by express setup, however upgraded switches but not re-setup may have it enabled.
Disable the Smart Install feature with the no vstack configuration command if it is not needed or once setup is complete.
Customers who do use the feature - and need to leave it enabled - can use ACLs to block incoming traffic on TCP port 4786.

GENERAL SECURITY GUIDELINES

Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site (https://rok.auto/security).

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
16-Apr-2018	1.0	Initial Release

KCS Status

Released

High

PN1015 | PN1015 | MicroLogix Controller Vulnerabilities

Published Date:

March 28, 2018

Last Updated:

March 28, 2018

CVE IDs:

CVE-2017-12093, CVE-2017-14471, CVE-2017-14467, CVE-2017-14472, CVE-2017-14473, CVE-2017-14462, CVE-2017-14468, CVE-2017-14463, CVE-2017-14466, CVE-2017-12092, CVE-2017-12090, CVE-2017-14465, CVE-2017-14470, CVE-2017-12089, CVE-2017-14469, CVE-2017-12088, CVE-2017-14464

Products:

MicroLogix 1401

CVSS Scores:

3.7, 6.8, 6.3, 8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

MicroLogix Controller Vulnerabilities

Description

Version 1.0 - March 28, 2018

Jared Rittle and Patrick DeSantis of Cisco Talos, Cisco Systems, Inc.’s ("Cisco") security intelligence and research group contacted Rockwell Automation with a report detailing several vulnerabilities in the MicroLogix 1400™ controller family that, if successfully exploited, can have impacts ranging from Denial of Service to potential information disclosure.

Rockwell Automation has evaluated the contents of the researcher’s report and produced this disclosure, which provides details relating to these vulnerabilities and recommended countermeasures.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

Product	Catalog Numbers	Affected Versions
MicroLogix 1400	1766-Lxxx	FRN 21.003 and earlier
MicroLogix 1100	1763-Lxxx	FRN 16.00 and earlier

VULNERABILITY DETAILS

The report from Cisco Talos contained six potential vulnerabilities. Rockwell Automation evaluated all six reported issues and provided fixes and/or mitigations after confirming the first five vulnerabilities. The sixth reported issue is listed below, however, Rockwell Automation has determined that this feature works as intended. Additional details are provided below.

Vulnerability #1: Denial of Service via Ethernet Functionality
A remote, unauthenticated attacker could potentially send a specially crafted packet to the Ethernet port of an affected controller, which puts the device in a fault state, and potentially deleting ladder logic.

CVE-2017-12088 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #2: Denial of Service via Download Functionality
A remote, unauthenticated attacker could send a specially crafted packet to the controller during the standard download process. Without the proper packet to indicate download completion, the controller freezes in the download state for one minute before entering the fault state.

CVE-2017-12089 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 6.8/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #3: Denial of Service - SNMP-set request
A specially crafted SNMP-set request, when sent without associated SNMP-set commands for firmware flashing, can cause the device to power cycle resulting in downtime for the device. An attacker can send one packet to trigger this vulnerability.

CVE-2017-12090 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 6.3/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #4: Access Control Vulnerabilities
A remote, unauthenticated attacker could send a specially crafted packet to the affected device and utilize read or write operations that could result in several potential impacts, ranging from disclosure of sensitive information, modification of settings, or ladder logic modification.

Potential implications as a result of the vulnerability are listed below; each situation was reported to us by Cisco Talos and has been addressed by Rockwell Automation.

Item #	Summary of Situation	CVE-2017-XXXX
4a	Modification of Communication Protocols and Network Configuration	CVE-2017-14462
4b	Overwriting the PLC Ladder Logic	CVE-2017-14463
4c	Memory Module mismatch Fault	CVE-2017-14464
4d	Forcing PLC I/O	CVE-2017-14465
4e	Writing and Clearing Master Password (See **)	CVE-2017-14466
4f	Perform online edits to ladder logic	CVE-2017-14467
4g	Trigger the PLC to load program from Electrically Erasable Programmable Read-Only Memory (EEPROM)	CVE-2017-14468
4h	Setting an invalid value for the user fault routine	CVE-2017-14469
4i	Setting float elements to invalid values	CVE-2017-14470
4j	Setting fault bits in specific function files to cause a Denial of Service	CVE-2017-14471
4k	Reading Master Password (See **)	CVE-2017-14472
4l	Reading Master Ladder Logic	CVE-2017-14473

** Master Password not supported when using RSLogix 500 v11 and later with a MicroLogix 1400 controller flashed to FRN 21.002 or later.

Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 10/10 has been assigned overall. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Vulnerability #5: File-Write vulnerability in Memory Module
A memory module installed in a MicroLogix controller that allows a user to instruct the controller to write its program to the module without authentication. The memory module is a back-up, but can also be used to load programs once an error occurs, and has the ability to load the program every time the device powers on.

CVE-2017-12092 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 3.7/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N.

Reported Issue #6: Malicious Register Session Packets lead to Communication Loss
The MicroLogix 1400 controller supports ten active sessions at a time. The issue describes a scenario where a malicious user sends their own Register Session packets in order create their own connection to the controller, preventing valid users from accessing the PLC. However, when there are ten existing connections to the controller and another Register Session packet is sent, the oldest connection will be disconnected. The user whose online session has been disconnected receives the normal communication loss alert, upon which they can choose to reconnect.

CVE-2017-12093 has been assigned to this vulnerability by Cisco Talos. While evaluating this issue as a potential vulnerability, Cisco Talos assigned a CVSS v3.0 score of 5.3/10. For details, please follow the link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

RISK MITIGATION and RECOMMENDED USER ACTIONS

Customers using the affected controllers are strongly encouraged to update to an available firmware revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Update the affected products per the table below:

Vulnerability	Product Family	Catalog Number	Hardware Series	Suggested Actions
#1: DoS via Ethernet Functionality	MicroLogix 1400	1766-Lxxx	Series B or C	Apply FRN 21.004 or later
	MicroLogix 1400	1766-Lxxx	Series A	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
#2: DoS via Download Functionality	MicroLogix 1400	1766-Lxxx	Series B or C	Set keyswitch to Hard Run to block any unauthorized changes Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
	MicroLogix 1400	1766-Lxxx	Series A	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
#3: DoS via SNMP-set request	MicroLogix 1400	1766-Lxxx	Series B or C	Set keyswitch to Hard Run to block any unauthorized changes Disable the SNMP service on this product. The SNMP service is enabled by default. See Page 128 in the MicroLogix 1400 Programmable Controllers User Manual Publication 1766-UM001 for detailed instructions on enabling and disabling SNMP
	MicroLogix 1400	1766-Lxxx	Series A	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Vulnerability Not Applicable: MicroLogix 1100 does not support SNMP
#4a: Modification of Communication Protocol / Network Configuration	MicroLogix 1400	1766-Lxxx	Series B or C	Apply FRN 21.004 or later, then set the keyswitch to Hard Run to block any unauthorized changes
	MicroLogix 1400	1766-Lxxx	Series A	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
#4b: Overwriting Large Ladder Logic	MicroLogix 1400	1766-Lxxx	Series B or C	Set keyswitch to Hard Run to block any unauthorized changes Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
	MicroLogix 1400	1766-Lxxx	Series A	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
#4c: Memory Module Mismatch	MicroLogix 1400	1766-Lxxx	Series B or C	Set keyswitch to Hard Run to block any unauthorized changes Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
	MicroLogix 1400	1766-Lxxx	Series A	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
#4d: Forcing PLC I/O	MicroLogix 1400	1766-Lxxx	Series B or C	Apply FRN 21.004 or later, then set the keyswitch to Hard Run to block any unauthorized changes
	MicroLogix 1400	1766-Lxxx	Series A	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
#4e: Writing and Clearing Master Password	MicroLogix 1400	1766-Lxxx	Series B or C	Apply FRN 21.002 or later
	MicroLogix 1400	1766-Lxxx	Series A	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
#4f: Perform online edits to ladder logic	MicroLogix 1400	1766-Lxxx	Series B or C	Set keyswitch to Hard Run to block any unauthorized changes Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
	MicroLogix 1400	1766-Lxxx	Series A	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
#4g: Tigger PLC program load from EEPROM	MicroLogix 1400	1766-Lxxx	Series B or C	Set keyswitch to Hard Run to block any unauthorized changes Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
	MicroLogix 1400	1766-Lxxx	Series A	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
#4h: Setting an invalid value to fault routine	MicroLogix 1400	1766-Lxxx	Series B or C	Set keyswitch to Hard Run to block any unauthorized changes Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
	MicroLogix 1400	1766-Lxxx	Series A	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
	MicroLogix 1400	1763-Lxxx	All Series	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
#4i: Setting float elements to invalid values	MicroLogix 1400	1766-Lxxx	Series B or C	Apply FRN 21.004 or later
	MicroLogix 1400	1766-Lxxx	Series A	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
#4j: Setting fault bits in function file causes DoS	MicroLogix 1400	1766-Lxxx	Series B or C	Set keyswitch to Hard Run to block any unauthorized changes Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
	MicroLogix 1400	1766-Lxxx	Series A	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
#4k: Reading Master Password	MicroLogix 1400	1766-Lxxx	Series B or C	Apply FRN 21.002 or later
	MicroLogix 1400	1766-Lxxx	Series A	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
#4l: Reading Master Ladder Logic	MicroLogix 1400	1766-Lxxx	Series B or C	Apply FRN 21.004 or later, then set the keyswitch to Hard Run to block any unauthorized changes Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
	MicroLogix 1400	1766-Lxxx	Series A	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Migrate to MicroLogix 1400 Series B or C See NOTE for migration information
#5: File-Write in Memory Module	MicroLogix 1400	1766-Lxxx	Series B or C	Set keyswitch to Hard Run to block any unauthorized changes Use FRN v21.xxx with RSLogix500 v11 for Enhanced Password Protection
	MicroLogix 1400	1766-Lxxx	Series A	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
	MicroLogix 1100	1763-Lxxx	All Series	Set keyswitch to Hard Run to block any unauthorized changes See NOTE for migration information
#6: Communications Loss	MicroLogix 1400	1766-Lxxx	Series B or C	Functions as intended
	MicroLogix 1400	1766-Lxxx	Series A	Functions as intended
	MicroLogix 1100	1763-Lxxx	All Series	Functions as intended

Note: In addition, customers using affected versions of MicroLogix 1100 or MicroLogix 1400 Series A are urged to contact their local distributor or Sales Office in order to upgrade their devices to a newer product line.

Cisco Talos has created the following Snort rules (SIDs): 44424, 44425, 44426, 44427, 44428, and 44429 to detect exploits utilizing these vulnerabilities, which can be used on Stratix 5950 Security Appliances positioned appropriately within your network architecture to provide enhanced visibility. The Snort rules (SIDs) are not in the standard curated rule sets and must be enabled manually.
If not using external communications, block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to specific ports using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® Products, see Knowledgebase Article ID 898270.
Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. See 496391 - Blocking SNMP for more information on blocking access to SNMP services.

GENERAL SECURITY GUIDELINES

Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
28-Mar-2018	1.0	Initial Release

KCS Status

Released

High

PN1010 | PN1010 | MicroLogix 1400 Modbus TCP Buffer Overflow Denial of Service

Published Date:

December 22, 2017

Last Updated:

December 22, 2017

Products:

MicroLogix 1400

CVSS Scores:

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

MicroLogix 1400 Modbus TCP Buffer Overflow Denial of Service

Description

Version 1.0 -December 22, 2017

Thiago Alves, from the Center for Cybersecurity Researcher and Education at the University of Alabama, Huntsville contacted Rockwell Automation with a report detailing a potential vulnerability in the MicroLogix™ controller family that, if successfully exploited, could cause the controller to become unresponsive to Modbus TCP communications, and could potentially cause the controller to fault. Rockwell Automation has determined that several versions of the MicroLogix™ 1400 controller are affected by this vulnerability.

MicroLogix™ is a family of Programmable Logic Controllers ("PLC") used to control processes across several sectors, including Food and Agriculture; Critical Infrastructure; as well as Water and Wastewater Systems.

Customers using affected versions of this device are encouraged to evaluate the details of the vulnerability below as it applies to their specific device implementation, as well as to implement any applicable mitigations to their deployed products. Additional details relating to the vulnerability are provided herein.

AFFECTED PRODUCTS

MicroLogix 1400 Controllers, Series B and C
Versions 21.002 and earlier

This includes the following catalogs:

1766-L32AWA
1766-L32AWAA
1766-L32BWA
1766-L32BWAA
1766-L32BXB
1766-L32BXBA

VULNERABILITY DETAILS

A remote, unauthenticated attacker could send especially crafted Modbus TCP packets to the affected device in order to exploit a buffer overflow condition. The Modbus buffer is not deallocated when a packet exceeds a specific length. Repeated sending of Modbus TCP data can cause a denial of service to the Modbus functionality, and potentially cause the controller to fault.

Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 8.6/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

RISK MITIGATIONS and RECOMMENDED ACTIONS

Customers using affected versions of the MicroLogix™ 1400 PLCs are encouraged to update to the newest available firmware versions that address associated risks and include added improvements to further help harden the device and enhance its resilience against similar malicious attacks.

Update supported products based on this table:

Product Family

Catalog Numbers

Hardware Series

Suggested Actions

MicroLogix 1400

1766-L32AWA
1766-L32AWAA
1766-L32BWA
1766-L32BWAA
1766-L32BXB
1766-L32BXBA

Series B or C

- Apply FRN 21.003 (Downloads)

- Apply the any additional mitigations below.

All users, if applicable, may disable Modbus TCP support if it is not necessary for their MicroLogix™ 1400 implementation. Without Modbus TCP enabled, a potential attacker does not have access to exploit the device using this vulnerability.

GENERAL SECURITY GUIDELINES

Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to specific ports using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation® Products, see Knowledgebase Article ID 898270.
Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
22-Dec-2017	1.0	Initial Release

KCS Status

Released

High

PN1000 | PN1000 | FactoryTalk Alarms and Events Historian Denial of Service

Published Date:

December 07, 2017

Last Updated:

December 07, 2017

CVE IDs:

CVE-2017-14022

Products:

FactoryTalk Services Platform, FactoryTalk View SE, Logix Designer

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

FactoryTalk Alarms and Events Historian Denial of Service

Description

Version 1.1 - December 7, 2017
Version 1.0 - November 1, 2017

A vulnerability exists in FactoryTalk® Alarms and Events (FTAE) that, if successfully exploited, can cause a Denial of Service condition to the historian service within FTAE. FactoryTalk Alarms and Events is used to provide a common, consistent view of alarms and events through a FactoryTalk View SE HMI system and is used across several sectors, including without limitation: critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications.

Customers using affected versions of this product are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

FactoryTalk Alarms and Events v2.90 and earlier.

Factory Talk Alarms & Events is a component of the FactoryTalk Services platform. Customers using FTAE-based alarms in FactoryTalk View SE or Logix-based alarms in ControlLogix / CompactLogix processors will be impacted. FactoryTalk Alarms & Events is installed by several products:

FactoryTalk Services (RSLinx® Enterprise), all versions
FactoryTalk View SE, version 5.00 and later
Studio 5000 Logix Designer®, version 24 and later

Affected customers may consult the Risk Mitigation section of this advisory for information on how to address the issue.

VULNERABILITY DETAILS

An unauthenticated attacker with remote access to a network with FactoryTalk Alarms and Events can send a specially crafted set of packets to port TCP/403 (the history archiver service), causing the service to either stall or terminate.

The history archiver service of FactoryTalk Alarms and Events is used to archive alarms and events to a Microsoft SQL Server database. Disrupting this capability can result in a loss of information, the criticality of which depends on the type of environment that the product is used in. The service must be restarted in order to restore operation.

CVE-2017-14022 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.5/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected software are encouraged to update to an available revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below, and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.

Product Family

Version In Use

Suggested Actions

Factory Talk Alarms and Events

V2.90

- Implement the V2.90 patch (instructions)

- Disable TCP port 403. See item #2 below for details.

Factory Talk Alarms and Events

V2.81 and earlier

- Update to FTAE V2.90 from PCDC (instructions) then implement the V2.90 patch (instructions)

- Disable TCP port 403. See item #2 below for details.

FactoryTalk Alarm and Event history is logged using the Rockwell Alarm Historian service using port 403, and writes alarms and events to the user-configured SQL Server database. If the Rockwell Automation Alarm Historian service is on the same machine as the Rockwell Alarm Event service, then port 403 can be blocked remotely as the historical information is being logged to the local host rather than a remote host. Any other machine in the system that does not have the Rockwell Alarm Historian service on the same machine as the Rockwell Alarm Event service will require access to port 403.

Note: FactoryTalk View SE clients using the Alarm and Event Log Viewer to view FactoryTalk Alarm and Event history do not require port 403 and can thus be blocked.

GENERAL SECURITY GUIDELINES

Block all traffic to EtherNet/IP™ or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management (UTM) devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270
Use trusted software, software patches, and anti-virus/anti-malware programs, and interact only with trusted web sites and attachments.
Minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet
Locate control system networks and devices behind firewalls, and isolate them from the enterprise network
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices they are installed in.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
07-December 2017	1.1	Updated with CVE #
01-November 2017	1.0	Initial Release

KCS Status

Released

Medium

PN1003 | PN1003 | Stratix 5100 Wireless Access Point/Workgroup Bridge affected by Key Reinstallation Attacks (KRACK) research paper

Published Date:

November 06, 2017

Last Updated:

November 06, 2017

CVE IDs:

CVE-2017-13082

Products:

Stratix 5100 WAP/Workgroup Bridge

CVSS Scores:

6.9

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Stratix 5100 Wireless Access Point/Workgroup Bridge affected by Key Reinstallation Attacks (KRACK) research paper

Description

Version 1.1 - November 6, 2017
Version 1.0 - October 23, 2017

On October 16, 2017, Mathy Vanhoef of the University of Leuven released a research paper detailing several vulnerabilities in the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) protocols. Rockwell Automation, along with Cisco Systems, Inc. ("Cisco"), have determined that all versions of the Allen-Bradley® Stratix® 5100 Wireless Access Point/Workgroup Bridge ("Stratix 5100 WAP/WGB") are affected by one of these ten vulnerabilities when the device has been configured with a specific non-default configuration. This vulnerability can be exploited by a Key Reinstallation Attack (KRACK), in which a malicious actor tricks the victim into reinstalling a key that is already in-use. A successful attack may allow the attacker to operate as a "man-in-the-middle" between the device and the wireless network. This could then be leveraged to manipulate the data stream, remove TLS/SSL and/or grab credentials and confidential information in transmission.

The Stratix 5100 wireless access point provides an 802.11 compliant Wi-Fi implementation that wirelessly connects client devices to an Ethernet based network. The vulnerabilities are solely exploitable in close proximity to a device that is actively joining to a previously joined wireless network.

Customers using this device are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the vulnerability are provided herein.

AFFECTED PRODUCTS

Stratix 5100 Wireless Access Point/ Workgroup Bridge
Version 15.3(3)JC1 and earlier

This includes the following catalogs:

1783-WAPAK9
1783-WAPBK9
1783-WAPCK9
1783-WAPEK9
1783-WAPNK9
1783-WAPTK9
1783-WAPZK9

VULNERABILITY DETAILS

Key Reinstallation Attacks ("KRACK") work against the four-way handshake of the WPA2 protocol. KRACK takes advantage of the retransmission of a handshake message to prompt the installation of the same encryption key every time it receives message 3 from the Access Point ("AP"). Retransmission of the handshake message from the AP occurs if a proper client acknowledgement is not received to the initial message; retransmission resets the nonce value and replay counter to their initial values. A malicious actor could force these nonce resets by replaying the appropriate handshake message, which could allow for injection and decryption of arbitrary packets, hijacking of TCP connections, injection of HTTP content, or replaying of unicast or multicast data frames on the targeted device.

CVE-2017-13082 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 6.9/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N

The original public security advisory issued by Cisco is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

The report by US-CERT is available at the following link: https://www.kb.cert.org/vuls/id/228519

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Rockwell Automation recommends that all customers patch the clients that connect to the Stratix 5100 WAP/WGB, and recommends contacting your vendor to get the most updated patch that is compatible with your client devices. However, patching the client only protects the connection formed by that specific client. In order to protect all future clients that may be added to your system, Rockwell Automation recommends patching the Stratix 5100 WAP/WGB when the firmware is available.

UPDATE: NOVEMBER 6, 2017
After further investigation, Rockwell Automation has determined that since the vulnerability affects Stratix 5100 access points with 802.11r enabled, and 802.11r is not fully supported on the Stratix 5100 WAP/WGB, that access-point users are not affected by this vulnerability, and patching the Stratix 5100 WAP/WGB is not required when the device is operating as an access point. To verify that 802.11r is disabled in your device, please refer to this Knowledgebase Article ID 1068007. It is still suggested that users refer to manufacturers of their connected wireless client devices for suggested patch procedures.

Alternatively, a workaround exists for CVE-2017-13082. If you are using a Stratix 5100 in Access Point ("AP") mode (and not in Workgroup Bridge mode ("WGB") and you have enabled 802.11r fast roaming, it is recommended that the 802.11r fast roaming function should be disabled. In order to disable 802.11r, do one of the following:

Open the Command Line Interface (CLI) and issue the following commands with administrative privileges:

Command	Purpose
configure terminal	Enters Global Configuration Mode
interface Dot11Radio0	Enters Radio0 (2.4GHz) Configuration
no dot11 dot11r	Executes command to disable 802.11r
Interface Dot11Radio1	Enters Radio1 (5GHz) Configuration
no dot11 dot11r	Executes command to disable 802.11r
end	Exits to privileged EXEC mode
write	Writes configuration to Non-volatile memory

In the web interface, Navigate to the "Network" tab, select "Network Interface", then "Radio0-802.11n 2G.hz", "Settings", and verify the disable radio button next to "11r Configuration" is selected. Repeat these steps with "Radio0-802.11n 5G.hz"

NOTE: Disabling 802.11r could have a negative impact on the performance and availability of a customer’s system. Customers are encouraged to evaluate the impact to specific environments before performing this workaround

GENERAL SECURITY GUIDELINES

Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
06-Nov-2017	1.1	Update about affected feature.
23-Oct-2017	1.0	Initial release.

KCS Status

Released

Critical

PN962 | PN962 | Stratix CMP Remote Code Execution Vulnerability

Published Date:

November 02, 2017

Last Updated:

November 02, 2017

CVE IDs:

CVE-2017-3881

Products:

Stratix 8300 L3 Modular Managed Switch, Stratix 8000 Modular Managed Switch, Stratix 5700 Managed Switch, Stratix 5410 Ind Distribution Switch, Stratix 5400 Industrial Ethernet Switch, ArmorStratix 5700 Managed Switch

CVSS Scores:

9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Stratix CMP Remote Code Execution Vulnerability

Description

Version 1.1 - November 2, 2017
Version 1.0 - March 23, 2017

Cisco Systems, Inc. ("Cisco") has reported that a vulnerability exists in the Cisco Cluster Management Protocol ("CMP") processing code in the Cisco IOS and Cisco IOS XE software. Allen-Bradley® Stratix® and ArmorStratix™ products contain affected versions of the Cisco IOS and IOS XE software. The Stratix product line contains Industrial Ethernet and/or Distribution switches for real-time control and information sharing on a common network infrastructure.

This vulnerability is remotely exploitable and can allow attackers to affect the availability of the vulnerable devices, and potentially even allow an attacker to execute arbitrary code and obtain full control of the device.

Customers using affected versions of this product are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

All Versions 15.2(5)EA.fc4 and earlier

Allen-Bradley Stratix 5400 Industrial Ethernet Switches
Allen-Bradley Stratix 5410 Industrial Distribution Switches
Allen-Bradley Stratix 5700 and ArmorStratix™ 5700 Industrial Managed Ethernet Switches
Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches

All Versions 15.2(4a)EA5 and earlier

Allen-Bradley Stratix 8300 Modular Managed Ethernet Switches

VULNERABILITY DETAILS

The Cluster Management Protocol uses Telnet to internally signal and send commands. A remote, unauthorized attacker could send malformed CMP-specific Telnet messages to try and establish a Telnet session with one of the affected products. Incorrect processing of these messages can cause the device to reload, or, in certain cases, allow the attacker to execute arbitrary code with elevated privileges on the device. If a customer has Telnet disabled, the attack vector is eliminated. Currently, no publicly available exploit code exists for this vulnerability.

The original product security advisory issued by Cisco is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp

CVE-2017-3881 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

UPDATE: NOVEMBER 02, 2017
Rockwell Automation has released a new version of firmware that addresses this vulnerability in several affected devices. Please see the table below for more details.

Rockwell Automation recommends customers using affected products to consult the suggestions below and, when possible, employ multiple strategies to mitigate their risk.

Product Family	Catalog Numbers	Affected Version	Suggested Actions
Stratix 8300	1783-RMS	15.2(4)EA and earlier	- See Risk Mitigations below
Stratix 8000	1783-MS	15.2(5)EA.fc4 and earlier	- Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below
Stratix 5400	1783-HMS	15.2(5)EA.fc4 and earlier	- Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below
Stratix 5410	1783-IMS	15.2(5)EA.fc4 and earlier	- Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below
Stratix 5700	1783-BMS	15.2(5)EA.fc4 and earlier	- Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below
ArmorStratix 5700	1783-ZMS	15.2(5)EA.fc4 and earlier	- Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below

Disabling the Telnet protocol as an allowed protocol for incoming connections on affected devices diminishes the network-based vector of attack. For information on how to disable Telnet via Command Line Interface, please see Knowledgebase Article ID 1040270.
If a customer is unable or unwilling to disable Telnet, then implementing infrastructure access control lists (iACLs) can reduce the attack service. For information on how to implement iACLs, please see Knowledgebase Article ID 1040270.
Cisco Talos, Cisco’s threat intelligence organization, has created two Snort rules (SIDs): 41909 and 41910 to detect exploits utilizing this vulnerability, which can be used on Stratix 5950 Security Appliances positioned appropriately within your network architecture to provide enhanced visibility. The Snort rules (SIDs) are enabled following curated rule sets - "Balanced Security and Connectivity", "Connectivity over Security, and "Secure over connectivity.

GENERAL SECURITY GUIDELINES

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Utilize proper network infrastructure controls, such as firewalls. As an extension to this approach, the Allen-Bradley® Stratix 5950 Industrial Network Security Appliance, which comprises Intrusion Prevention and Detection (IDS/IPS) services, and Deep Packet Inspection (DPI) of the Common Industrial Protocol (CIP), Rockwell Automation can now offer customers an intrusion detection system to provide visibility, in real-time, if a vulnerability is being exploited. The Stratix 5950 contains a rules engine called FirePOWER which can process rules created by Cisco TALOS for a variety of known security issues. Once configured with rules, the FirePOWER engine inspects the contents of every packet, looking for datapoints that correspond to one or more rules. Packets that have these signatures can be either logged (IDS) or blocked (IPS).

For further information on Rockwell Automation’s Vulnerability Handling process, please refer to our FAQs document: http://literature.rockwellautomation.com/idc/groups/literature/documents/lm/secur-lm003_-en-p.pdf.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory with the Rockwell Automation Security Advisory Index at https:rockwellautomation.custhelp.comapp/answers/detail/a_id/54102, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

ADDITIONAL LINKS

Security Advisory Index, Knowledgebase Article ID 54102.
Industrial Firewalls within a CPwE Architecture White Paper: ENET-WP011B-EN-P
Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide: ENET-TD002A-EN-P

REVISION HISTORY

Date	Version	Details
02-NOVEMBER-2017	1.1	Patched FW Release
24-MARCH-2017	1.0	Initial Release

KCS Status

Released

High

PN991 | PN991 | Stratix SNMP Packet Remote Code Execution Vulnerabilities

Published Date:

November 02, 2017

Last Updated:

November 02, 2017

CVE IDs:

CVE-2017-6741, CVE-2017-6744, CVE-2017-6743, CVE-2017-6740, CVE-2017-6738, CVE-2017-6737, CVE-2017-6742, CVE-2017-6739, CVE-2017-6736

Products:

Stratix 8300 L3 Modular Managed Switch, Stratix 8000 Modular Managed Switch, Stratix 5700 Managed Switch, Stratix 5400 Industrial Ethernet Switch, Stratix 5900 Services Router, Stratix 5410 Ind Distribution Switch

CVSS Scores:

8.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Stratix SNMP Packet Remote Code Execution Vulnerabilities

Description

Version 1.1 - November 2, 2017
Version 1.0 - July 27, 2017

Cisco Systems, Inc. ("Cisco") has reported that multiple vulnerabilities exist in the Simple Network Management Protocol ("SNMP") subsystem of Cisco IOS and IOS XE software that, if successfully exploited, can allow an authenticated, remote attacker to execute code on an affected device or cause an affected device to crash and reload. Allen-Bradley® Stratix® and ArmorStratix™ Industrial Ethernet switch products and the Stratix 5900 Services Router contain affected versions of the Cisco IOS and IOS XE software. The Stratix product line contains Industrial Ethernet switches for real-time control and information sharing on a common network infrastructure.

According to Cisco, these vulnerabilities are remotely exploitable and can allow attackers to affect the availability of the vulnerable devices, and potentially even allow an attacker to execute arbitrary code and obtain full control of the device.

UPDATE: NOVEMBER 2, 2017
Rockwell Automation has released a new version of firmware that addresses this vulnerability in several affected devices. Please see the table below for more details.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

For support on how to determine which version of Stratix firmware is on your device, please see Knowledgebase Article ID 55484.

All Versions 15.2(5)EA.fc4 and earlier
• Allen-Bradley Stratix 5400 Industrial Ethernet Switches
• Allen-Bradley Stratix 5410 Industrial Distribution Switches
• Allen-Bradley Stratix 5700 and ArmorStratix™ 5700 Industrial Managed Ethernet Switches
• Allen-Bradley Stratix 8000 Modular Managed Ethernet Switches

All Versions 15.2(4)EA and earlier
• Stratix 8300 Modular Managed Ethernet Switches

All Versions 15.6(3)M1 and earlier
• Allen-Bradley Stratix 5900 Services Router

VULNERABILITY DETAILS

Multiple vulnerabilities exist in the SNMP subsystem of Cisco IOS and IOS XE software that could allow an authenticated, remote attacker to execute code on an affected system or cause an affected system to reload by sending a crafted SNMP packet to an affected system via IPv4 or IPv6.

The vulnerabilities affect all versions of SNMP. To exploit these vulnerabilities via SNMP version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities in SNMP version 3, the attacker must authenticate their identity with user credentials for the affected system.

CVE ID #	Headline linked to Cisco Advisory	CVSS v3 Score and Vector String for a better understanding of how this score was generated, please follow the link to first.org
CVE-2017-6736	SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software	8.8/10 (High) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2017-6737
CVE-2017-6738
CVE-2017-6739
CVE-2017-6740
CVE-2017-6741
CVE-2017-6742
CVE-2017-6743
CVE-2017-6744

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Rockwell Automation will update this advisory as new versions of firmware are released that remediate this vulnerability. Until then, Rockwell Automation recommends that customers using affected products consult the suggestions below and employ multiple strategies to mitigate their risk when possible.

Product Family	Catalog Numbers	Affected Versions	Suggested Actions
Stratix 8300	1783-RMS	15.2(4)EA and earlier	- Update to v15.2(4a)EA5 or later (Download)
Stratix 5900	1783-SRKIT	V15.6.3 and earlier	- See Risk Mitigations below
Stratix 8000	1783-MS	15.2(5)EA.fc4 and earlier	- Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below
Stratix 5400	1783-HMS	15.2(5)EA.fc4 and earlier	- Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below
Stratix 5410	1783-IMS	15.2(5)EA.fc4 and earlier	- Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below
Stratix 5700	1783-BMS	15.2(5)EA.fc4 and earlier	- Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below
ArmorStratix 5700	1783-ZMS	15.2(5)EA.fc4 and earlier	- Update to 15.2(6)E0a or later (Download) - In addition, see Risk Mitigations below

Disable the following Management Information Bases (MIBs) on a device, if they are installed/active on your Stratix device:
Stratix 8000, 8300, 5700, 5400, 5410
CISCO-MAC-AUTH-BYPASS-MIB
Stratix 5900
ADSL-LINE-MIB
CISCO-ADSL-DMT-LINE-MIB
CISCO-BSTUN-MIB
CISCO-MAC-AUTH-BYPASS-MIB
CISCO-VOICE-DNIS-MIB

Details on how to use the Command Line Interface to disable or limit access to SNMP or individual MIBs can be found at Knowledgebase Article ID 1055391.
Note: Your Stratix device may not have all of the MIBs installed/active.
If SNMP is required, use strong SNMP v3 credentials since this attack requires authentication.
Cisco Talos, Cisco’s threat intelligence organization, has created the following Snort rules (SIDs): 43424, 43425, 43426, 43427, 43428, 43429, 43430, 43431, 43432 to detect exploits utilizing this vulnerability, which can be used on Stratix 5950 Security Appliances positioned appropriately within your network architecture to provide enhanced visibility. The Snort rules (SIDs) are enabled following curated rule sets - "Balanced Security and Connectivity", "Connectivity over Security, and "Secure over connectivity.
Use proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. Firewalls will not block requests from compromised, but authorized sources.

GENERAL SECURITY GUIDELINES

If available, use product-specific features, such as a keyswitch setting, to block unauthorized changes, etc. Consult the product documentation for the availability and usage of these features.
Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the enterprise network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
02-Nov-2017	1.1	Updated Firmware Available
27-Jul-2017	1.0	Initial Release

KCS Status

Released

High

PN958 | PN958 | FactoryTalk Activation Unquoted Service Path Privilege Escalation

Published Date:

August 24, 2017

Last Updated:

August 24, 2017

Products:

FactoryTalk Activation

CVSS Scores:

8.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

FactoryTalk Activation Unquoted Service Path Privilege Escalation

Description

Version 1.2 - August 24, 2017
Version 1.1 - March 21, 2017
Version 1.0 - February 16, 2017

Update: March 21, 2017
A complete list of the software products that distribute versions of FactoryTalk® Activation Manager has been identified and listed under the affected products below. FactoryTalk Activation is a component of the FactoryTalk Services Platform that enables customers to activate and manage Rockwell Automation software products via activation files that are downloaded from the Internet.

In those instances where customers using one of the listed software products are unable to update to the latest version of FactoryTalk Activation, please refer to the KnowledgeBase Article ID 939382 to verify and patch any unquoted service paths in a specific system.

An unquoted service path privilege escalation vulnerability is a known and documented vulnerability that affects all versions of Windows that support spaces in file path names. Certain versions of FactoryTalk® Activation Manager are susceptible to this vulnerability. FactoryTalk Activation is a component of the FactoryTalk Services Platform that enables customers to activate and manage Rockwell Automation software products via activation files that are downloaded from the Internet. This vulnerability can be exploited to link to, or run, a malicious executable of the attacker’s choosing.

Rockwell Automation has provided a software update containing the remediation for this vulnerability. Rockwell Automation has also provided a series of steps to allow customers to mitigate this vulnerability in previously downloaded versions. Further details about this vulnerability, as well as recommended countermeasures, are contained below.

AFFECTED PRODUCTS
FactoryTalk Activation Service v4.00.02 and earlier

Update: March 21, 2017
The following products require FactoryTalk Activation Manager to store and keep track of Rockwell Automation software products and activation files. All versions prior to, and including, v4.00.02 of the FactoryTalk Activation Service are affected. In other words, customers who recognize products from the following list are using FactoryTalk Activation Manager, and they may consult the Risk Mitigation section of this advisory for information on how to verify that their systems are affected and how to manually address this vulnerability.

Arena®
Emonitor®
FactoryTalk® AssetCentre
FactoryTalk® Batch
FactoryTalk® EnergyMetrix™
FactoryTalk® eProcedure®
FactoryTalk® Gateway
FactoryTalk® Historian Site Edition (SE)
FactoryTalk® Historian Classic
FactoryTalk® Information Server
FactoryTalk® Metrics
FactoryTalk® Transaction Manager
FactoryTalk® VantagePoint®
FactoryTalk® View Machine Edition (ME)
FactoryTalk® View Site Edition (SE)
FactoryTalk® ViewPoint
RSFieldBus™
RSLinx® Classic
RSLogix 500®
RSLogix 5000®
RSLogix™ 5
RSLogix™ Emulate 5000
RSNetWorx™
RSView®32
SoftLogix™ 5800
Studio 5000 Architect®
Studio 5000 Logix Designer®
Studio 5000 View Designer®
Studio 5000® Logix Emulate™

VULNERABILITY DETAILS

Successful exploitation of this vulnerability could potentially allow an authorized, but non-privileged, local user to execute arbitrary code with elevated privileges on the system. A well-defined service path enables Windows to easily find the path to a service; this is accomplished by containing the path within quotation marks. Without quotation marks, any whitespace in the file path remains ambiguous, and an attacker could drop a malicious executable if the service path is discovered.

This vulnerability allows an authorized individual with access to a file system to possibly escalate privileges by inserting arbitrary code into the unquoted service path. When the Windows Service Manager starts the service, it will attempt to launch the implanted executable rather than the intended and authentic executable.

A CVSS v3 base score of 8.8 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

RISK MITIGATIONS

Where feasible, precautions and risk mitigation strategies to this type of attack, like those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.

Rockwell Automation recommends upgrading to the latest version of FactoryTalk Activation. To download v4.01 or later, go to this link for PCDC (Product Compatibility & Download Center) and select "Select Files" icon for all Free Downloads. Select latest FactoryTalk Activation from the list of downloads.

Update: August 24, 2017
Customers can consult the Product Compatibility and Download Center Standard Views>Software Latest Versions>FactoryTalk Activation for details about the latest FactoryTalk Activation Manager.

Note: When centralizing FactoryTalk Activation Manager (FTAM) to a single server host, it is important to ensure that the centralized Activation server is running a version of FactoryTalk Activation Manager equal to, or greater than, the latest version of client FTAM on your network. It is important to update the central activation servers before client activation servers. For details visit Knowledgebase Article 612825 Managing Remote FactoryTalk Activation Manager Servers.

If unable to upgrade to the latest version visit KnowledgeBase Article ID 939382, which describes how to identify whether or not your service path contains spaces (i.e. is vulnerable); how to manually address this vulnerability through a registry edit; and walks through the process of doing such edits.

Where feasible, precautions and risk mitigation strategies to this type of attack, like those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.

Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in Knowledgebase Article ID 546987.
Use trusted software, software patches, anti-virus / anti-malware programs, and interact only with trusted web sites and attachments.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory, the Rockwell Automation Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter. For further information on our Vulnerability Management process, please refer to our Product Security Vulnerability FAQ document.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation, and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

Product Security Vulnerability FAQ

REVISION HISTORY

Date	Version	Details
16-FEB-2017	1.0	Initial release
21-MAR-2017	1.1	FTA Concurrent Distribution List
24-AUG-2017	1.2	Compatibility Information

KCS Status

Released

PN1493 | PN1493 | Rockwell Automation Recommended Mitigations for the “Petya” Malware

Published Date:

June 30, 2017

Last Updated:

June 30, 2017

Products:

Third Party, Compliance / Audit Trail / Security, 6181X Hazardous Non-Display, RSBizWare Machine Performance, PLC5/250, ControlPak General, RSWire, PanelView Plus 6 Compact, ProcessPak, Historian Classic, Security Server, Integration Manager, 6200-PLC3, RSLogix Frameworks, SOS, RSLogix 500, AI-5, dsShopLib, Arena, Foundation Server, Shop Operations, RSLibrary Builder, RSBizWare Coordinator, Reporting (form based), AI-Micro, RSView32 WebServer, AI-3, Database, FactoryTalk ViewPoint, RSData OCX, 6186M Performance Monitor, SPC, Admin Tools, RSView32 SPC, FactoryTalk VantagePoint, App Solutions Documentation, 6176M Standard Monitor, Business Objects, 2711T MobileView Tethered, Migration, Master Disk Copy Protection, Studio 5000 View Designer, RSGuardian, RSBizWare Tracker, 650R Non-Display Computers, RSToolPak II, Raise Software, 750R Non-Display Computers, FactoryTalk View SE, Reporting, Interface Manager, PanelView 800, DataDisc, RSLogix 5, Operator Certification, Live Transfer, MaterialTrack, ThinManager, 2711T MobileView Accessories, 6181 Computers, 1450R Non-Display Computers, ControlView, Advisor, Printing, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, LiveData, Agile, 2711P PanelView Plus 7 Performance, Installation, RSLogix Emulate 500, Knowledge Documentation, PBase, RSLogix Emulate 5, RSPower, Entek, Build Utility, Shop Operation, Foundation Client, AI-5/250, AI-500, NCR/CAR/IQA, WINtelligent Recipe, RSView32, 6200-PLC5, FactoryTalk Activation, Purge, FactoryTalk Historian SE, RSEnterprise Controls, WINtelligent Logic 5, WSIntegrate, PID Logistics 500, SoftLogix5800, FactoryTalk VantagePoint EMI, RSMACC, RSPowerTools, RSView32 Messenger, FactoryTalk Linx Gateway, Supplier Manager, RSView32 Active Display, Maintenance Releases, Connected Components Workbench, 100/150 PCD, ComplianceTrack, PanelView Component, RSTools, Portlets, RSBizWare Scheduler, PID Logistics 5, WINtelligent Quality, AI-2, GEMS, ERP Integration Gateway, General Computer, PLC2A and T3, Activities, ETL, Historical Transfer, ECO, Documentation, RSWorkbench, RSTestStand, RS PMX CTM, 6180 Computers with Keypad, RSBizWare Line Performance, Production Management Client, RSLadder, RMA, Data, Thin Client, Logix Designer, DataSite Workbench, FactoryTalk Integrator, AI Emulate 500, RSPower32, Legacy, AI Emulate 5, 2711P PanelView Plus 6 Logic Modules, Administration, 6155 Compact Computers, Production Execution Client, PanelView 5000, 1757 ProcessLogix, WINtelligent View, Installation, JD Edwards, Dashboard, Integrated Architecture Builder (IAB), 6181X Hazardous Integrated Display, PMX, WINtelligent HMI, 6200-5/250, eProcedure, RSView - 16 Bit, RSChart, ActiveX Control, FactoryTalk Metrics, TrendX, Universe Manager, Authentication, FactoryTalk AssetCentre, RSTrend, Knowledge Installation, Sampling Plans, 2711P PanelView Plus 7 Standard, General, RSSidewinderX, Configuration Tool, FactoryTalk Transaction Manager, Consumer Packaged Goods Suite, Studio 5000 Application Code Manager (ACM), Reports (Out-of-box), PlantMetrics, PCO Software (6723), API, FactoryTalk Batch, AI-100/150, FactoryTalk EnergyMetrix, FactoryTalk View ME, SoftLogix5, FactoryTalk Analytics for Machines, Legacy, WINtelligent Trend, Process Designer, RSPocketLogix, Reports (Custom), Other, 6200-PLC2, Automotive Suite , RSMailman, Quality Assurance (6.x), ICAPA, RSLogix Architect / Studio 5000 Architect, Equipment Manager, GUI, FactoryTalk Analytics for Devices, PlantPAx, CtrlContainer, 2711P PanelView Plus 6 400-1500, Complaint Handling, RSToolPak I, Server Configuration, Pavilion, RSData VBX, FactoryTalk Services Platform

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

Version 1.1 - June 29, 2017

Revision History

Date	Version	Details
29-Jun-2017	1.1	Title update
28-Jun-2017	1.0	Initial release
30-Jun-2017	1.2	Clarified port information with respect to FT Software products

Introduction

On June 27, 2017, a new malware variant named “Petya” (also known as “NotPetya” or “Nyetya”) began affecting Microsoft Windows personal computers (PCs) around the world. NotPetya is a Petya-inspired malware variant and behaves in a manner similar to how the “WannaCry” malware that surfaced in May 2017 did, specifically in that it is a self-propagating "worm" that infects any vulnerable host that has not patched the Windows SMBv1 vulnerability. Microsoft patched this vulnerability, named “MS17-010,” in March 2017.

However, it is worth noting that this malware has some key differences from WannaCry, including how it propagates to other machines and how it attacks the victim’s PC.

As of this writing, there is no known direct impact to Rockwell Automation products from this malware, though all files present on a machine (including files used by Rockwell Automation products) may be encrypted in the event of a successful attack. However, customers who use Rockwell Automation software products may be vulnerable to this attack since most of the Rockwell Automation software products run on Microsoft Windows platforms containing the underlying vulnerability which enables this attack.

Rockwell Automation decided to provide this advisory since customers running Rockwell Automation software on Microsoft Windows may be vulnerable to this attack. Information and links to Microsoft-provided resources are provided below, as well as our qualification report for MS17-010. We are continuing to monitor this situation, and we will update this advisory as we learn more.

Affected Products

According to Microsoft’s MS17-010 Security Bulletin, the following operating systems contain the vulnerability:

Windows XP
Windows 7
Windows 8
Windows 10
Windows Server 2003
Windows Server 2008 R1/R2
Windows Server 2012
Windows Server 2016

Note: Both 32-bit and 64-bit versions are vulnerable.

Note: At the time of this writing, and according to Microsoft, no versions of Windows CE are affected.

Vulnerability Details

This malware is similar in many ways to the WannaCry malware that surfaced in May 2017, but it also includes different methods for the encryption of files and propagation across the network to infect new machines. Reports suggest that if the Petya malware has administrative privileges, it does not encrypt files individually through a whitelist approach, but instead will encrypt the entire filesystem, rendering the machine completely in-accessible. Industrial control system (“ICS”) specific files, which may not have been specifically included in past whitelists, will now also be encrypted along with any other file on the filesystem.

The initial Petya infection comes from opening an infected file, attached to an email. Once a machine on a victim’s network is infected, Petya utilizes multiple mechanisms to propagate through the victim’s network without any type of user interaction, such as is common with the following social engineering-based attacks:

-     EternalBlue, the same SMB exploit which allowed WannaCry to propagate.
-     Microsoft Windows Management Instrumentation (WMI), using the user’s credentials.
-     Microsoft PSexec tool, using the user’s credentials.

Risk Mitigation & User Action

The risk from EternalBlue can be mitigated by applying updates from MS17-010. The other two attack vectors can be mitigated through blocking ports utilized by those protocols.

Rockwell Automation strongly recommends that customers review the Microsoft MS17-010 Security Bulletin, evaluate the potential risks, and implement a mitigation plan. Microsoft has provided patches for ALL affected operating systems, including XP and 2003. Rockwell Automation suggests that before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to help ensure that there are no unexpected results or side effects.

The Rockwell Automation Microsoft Patch Qualification team has qualified versions of our products on Windows 7 and Windows Server 2008 R2 with MS17-010 installed. For detailed information on versions tested, visit the Rockwell Automation Microsoft Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.

For any supported operating systems, use the “Windows Update” feature to download and apply updates
For unsupported operating systems, download English language security updates directly, these patches could be loaded onto existing Windows Server Update Services (WSUS) servers to ease large-scale deployments:
o Windows Server 2003 SP2 x64
o Windows Server 2003 SP2 x86
o Windows XP SP2 x64
o Windows XP SP3 x86
o Windows XP Embedded SP3 x86
o Windows 8 x86
o Windows 8 x64
For non-English unsupported operating systems, download localized versions for Windows XP, Windows 8 or Windows Server 2003: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
Alternatively, Microsoft recommends that you disable the SMB service following these instructions: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
o Note: This may prevent file shares from working in some instances.
If possible, restrict SMB and WMI traffic from untrusted enterprise networks (with internet connectivity) outside the IDMZ.
o SMB and WMI utilize ports TCP/135, TCP/139, TCP/445, and TCP/1024-1035.
o Note: Some FactoryTalk software products require port TCP/135 in order to function properly. Consult Knowledgebase Article 898270 for information on port usage by Rockwell Automation products.
Establish and execute a proper backup and disaster recovery plan for your organization's assets.

The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 7 and Windows Server 2008 R2 SP1.

However, the Rockwell Automation Microsoft Patch Qualification team has NOT qualified versions of our products with MS17-010 installed on Microsoft operating systems that are End of Life. We consider this patch to be a relatively 'low risk' in impacting Rockwell Automation products and should be applied at your discretion.

Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, subscribing to Knowledgebase Article 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring MS17-010. Be aware that the attack strategies can change as defenses are built up, and further action may be required.

General Security Guidelines

Refer to Knowledgebase Article 546987 for Rockwell Automation recommended customer hardening guidelines, including information about compatibility between antivirus software and Rockwell Automation products. For a list of Rockwell Automation tested antivirus software, refer to Knowledgebase Article 35330.
Use of Microsoft AppLocker® or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
Run all software as User, not as Administrator.
Use trusted software and software patches that are obtained only from highly reputable sources.
Employ training and awareness programs to educate users on the warning signs of
a phishing or social engineering attack.
Locate control system networks and devices behind firewalls, and isolate them from the business network, helping to make sure that messages with mismatched IP and interface origination do not reach the target system.
Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
When remote access is required, use secure methods, such as Virtual Private Networks (“VPNs”), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

Attachments

Migration Attachment

2017-06 Petya Ransomware.docx

PN1492 | PN1492 | Rockwell Automation Recommended Mitigations For “WannaCry” Ransomware

Published Date:

May 18, 2017

Last Updated:

May 18, 2017

Products:

Third Party, Compliance / Audit Trail / Security, 6181X Hazardous Non-Display, RSBizWare Machine Performance, PLC5/250, ControlPak General, RSWire, ProcessPak, Historian Classic, Security Server, Integration Manager, 6200-PLC3, RSLogix Frameworks, SOS, RSLogix 500, AI-5, dsShopLib, Arena, Foundation Server, Shop Operations, RSLibrary Builder, RSBizWare Coordinator, Reporting (form based), AI-Micro, RSView32 WebServer, AI-3, Database, FactoryTalk ViewPoint, RSData OCX, SPC, Admin Tools, RSView32 SPC, FactoryTalk VantagePoint, App Solutions Documentation, Business Objects, Migration, Master Disk Copy Protection, Studio 5000 View Designer, RSGuardian, RSBizWare Tracker, 650R Non-Display Computers, RSToolPak II, Raise Software, 750R Non-Display Computers, FactoryTalk View SE, Reporting, Interface Manager, DataDisc, MaterialTrack, RSLogix 5, Operator Certification, Live Transfer, ThinManager, 6181 Computers, 1450R Non-Display Computers, Advisor, ControlView, Printing, RSLogix Emulate 5000 / Studio 5000 Logix Emulate, LiveData, Agile, Installation, RSLogix Emulate 500, PBase, Knowledge Documentation, RSLogix Emulate 5, RSPower, Entek, Build Utility, Shop Operation, Foundation Client, AI-5/250, AI-500, NCR/CAR/IQA, WINtelligent Recipe, RSView32, 6200-PLC5, FactoryTalk Activation, Purge, FactoryTalk Historian SE, RSEnterprise Controls, WINtelligent Logic 5, WSIntegrate, RSPowerTools, SoftLogix5800, FactoryTalk VantagePoint EMI, RSMACC, PID Logistics 500, RSView32 Messenger, FactoryTalk Linx Gateway, Supplier Manager, RSView32 Active Display, Maintenance Releases, Connected Components Workbench, 100/150 PCD, ComplianceTrack, RSTools, Portlets, RSBizWare Scheduler, PID Logistics 5, WINtelligent Quality, AI-2, GEMS, Documentation, PLC2A and T3, General Computer, Activities, ETL, Historical Transfer, ECO, ERP Integration Gateway, RS PMX CTM, RSTestStand, RSWorkbench, 6180 Computers with Keypad, RSBizWare Line Performance, Production Management Client, RSLadder, RMA, Data, Thin Client, DataSite Workbench, Logix Designer, FactoryTalk Integrator, AI Emulate 500, RSPower32, Legacy, AI Emulate 5, Administration, 6155 Compact Computers, Production Execution Client, 1757 ProcessLogix, WINtelligent View, Installation, JD Edwards, Dashboard, 6181X Hazardous Integrated Display, Integrated Architecture Builder (IAB), WINtelligent HMI, PMX, 6200-5/250, eProcedure, RSView - 16 Bit, ActiveX Control, FactoryTalk Metrics, RSChart, TrendX, Universe Manager, Authentication, FactoryTalk AssetCentre, RSTrend, Knowledge Installation, Sampling Plans, General, RSSidewinderX, Configuration Tool, FactoryTalk Transaction Manager, Consumer Packaged Goods Suite, Studio 5000 Application Code Manager (ACM), AI-100/150, PlantMetrics, API, FactoryTalk Batch, PCO Software (6723), Reports (Out-of-box), FactoryTalk EnergyMetrix, FactoryTalk View ME, SoftLogix5, FactoryTalk Analytics for Machines, Legacy, Process Designer, WINtelligent Trend, RSPocketLogix, Reports (Custom), Other, 6200-PLC2, Automotive Suite , RSMailman, Quality Assurance (6.x), ICAPA, RSLogix Architect / Studio 5000 Architect, Equipment Manager, GUI, FactoryTalk Analytics for Devices, PlantPAx, CtrlContainer, Complaint Handling, RSToolPak I, Server Configuration, Pavilion, RSData VBX, FactoryTalk Services Platform

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Version 1.1 - May 18, 2017

Introduction

On May 10, 2017, a new ransomware attack called "WannaCry" (also known as "WannaCrypt"), began affecting Microsoft Windows personal computers ("PCs") around the world. The ransomware is a self-propagating "worm" that infects any vulnerable host that has not patched the SMBv1 Windows vulnerability. This vulnerability was patched in March 2017 by Microsoft and has been named "MS17-010", which is included in the monthly Microsoft roll-ups: "MS17-006".

Unlike previous ransomware variants that require social engineering ("phishing"), WannaCry takes advantage of a publicly known vulnerability in Microsoft Windows, which allows it to spread quickly throughout a network and infect additional hosts with no user interaction.

As of this writing, there is no known direct impact to Rockwell Automation products from this ransomware. However, customers who use Rockwell Automation software products may be vulnerable to this attack since this software runs on Microsoft Windows platforms containing the underlying vulnerability which enables this attack.

Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary payment in order to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications. Typically, the user must pay a ransom (in some form of untraceable currency), and must do so before the deadline expires and the decryption key is destroyed.

Rockwell Automation decided to provide this advisory since customers running Rockwell Automation software on Microsoft Windows are likely vulnerable to this attack. Information and links to Microsoft-provided resources are provided below, as well as our qualification report for MS17-010. We are continuing to monitor this situation, and we will update this advisory as we learn more.

Affected Products

According to Microsoft's MS17-010 Security Bulletin, the following operating systems contain the vulnerability:

Windows XP
Windows 7
Windows 8
Windows 10
Windows Server 2003
Windows Server 2008 R1/R2
Windows Server 2012
Windows Server 2016

Note: Both 32-bit and 64-bit versions are vulnerable.

At the time of this writing, and according to Microsoft, no versions of Windows CE are affected by these vulnerabilities."

Vulnerability Details

According to Microsoft's MS17-010 Security Bulletin:

This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

Risk Mitigation & User Action

Rockwell Automation strongly recommends that customers review the Microsoft MS17-010 Security Bulletin, evaluate the risks, and implement a mitigation plan. Microsoft has provided patches for ALL affected operating systems, including XP and 2003. Rockwell Automation suggests that before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to ensure that there are no unexpected results or side effects.

The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 8.1, Windows 7 SP1, and Windows Server 2008 R2 SP1. For detailed information on versions tested, visit the Rockwell Automation MS Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.

1.) For any supported operating systems, utilize the "Windows Update" feature to download and apply updates.

2.) For unsupported operating systems, download English language security updates directly:

Windows Server 2003 SP2 x64

Windows Server 2003 SP2 x86

Windows XP SP2 x64

Windows XP SP3 x86

Windows XP Embedded SP3 x86

Windows 8 x86

Windows 8 x64

3.) For non-English unsupported operating systems, download localized versions for Windows XP, Windows 8 or Windows Server 2003: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

4.) Alternatively, Microsoft recommends that you disable the SMB service following these instructions: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

Note: This will prevent file shares from working in some instances.

The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 7 and Windows Server 2008 R2 SP1.

The Rockwell Automation MS Patch Qualification team has not qualified versions of our products with MS17-010 installed on Microsoft operating systems that are End-of-Life. We consider this patch to be a relatively 'low risk' in impacting Rockwell Automation products and should be applied at your discretion.

In addition, Cisco Talos has released IPS/IDS Snort rules to detect and defend against WannaCry. See their blogpost for additional information.

Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, subscribing to Knowledgebase Article 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring MS17-010. Be aware that the attack strategies can change as defenses are built up, and further action may be required.

General Security Guidelines

1.) Refer to Knowledgebase Article 546987 for Rockwell Automation recommended customer hardening guidelines, including information about compatibility between antivirus software and Rockwell Automation products. For a list of Rockwell Automation tested antivirus software, refer to Knowledgebase Article 35330.

2.) Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.

3.) Run all software as User, not as Administrator.

4.) Use trusted software and software patches that are obtained only from highly reputable sources.

5.) Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.

6.) Locate control system networks and devices behind firewalls, and isolate them from the business network, helping to make sure that messages with mismatched IP and interface origination do not reach the target system.

7.) Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.

8.) When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.

Attachments

File

KB1047348_Recomendações da Rockwell Automation para mitigação do ransomware WannaCry.pdf

Critical

PN946 | PN946 | Stratix® Denial of Service Vulnerabilities

Published Date:

April 26, 2017

Last Updated:

April 26, 2017

CVE IDs:

CVE-2016-6380, CVE-2016-6385, CVE-2016-6382, CVE-2016-6393

Products:

ArmorStratix 5700 Managed Switch, Stratix 8000 Modular Managed Switch, Stratix 5700 Managed Switch, Stratix 5400 Industrial Ethernet Switch, Stratix 5410 Ind Distribution Switch

CVSS Scores:

9.9, 8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Stratix® Denial of Service Vulnerabilities

Description

Version 1.1 - April 26, 2017

UPDATE: April 26, 2017 - Further investigation has confirmed that the Stratix 8300® platform is also affected by these vulnerabilities. Stratix 8300 is a family of modular managed Ethernet switches. Affected versions of Stratix 8300, including mitigations to deploy for affected customers, are provided below.

On September 28, 2016, Cisco released its semi-annual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which included ten security advisories detailing eleven vulnerabilities. Contained in these ten advisories are five vulnerabilities that impact the following Allen-Bradley Stratix® and ArmorStratix™ products:

26-APR-2017 Update: Allen-Bradley® Stratix 8300® Modular Managed Ethernet Switches
Allen-Bradley® Stratix 5400® Industrial Ethernet Switches
Allen-Bradley® Stratix 5410® Industrial Distribution Switches
Allen-Bradley® Stratix 5700® Industrial Managed Ethernet Switches
Allen-Bradley® Stratix 8000® Modular Managed Ethernet Switches
Allen-Bradley® ArmorStratix™ 5700 Industrial Managed Ethernet Switches for extreme environments

These discovered vulnerabilities are remotely exploitable and can allow attackers to affect the availability of the vulnerable modules if an attack is successful. Other attacks exploiting these various vulnerabilities can result in memory exhaustion, module restart, information corruption, and information exposure.

Customers using affected versions of this software are encouraged to review the available mitigation information on updating to the latest software versions that contain remediation. Additional vulnerability-related details, including affected products and recommended mitigations, are provided below.

AFFECTED PRODUCTS

26-APR-2017 Update: Stratix 8300
Version 15.2(4)EA and earlier
Stratix 5400, Stratix 5410, Stratix 5700, Stratix 8000, ArmorStratix 5700
Version 15.2(4)EA3 and earlier

Updates for all affected products are now available, and linked in the table provided. Stratix product firmware versions not listed above are not affected by these vulnerabilities.

VULNERABILITY DETAILS

Vulnerability #1: AAA Authentication Fail Denial of Service
A vulnerability in the Authentication, Authorization, and Accounting (AAA) service for remote Secure Shell Host (SSH) connections to the device could allow an unauthenticated, remote attacker to cause the vulnerable device to reload.

This vulnerability is a result of an error log message that is shown when a remote SSH connection to the device fails AAA authentication. Upon failure, the remote SSH attacker receives the previously configured banner which can be used to authenticate the targeted device. A successful attack could result in a Denial of Service (DoS) condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-aaados

A Common Vulnerabilities and Exposures ("CVE") ID has been assigned to this vulnerability:
CVE-2016-6393 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerabilities #2 and #3: Software Multicast Routing Denial of Service Vulnerabilities
Two vulnerabilities were discovered in the multicast subsystem of Cisco’s IOS and IOS XE Software, allowing for unauthenticated, remote attackers to create a DoS condition.

The first vulnerability is in the Multicast Source Discovery Protocol (MDSP) that could allow an unauthenticated, remote attacker to cause the affected device to reload. This vulnerability is due to insufficient checking of MSDP Source-Active (SA) messages received from a configured MSDP peer. If an attacker can send traffic to the Internet Protocol version 4 ("IPv4") address of an affected device, a maliciously-crafted packet would trigger the issue. A successful exploit could cause the affected device to restart.

The second vulnerability is due to insufficient checking of packets encapsulated in a Protocol Independent Multicast (PIM) register message. An attacker who is able to send Internet Protocol version 6 ("IPv6") register packets can create a malformed packet to send to a PIM rendezvous point in order to exploit this vulnerability. A successful exploit could cause the affected device to restart.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-msdp

CVE-2016-6382 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Vulnerability #4: DNS Forwarder Denial of Service and Information Corruption
A vulnerability exists in the Domain Name System ("DNS") forwarder functionality in the software that could allow an unauthenticated, remote attacker to cause the device to restart or corrupt the information existing in the device’s local DNS cache, or read part of the process memory.

The vulnerability is due to a flaw in handling crafted DNS response messages. An attacker could utilize this vulnerability by intercepting and crafting a DNS response message to a client DNS query that was forwarded from the affected device to a DNS server. A successful attack could cause the device to reload, which is a DoS, or corrupt the information on the local DNS cache.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns

CVE-2016-6380 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H.

Vulnerability #5: Software Smart Install Memory Leak Denial of Service
A vulnerability in the Smart Install client feature could allow an unauthenticated, remote attacker to cause a memory leak and an eventual DoS condition on the affected device.

This vulnerability is due to incorrect handling of image list parameters. To exploit this vulnerability, an attacker could send crafted Smart Install packets to Transmission Control Protocol ("TCP") port 4786. A successful attack could cause the switch to leak memory and eventually reload, resulting in a DoS condition.

Cisco’s product security disclosure for their Cisco IOS and IOS XE Software is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-smi

CVE-2016-6385 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned to this vulnerability; the CVSS v3 vector string is AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H.

Currently, there is no publicly available exploit code relating to any of these vulnerabilities.

RISK MITIGATIONS

Customers using affected versions of these Stratix products are encouraged to update to the latest available software versions addressing the associated risk, and including improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies specific to these types of attacks are similarly recommended, like those listed below. When possible, multiple strategies should be implemented simultaneously.

Update the affected products per the table below:

Product Family	Affected Versions	Updates Available
Stratix 5400 Industrial Ethernet Switches	15.2(4)EA3 and earlier	Apply FRN 15.2(5)EA.fc4 or later (Download)
Stratix 5410 Industrial Distribution Switches	15.2(4)EA3 and earlier	Apply FRN 15.2(5)EA.fc4 or later (Download)
Stratix 5700 Industrial Managed Ethernet Switches	15.2(4)EA3 and earlier	Apply FRN 15.2(5)EA.fc4 or later (Download)
Stratix 8000 Modular Managed Ethernet Switches	15.2(4)EA3 and earlier	Apply FRN 15.2(5)EA.fc4 or later (Download)
ArmorStratix 5700 Industrial Managed Ethernet Switches	15.2(4)EA3 and earlier	Apply FRN 15.2(5)EA.fc4 or later (Download)
28-APR-2017 Update: Stratix 8300 Module Managed Ethernet Switches	All Prior to 15.2(4a)EA5	Apply FRN 15.2(4a) EA5 or later (Download)

Cisco has offered workarounds for those vulnerabilities that are applicable. Where possible these can be applied alongside the upgrade in software version (above) to further mitigate risk of exposure.

Vulnerability	Workaround (if available)	Other Notes
#1: AAA Authentication DoS	The AAA Failed-Login Banner can be removed via the command no aaa authentication fail-message.	AAA Failed-Login Banner needs to be configured and SSH used for a remote connection to the device in order to exploit the vulnerability. To check if AAA is configured, use the show running-config include aaa command to check the AAA configuration and verify that it returns output.
#2 and #3: Multicast Routing DoS	There are no workarounds for either vulnerability	N/A
#4: DNS Forwarder DoS and Info Corruption	There are no workarounds that address this vulnerability.	N/A
#5: Software Smart Install Memory Leak	There are no workarounds other than disabling the Smart Install feature. This can be done on some versions of firmware with the "no vstack" global configuration command.	To determine whether a device is configured with the Smart Install client feature, use the command show vstack config. If the output is Role: Client, then this confirms that the feature is enabled on the device.

Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked.
Use trusted software, software patches, antivirus/anti-malware programs and interact only with trusted web sites and attachments.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on Rockwell Automation’s Vulnerability Management process, please refer to our FAQs document: http://literature.rockwellautomation.com/idc/groups/literature/documents/lm/secur-lm003_-en-p.pdf.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on the Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory using the Rockwell Automation Security Advisory Index at 54102 - Industrial Security Advisory Index, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
OCT-2016	1.0	Initial release.
28-APR-2017	1.1	Update to include Stratix 8300 and mitigations

KCS Status

Released

Critical

PN967 | PN967 | MicroLogix Controller v21 Security Updates

Published Date:

April 25, 2017

Last Updated:

April 25, 2017

CVE IDs:

CVE-2017-7902, CVE-2017-7901, CVE-2017-7899, CVE-2017-7898, CVE-2017-7903

Products:

MicroLogix Controller

CVSS Scores:

5.4, 8.1, 3.1, 9.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

MicroLogix Controller v21 Security Updates

Description

Version 1.0 - April 25, 2017

Multiple vulnerabilities exist in certain MicroLogix™ 1100 and 1400 controllers that, if successfully exploited, can allow unauthorized access to the web server, tamper with firmware, or cause a Denial of Service. MicroLogix is a family of Programmable Logic Controllers (PLCs) used to control processes across several sectors, including Food and Agriculture, Critical Infrastructure to Water, and Wastewater Systems. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to help achieve completeness in its risk assessment and mitigation processes.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS

MicroLogix 1400 Controllers, Series A and B

1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA
Version 16.00 and earlier.

MicroLogix 1100, Series A and B

1763-L16BWA, 1763-L16AWA, 1763-L16BBB, 1763-L16DWD
Version 16.00 and earlier.

VULNERABILITY DETAILS

Vulnerability #1: Weak Password Resolution

MicroLogix products use a numeric password that has a small number of maximum characters, making it easier for a user to guess the password. There is no penalty for incorrect passwords, so the attack can be repeated until the victim’s password is identified. Once a controller password is identified, the attacker is able to communicate with the controller and make disruptive changes.

A CVSS v3 base score of 9.8/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2017-7898 and CVE-2017-7903 have been assigned to this vulnerability.

Vulnerability #2: Firmware Tampering

Series C versions of MicroLogix 1400 firmware (FRN 21.00 and later) are digitally signed, whereas Series A and B are NOT digitally signed. When a new version of firmware is uploaded to the Series C product, the update will only proceed if the firmware’s digital signature is determined to be authentic.

A CVSS v3 base score of 8.1/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability #3: TCP Sequence Prediction Attack

An unauthorized, remote attacker has the potential to send counterfeit packets to a target host by predicting the TCP initial sequence numbers. The attacker may spoof or disrupt TCP connections that could potentially cause a Denial of Service to the target.

A CVSS v3 base score of 5.4/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L

CVE-2017-7901 has been assigned to this vulnerability.

Vulnerability #4: Improper Nonce Usage

A vulnerability exists in the HTTP Digest Authentication implementation that could allow an unauthorized, remote attacker to observe a valid HTTP request and replay that request back to the server. The attacker needs to observe an actual HTTP request that they wish to replay back to the server. The impact to this attack is limited to the functions that the web server has exposed.

A CVSS v3 base score of 5.4/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

CVE-2017-7902 has been assigned to this vulnerability.

Vulnerability #5: User Credentials Sent via GET method

Ilya Karpov reported to Rockwell Automation that form values, including user credentials, are sent to the web server via an HTTP GET method, which may also log the credentials in network monitoring tools. An attacker with access to these logs could potentially harvest these passwords, which may further allow the attacker access to the webserver, or other systems that share the same user credentials.

A CVSS v3 base score of 3.1/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

CVE-2017-7899 has been assigned to this vulnerability.

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using affected products are encouraged to update to the latest firmware version that addresses the associated risk and includes added improvements to further harden the software and enhance its resilience against similar malicious attacks. If it is not needed for their application, customers should consider disabling the web server to further mitigate these threats.

Customers who are unable to update their software are directed towards risk mitigation strategies provided in this document below. Where feasible, additional precautions and risk mitigation strategies, like those listed below, are similarly recommended. Employ multiple strategies when possible.

Product Family	Catalog Numbers	Vulnerabilities Remediated	Suggested Actions
MicroLogix 1400, Series C	1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA	All Vulnerabilities	-If possible, it is recommended to upgrade to Series C, FRN 21 or later which utilizes digitally signed firmware. If unable to upgrade to Series C, it is recommended to combine updating to FRN 21 for Series B along with other risk mitigations described below.
MicroLogix 1400, Series B	1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA	Series B, FRN 21.00: Vulnerabilities 1, 3, 4, 5	-Apply FRN 21 or later for Series B, and combine with other risk mitigations (Downloads) -Disable the web server. See Item #1 below for details -Apply the additional mitigations below
MicroLogix 1400, Series A	1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA	None	-Disable the web server. See item #1 below for details -Apply the additional mitigations below
MicroLogix 1100	1763-L16BWA 1763-L16AWA 1763-L16BBB 1763-L16DWD	None	-Disable the web server. See item #1 below for details -Apply the additional mitigations below

Disable the web server on the MicroLogix 1100 or the MicroLogix 1400, as it is enabled by default. See 732398 - How to disable the web server in MicroLogix 1100 and 1400 for detailed instructions on disabling the web server.
Set the mode to RUN via LCD soft keyswitch to prohibit any re-enabling of the web server while the keyswitch is in this mode. This also protects against unauthorized firmware upgrades.

GENERAL SECURITY GUIDELINES

Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Locate control system networks and devices behind firewalls, and isolate them from the business network, helping to make sure that messages with mismatched IP and interface origination do not reach the target system.
Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

REVISION HISTORY

Date	Version	Details
25-April-2017	1.0	Initial release.

KCS Status

Released

PN965 | PN965 | Stratix 5900 Security Updates

Published Date:

April 04, 2017

Last Updated:

April 04, 2017

CVE IDs:

CVE-2015-1787, CVE-2014-0195, CVE-2014-2109, CVE-2014-3566, CVE-2016-1344, CVE-2015-7702, CVE-2015-7871, CVE-2014-2106, CVE-2015-0207, CVE-2016-6393, CVE-2014-3360, CVE-2014-2112, CVE-2016-6380, CVE-2015-7691, CVE-2015-7692, CVE-2015-7849, CVE-2015-0290, CVE-2014-0224, CVE-2015-7701, CVE-2014-3470, CVE-2014-2113, CVE-2014-2108, CVE-2015-7704, CVE-2016-6415, CVE-2014-2111, CVE-2015-0642, CVE-2015-1798, CVE-2014-0221, CVE-2015-0292, CVE-2015-0293, CVE-2015-7854, CVE-2014-0076, CVE-2015-0646, CVE-2014-3361, CVE-2016-6381, CVE-2016-1409, CVE-2015-7855, CVE-2015-0291, CVE-2015-7850, CVE-2016-6384, CVE-2014-3356, CVE-2014-3354, CVE-2014-3355, CVE-2014-3299, CVE-2015-7848, CVE-2015-0289, CVE-2015-7705, CVE-2015-7703, CVE-2015-7851, CVE-2015-1799, CVE-2016-6382, CVE-2014-3359, CVE-2015-0287, CVE-2010-5298, CVE-2015-7852, CVE-2015-0209, CVE-2015-0288, CVE-2015-0285, CVE-2014-0198, CVE-2015-0643, CVE-2015-7853, CVE-2016-1350

Products:

Stratix 5900 Services Router

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Stratix 5900 Security Updates

Description

Version 1.0 - April 4, 2017

Cisco Systems, Inc. ("Cisco") has reported that several vulnerabilities exist in versions the Stratix® 5900 Services Router software. The Stratix 5900 Services Router is capable of providing bridging, multi-protocol routing, and remote access services in industrial control systems.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS
Stratix 5900, All Versions prior to 15.6.3

VULNERABILITY DETAILS
Rockwell Automation evaluated the vulnerabilities using the Common Vulnerability Scoring System ("CVSS") v3.0.

Security Advisories that Affect this Release

CVE ID #	Headline (linked to Cisco Advisory)	CVSS v3 Score and Vector String (For a better understanding of how this score was generated, please follow the link to first.org)
CVE-2016-6393	Cisco IOS and IOS XE Software AAA Login Denial of Service Vulnerability	8.1/10 - High CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
CVE-2016-6380	Cisco IOS and IOS XE Software DNS Forwarder Denial of Service Vulnerability	8.1/10 - High CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H
CVE-2016-6384	Cisco IOS and IOS XE Software H.323 Message Validation Denial of Service Vulnerability	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2016-6381	Cisco IOS and IOS XE Software Internet Key Exchange Version 1 Fragmentation Denial of Service Vulnerability	6.8/10 - Medium CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2016-6382	Cisco IOS and IOS XE Software Multicast Routing Denial of Service Vulnerabilities	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2016-6415	IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CVE-2016-1409	Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability	5.8/10 - Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
CVE-2016-1350	Cisco IOS and IOS XE and Cisco Unified Communications Manager Software Session Initiation Protocol Memory Leak Vulnerability	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2016-1344	Cisco IOS and IOS XE Software Internet Key Exchange Version 2 Fragmentation Denial of Service Vulnerability	6.8/10 - Medium CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2015-7691 CVE-2015-7692 CVE-2015-7701 CVE-2015-7702 CVE-2015-7703 CVE-2015-7704 CVE-2015-7705 CVE-2015-7848 CVE-2015-7849 CVE-2015-7850 CVE-2015-7851 CVE-2015-7852 CVE-2015-7853 CVE-2015-7854 CVE-2015-7855 CVE-2015-7871	Multiple Vulnerabilities in ntpd Affecting Cisco Products - October 2015	7.2/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
CVE-2015-1798 CVE-2015-1799	Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products	5.8/10 - Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CVE-2015-0642 CVE-2015-0643	Cisco IOS Software and IOS XE Software Internet Key Exchange Version 2 Denial of Service Vulnerabilities	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2015-0646	Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vulnerability	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2015-0207 CVE-2015-0209 CVE-2015-0285 CVE-2015-0287 CVE-2015-0288 CVE-2015-0289 CVE-2015-0290 CVE-2015-0291 CVE-2015-0292 CVE-2015-0293 CVE-2015-1787	Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products	4.0 - Medium CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
CVE-2014-3566	SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability	4.0 - Medium CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N
CVE-2014-3359	Cisco IOS Software DHCP Version 6 Denial of Service Vulnerability	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2014-3355 CVE-2014-3356	Cisco IOS Software Metadata Vulnerabilities	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2014-3361	Cisco IOS Software Network Address Translation Denial of Service Vulnerability	6.8/10 - Medium CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2014-3354	Cisco IOS Software RSVP Vulnerability	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2014-3360	Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2014-3299	Cisco IOS Software IPsec Denial of Service Vulnerability	7.7/10 - High CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
CVE-2010-5298 CVE-2014-0076 CVE-2014-0195 CVE-2014-0198 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470	Multiple Vulnerabilities in OpenSSL Affecting Cisco Products	10/10 - Critical CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2014-2113	Cisco IOS Software Crafted IPv6 Packet Denial of Service Vulnerability	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2014-2108	Cisco IOS Software Internet Key Exchange Version 2 Denial of Service Vulnerability	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2014-2109 CVE-2014-2111	Cisco IOS Software Network Address Translation Vulnerabilities	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2014-2106	Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE-2014-2112	Cisco IOS Software SSL VPN Denial of Service Vulnerability	8.6/10 - High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Rockwell Automation has provided firmware version v15.6.3 as remediation for these vulnerabilities.

Product Name	Catalog Number	Suggested Actions
Stratix 5900 Services Router	1783-SRKIT	Update to v15.6.3 (Download)

Customers using affected products are encouraged to update to this latest version, which addresses the associated risk and includes added improvements to further harden the software and enhance its resilience against similar malicious attacks.

Customers who are unable to update their software are directed toward risk mitigation strategies provided below.

Where feasible, it is recommended to use the additional precautions and risk mitigation strategies listed below. When possible, multiple strategies should be employed simultaneously. Please click "Subscribe for Updates" in the upper right corner if you would like an email notification when this advisory is updated.

GENERAL SECURITY GUIDELINES

1. Help minimize any unnecessary network exposure by assessing all control system devices and/or systems, and confirm that firmware is kept up to date
2. Use proper network infrastructure controls, such as firewalls. As an extension to this approach, the Allen-Bradley® Stratix 5950 Industrial Network Security Appliance offers an Intrusion Prevention System and an Intrusion Detection (IDS/IPS) System, and Deep Packet Inspection (DPI) technology of the Common Industrial Protocol (CIP). With the introduction of this new product, Rockwell Automation can offer customers an intrusion detection system to provide real-time visibility in the event that a vulnerability is being exploited. The Stratix 5950 Security Appliance uses Cisco FirePOWER™ technology, which allows created rules to be processed by Cisco TALOS for a variety of known security issues. Once configured with rules, the FirePOWER engine inspects the contents of every packet, looking for datapoints that correspond to one or more rules. Packets that have these signatures can be either logged using IDS or blocked using IPS. For further information on Rockwell Automation’s Vulnerability Handling process, please refer to our FAQs document.

For additional information on deploying the Stratix 5950, please see our Deploying Industrial Firewalls within a CPwE Architecture Guide.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory with the Rockwell Automation Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

ADDITIONAL LINKS

Security Advisory Index, Knowledgebase article KB:54102

Industrial Firewalls within a CPwE Architecture

Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

·

KCS Status

Released

Medium

PN966 | PN966 | ControlLogix 5580 and CompactLogix 5380 Programmable Automation Controller Denial of Service

Published Date:

April 04, 2017

Last Updated:

April 04, 2017

CVE IDs:

CVE-2017-6024

Products:

ControlLogix 5580 and Compact Logix 5380 Progammable Automation Controller

CVSS Scores:

6.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

ControlLogix 5580 and CompactLogix 5380 Programmable Automation Controller Denial of Service

Description

Version 1.0 - April 4, 2017

A vulnerability exists in certain ControlLogix® 5580 and CompactLogix™ 5380 Programmable Automation Controllers that, if successfully exploited, can cause a Denial of Service ("DoS") condition due to memory and/or resource exhaustion. These Programmable Automation Controllers are used to control processes across several sectors, including without limitation, critical infrastructure; water/wastewater systems; entertainment; food and beverage; and automotive applications. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to help achieve completeness in its risk assessment and mitigation processes.

Customers using affected versions of this firmware are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

AFFECTED PRODUCTS
Note: Firmware versions (for all products) prior to FRN 28.011 are not affected by this vulnerability.

ControlLogix 5580 controllers V28.011, V28.012, and V28.013.
ControlLogix 5580 controllers V29.011.
CompactLogix 5380 controllers V28.011.
CompactLogix 5380 controllers V29.011.

VULNERABILITY DETAILS
This vulnerability may allow an attacker to intentionally send a series of specific CIP-based commands to the controller and cause either:

1. A Major Non-Recoverable Fault ("MNRF") resulting in a Denial of Service condition.
2. An inability to establish new communication connections, while the attack takes place, resulting in a temporary Denial of Service condition.
This vulnerability is remotely exploitable through CIP-based networks, including EtherNet/IP. At this- time, there is no publicly known code to exploit this vulnerability. The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system, and other controls a user may have in place.

CVE-2017-6024 has been assigned to this vulnerability. A CVSS v3 base score of 6.8/10 has been assigned; for a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string is CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

RISK MITIGATIONS and RECOMMENDED USER ACTIONS

Customers using the affected controllers are encouraged to update to an available firmware revision that addresses the associated risk.

Type of Controller	Product Family	Catalog Numbers	Suggested Actions
Standard Controller	ControlLogix 5580	All Catalog Numbers in the ControlLogix 5580 Family	Update to FRN 30.011 or later (Download)
Small Controller	CompactLogix 5380	All Catalog Numbers in the CompactLogix 5380 Family	Update to FRN 30.011 or later (Download)

GENERAL SECURITY GUIDELINES
1. Block all traffic to EtherNet/IP or other CIP protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
2. Minimize network exposure for all control system devices and/or systems, and help confirm that they are not accessible from the Internet.
3. Locate control system networks and devices behind firewalls, and use best practices when isolating them from the business network.
4. When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

· 54102 - Industrial Security Advisory Index

· Industrial Firewalls within a CPwE Architecture

· Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

KCS Status

Released

High

PN959 | PN959 | Connected Components Workbench™ Software Dynamic Link Library (DLL) Hijack

Published Date:

February 16, 2017

Last Updated:

February 16, 2017

Products:

Connected Components Workbench

CVSS Scores:

7.0

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Revision History

Revision Number

1.0

Revision History

Version 1.0 - February 16, 2017. Initial Release.

Revision History

Revision Number

2.0

Revision History

Version 2.0 - April 09.2020. Corrected mitigation versions from v9.01 to V12.

Introduction

Connected Components Workbench™ Software Dynamic Link Library ("DLL") Hijack

Executive Summary

Rockwell Automation received a report from independent researcher Ivan Javier Sanchez about a vulnerability in the Connected Components Workbench™ ("CCW") software. CCW is a design and configuration software that helps simplify standalone machine development by offering a single environment for controller programming, device configuration and visualization. DLL hijacking is a known and documented vulnerability that affects software running on Microsoft® Windows operating systems. The effects of this attack can range from a denial-of-service ("DoS"), to the injection of malicious code into trusted processes, depending on the content of the DLL and the risk mitigations in place by the victim.

As of this announcement, there is no known publicly available exploit code relating to this vulnerability.

Version 2.0 Update:
Rockwell Automation received a vulnerability report from Reid Wightman, a researcher from Dragos, reporting that additional versions of CCW continued to be affected by this vulnerability.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.

Affected Products

Connected Components Workbench - Developer Edition, v11.00.00 and earlier
Connected Components Workbench - Free Standard Edition, v11.00.00 and earlier

Vulnerability Details

Certain DLLs included with versions of CCW software can be potentially hijacked to allow an attacker to gain rights to a victim’s affected personal computer (PC). Such access rights can be at the same, or potentially higher, level of privileges as the compromised user account, including and up to computer administrative privileges.

DLL hijacking requires user interaction and thus cannot be exploited remotely. The exploits are triggered only when a local user runs the vulnerable application, which then loads the untrusted DLL file in place of the real DLL file. Exploiting this vulnerability relies on successful social engineering of a victim to run at an application with the untrusted file, or to access a malicious webpage that is susceptible to browser redirection. These actions could allow an untrusted binary or DLL to be loaded into the memory of a client computer in place of the intended DLL.

The impacts of a successful DLL hijacking attack can range from a software crash (i.e. Denial-of-Service), which would require a restart, to the injection of malicious code into trusted processes. The impact of an attack that injects malicious code is highly dependent on both the type of code included in the attack, as well as any mitigations than the user may already employ. If the software is running as a high-privileged user, any injected code will also execute with those high privileges. The malicious code can also access process memory space that stores sensitive information or additional services that may be manipulated by the modified DLL.

A CVSS v3 base score of 7.0 has been assigned; the CVSS v3 vector string is CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Risk Mitigation & User Action

Customers using versions of affected software are encouraged to take the following actions:

Apply Connected Components Workbench – Developer Edition v12.00.00 (Download) or Connected Components Workbench – Free Standard Edition v12.00.00 (Download).
Apply the risk mitigations and recommended user actions in Knowledgebase Document ID PN1498 / Article ID 1125780.
Apply the risk mitigations and recommended user actions in Knowledgebase Document ID PN1499 / Article ID 1125782.

General Security Guidelines

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use of Microsoft AppLocker or another whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation® products is available at Knowledgebase Article ID 546989.
Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

High

PN938 | PN938 | RSLogix 500® and RSLogix™ Micro File Parser Buffer Overflow

Published Date:

February 14, 2017

Last Updated:

February 14, 2017

CVE IDs:

CVE-2016-5814

Products:

RSLogix 500

CVSS Scores:

8.6

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

RSLogix 500® and RSLogix™ Micro File Parser Buffer Overflow

Description

Version 1.1 - FEBRUARY 14 - 2017

UPDATE: Feb 14, 2017 Rockwell Automation has released a new version of software, v11.00.00, which contains the remediation for this vulnerability. Affected customers are encouraged to update to the most recent release to take advantage of the latest security patches.

In June 2016, Rockwell Automation was notified by ICS-CERT of a buffer overflow vulnerability that exists in its RSLogix™ Micro Starter Lite product, a free starter programming software used to program logic for the Allen-Bradley MicroLogix™ product family.

This vulnerability is not remotely executable, and successful social engineering is required to convince a victim of using the tool to open an untrusted, specifically modified project file on a target computer. A successful attack may potentially allow malicious code to execute on the target computer at the same privilege level as the logged-in user. The impact to the user’s environment is highly dependent on both the type of malicious code included in this attack and the mitigations that the user may already employ. Currently, there is no publicly available exploit code relating to this vulnerability.

Rockwell Automation has evaluated the report and confirmed the existence of this vulnerability in RSLogix™ Micro Starter Lite. We further investigated and confirmed this vulnerability in the additional versions of RSLogix 500® and RSLogix™ Micro. We have released updated software to address the associated risk. Customers using affected versions of this software are encouraged to upgrade to this newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

RSLogix™ Micro Starter Lite, Versions 10.00.00 and earlier
RSLogix™ Micro Developer, Versions 10.00.00 and earlier
RSLogix 500® Starter Edition, Versions 10.00.00 and earlier
RSLogix 500® Standard Edition, Versions 10.00.00 and earlier
RSLogix 500® Professional Edition, Versions 10.00.00 and earlier

A patch for v8.40.00 is available now and is only for v8.40.00, links are provided below. The remediation will also be available in the next major revision of the software. This advisory will be updated when additional versions are available.

VULNERABILITY DETAILS

The discovered vulnerability exists in the code that opens and parses the RSLogix 500 and RSLogix Micro project files, identified by the RSS extension. In order for this vulnerability to be exploited in RSLogix 500 and RSLogix Micro, an attacker must create a malicious RSS file, which is the native file format for this software package. If the malicious project file is opened by an affected version of the product, the buffer overflow condition is exploited. Likewise, if the attack is successful, the unknown code will run at the same privilege level as the user who is logged into the machine.

Exploitation of this vulnerability requires the attacker to successfully convince a user to open a modified project file on their machine.

Potential impacts from a successful attack could include a software crash (for example, Denial of Service) which then requires a software restart. However, in more extreme cases, the victim may not even be aware of vulnerability exploitation while an attacker has established a position on the client asset. A successful attack that includes malicious code injection may potentially grant the attacker the same or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.

CVE-2016-5814 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned; the CVSS v3 vector string is (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

RISK MITIGATIONS

The following precautionary measures are recommended as additional risk mitigation strategies for this type of attack. If possible, multiple strategies should be employed simultaneously.

Do not open untrusted .RSS files with RSLogix 500 and RSLogix Micro.

Customers using affected versions of RSLogix 500 and RSLogix Micro are encouraged to apply the patch that address associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks. (Note: Patch is for v8.40.00 ONLY! Do NOT apply to other versions!)

Product Family	Catalog Numbers	Software Versions	Suggested Actions
RSLogix Micro	9324-RLMx	8.40.00	878490 - Patch: Crash when opening project, RSLogix 500 8.40.00
RSLogix Micro	9324-RLMx	Versions 10.00.00 and earlier	Update to V11.00 or later (Download)
RSLogix 500	9324-RL0x	8.40.00	878490 - Patch: Crash when opening project, RSLogix 500 8.40.00
RSLogix 500	9324-RL0x	Versions 10.00.00 and earlier	Update to V11.00 or later (Download)

Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at 546989 - Using Rockwell Automation Software Products with AppLocker .
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation Security Advisory Index at 54102 - Industrial Security Advisory Index, and the company public security web page at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website at http://www.rockwellautomation.com/solutions/security.

If you have questions regarding this notice, please send an email to our product security inbox at: Secure@ra.rockwell.com.

ADDITIONAL LINKS

54102 - Industrial Security Advisory Index
878490 - Patch: Crash when opening project, RSLogix 500 8.40.00
ICS-CERT Advisory ICSA-16-224-02

·

Revision History:
14-FEB-2017 Version 1.1 Added details for V11.00.00.

KCS Status

Released

Medium

PN949 | PN949 | MicroLogix Controller Vulnerabilities

Published Date:

December 01, 2016

Last Updated:

December 01, 2016

CVE IDs:

CVE-2016-9338, CVE-2016-9334

Products:

MicroLogix Controller

CVSS Scores:

6.5, 2.7

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

MicroLogix Controller Vulnerabilities

Description

Version 1.0 - December 1, 2016

Rockwell Automation® was notified of several vulnerabilities discovered in the MicroLogix™ 1100 and MicroLogix 1400 versions of the product family. MicroLogix is a family of Programmable Logic Controllers ("PLC") used to control processes across several sectors, including Food and Agriculture, Critical Infrastructure to Water, and Wastewater Systems.

As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat-vector had the potential to affect other Rockwell Automation product platforms.

Details relating to these vulnerabilities, the known affected platforms, and recommended countermeasures are contained herein.

AFFECTED PRODUCTS

1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, Version 15.004 and earlier.
1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 14.000 and earlier.

VULNERABILITY DETAILS

Vulnerability #1: Hardcoded Usernames

Hardcoded username credentials on the MicroLogix 1100 and MicroLogix 1400 PLCs can reduce the effort required to obtain the full set of user credentials, which could allow unauthorized administrative access to device configuration options available through the web interface.

A CVSS v3 base score of 6.5 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability #2: Information Disclosure

Ilya Karpov reported to Rockwell Automation that user credentials, along with other information exchanged between browser and webserver are sent in clear text, which may allow an attacker to discover the credentials if they are able to observe traffic between the web browser and the server.

CVE-2016-9334 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability #3: Incorrect Permission Assignment for Critical Resource

Ilya Karpov reported to Rockwell Automation that a vulnerability exists in those instances where a user with administrator privileges goes to a specific link and remove all administrative users from the functional web service. A factory reset is required to remove the improper changes and restore the web service to this product.

CVE-2016-9338 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been assigned; the CVSS v3 vector string is: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

RISK MITIGATIONS

Customers using affected versions of the MicroLogix 1400 and MicroLogix 1100 PLCs are encouraged to update to the newest available software versions that address associated risks and include added improvements to further help harden the software and enhance its resilience against similar malicious attacks. If it is not needed for their application, customers should consider disabling the web server to further mitigate these threats.

Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. Employ multiple strategies when possible.

Update supported products based on this table:

Product Family	Catalog Numbers	Hardware Series	Vulnerabilities Remediated	Suggested Actions
MicroLogix 1100	1763-L16AWA 1763-L16BBB 1763-L16BWA 1763-L16DWD	Series B	Vulnerability #3: Permanent DoS	- Apply FRN 15.000 or higher (Downloads) - Disable the web server. See Item #2 below for details. - Apply the additional mitigations described below.
MicroLogix 1100	1763-L16AWA 1763-L16BBB 1763-L16BWA 1763-L16DWD	Series A	None	- Disable the web server. See Item #2 below for details. - Apply the additional mitigations described below.
MicroLogix 1400	1766-L32AWA 1766-L32AWAA 1766-L32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA	Series B	All Vulnerabilities	- Apply FRN 16.000 (Downloads) - Disable the web server. See Item #2 below for details. - Apply the additional mitigations below.
MicroLogix 1400	1766-L32AWA 1766-L32AWAA 1766-LK32BWA 1766-L32BWAA 1766-L32BXB 1766-L32BXBA	Series A	None	- Disable the web server. See Item #2 below for details. - Apply the additional mitigations belowmitigations below.

Disable the webserver on the MicroLogix 1100 or the MicroLogix 1400, as it is enabled by default. See 732398 - How to disable the web server in MicroLogix 1100 and 1400 for detailed instructions on disabling the web server.
Set the keyswitch to RUN to prohibit any re-enabling of the web server while the keyswitch is in this mode.
Use trusted software, software patches, anti-virus / anti-malware programs, and interact only with trusted web sites and attachments.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
We also recommend concerned customers continue to monitor this advisory, 54102 - Industrial Security Advisory Index and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation’s network and security services to enable assessment, design, implementation and management of validated, secure network architectures. For further information on our Vulnerability Management process, please refer to our Product Security Vulnerability FAQ document.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation, and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

ADDITIONAL LINKS

KCS Status

Released

Medium

PN929 | PN929 | Stratix® 5400 and Stratix 5410 ICMP IPv4 Packet Corruption Vulnerability

Published Date:

June 23, 2016

Last Updated:

June 23, 2016

Products:

Stratix 5400 Industrial Ethernet Switch, Stratix 5410 Ind Distribution Switch

CVSS Scores:

5.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Description

Version 1.0 - June 23, 2016

On May 13, 2016, Cisco disclosed a vulnerability in their Industrial Ethernet 4000 and 5000 Series switches. This vulnerability also impacts the Allen-Bradley Stratix® 5400 Industrial Ethernet Switches and the Allen-Bradley Stratix® 5410 Industrial Distribution Switches containing particular versions of IOS firmware. The discovered vulnerability is remotely exploitable and may allow an attacker to corrupt a subsequent packet traversing the device. At this time, both Rockwell Automation and Cisco are unaware of any publicly available exploit code.

Customers using affected versions of this software are encouraged to upgrade to the newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

Stratix 5400, Versions 15.2(2)EA1, 15.2(2)EA2
Stratix 5410, Versions 15.2(2)EB

No other Rockwell Automation Stratix products are currently known to be affected by this vulnerability. Stratix 5400 and Stratix 5410 Switches running any versions other than those listed above are not affected by this vulnerability.

To determine if your Stratix 5400 switch or Stratix 5410 switch is using the above firmware, please refer to KB55484: Upgrading or verifying Stratix Firmware.

VULNERABILITY DETAILS

A vulnerability in the packet processing microcode of Stratix 5400 and Stratix 5410 switches could allow an unauthenticated, remote attacker to corrupt packets enqueued on the device for further processing.

The vulnerability is due to improper processing of some Internet Control Message Protocol ("ICMP") IPv4 packets. An attacker could exploit this vulnerability by sending ICMP IPv4 packets to an affected device. A successful exploit could allow an attacker to corrupt the packet enqueued for transmission immediately after the anomalous packet. This may impact control traffic to the device itself (Address Resolution Protocol (ARP) traffic) or traffic transiting the device.

Cisco’s product security disclosure for their Industrial Ethernet 4000 and 5000 Series switches is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160513-ies

A CVSS v3 base score of 5.8 has been assigned to this vulnerability by Rockwell Automation. The CVSS v3 vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N).

CUSTOMER RISK MITIGATIONS AND REMEDIATION

Customers using affected versions of the Stratix 5400 and Stratix 5410 software are encouraged to upgrade to the newest available versions that address associated risk with this vulnerability. Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.

Upgrade affected products per the table below:

Product Hardware Series Mitigations

Stratix 5400 Industrial Ethernet Switches Series A Apply version 15.2(4)EA3 or newer (Download)

Stratix 5410 Industrial Distribution Switches Series A Apply version 15.2(4)EA3 or newer (Download)

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

ADDITIONAL LINKS

KCS Status

Released

High

PN930 | PN930 | FactoryTalk® EnergyMetrix™ Authentication Vulnerabilities

Published Date:

June 21, 2016

Last Updated:

June 21, 2016

CVE IDs:

CVE-2016-4522, CVE-2016-4531

Products:

FactoryTalk EnergyMetrix

CVSS Scores:

7.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Description

Version 1.0 - June 21, 2016

Rockwell Automation has internally discovered and remediated two authentication-based vulnerabilities in the Rockwell Software FactoryTalk® EnergyMetrix™ product. FactoryTalk EnergyMetrix is a web-enabled management software package that gives you access to critical energy information, and allows you to capture, analyze, store, and share energy data with key stakeholders using a standard web browser.

The first vulnerability concerns user credentials that are not immediately invalidated after an explicit logout action is performed by the user, which may allow an attacker to use these credentials in perpetuity. The second vulnerability is an SQL Injection vulnerability which may allow an attacker to access the FactoryTalk EnergyMetrix system without valid user credentials. Both vulnerabilities are exploitable remotely. At this time, there is no known publicly available exploit code relating to the vulnerabilities.

Rockwell Automation has examined associated vectors and revised product software has been released to address risks. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

FactoryTalk EnergyMetrix v2.10.00 and earlier

VULNERABILITY DETAILS

Authenticated User Token Remains Valid after Logout

When a user explicitly logs out of their FactoryTalk EnergyMetrix account, their authentication token is not immediately invalidated by the system. An attacker who obtained this token would be able to access the FactoryTalk EnergyMetrix system at the same privilege level as the user, by resending the captured token with their request.

CVE-2016-4531 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

SQL Injection

A SQL injection vulnerability allows privilege escalation by an anonymous user, which can result in access to administrative functions of the FactoryTalk EnergyMetrix system. A successful attack results in privileged access to the application and its data files but not to the underlying computer system. The impact of this vulnerability is highly dependent on the user’s environment and the level of privilege the web server service account has with its associated database.

CVE-2016-4522 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

RISK MITIGATIONS

Rockwell Automation recommends that asset owners evaluate the impact with each of these vulnerabilities within their environment, and apply the following suggested mitigations which are applicable. When possible, multiple strategies should be employed simultaneously.

Customers using affected versions of FactoryTalk EnergyMetrix software are encouraged to upgrade to the newest available software versions that address associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks.

Product Family	Catalog Numbers	Software Versions	Suggested Actions
FactoryTalk EnergyMetrix	9307-FTEM*	V2.10.00 and earlier	Apply version 2.20.00 or later; Version 2.30 or later is recommended. (Downloads)

Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
Configure and enable HTTPS on your EnergyMetrix server, which protects the confidentiality and integrity of information exchanged between the web browser and server.
Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

LINKS

Security Advisory Index, Knowledgebase article KB:54102

KCS Status

Released

PN886 | PN886 | MicroLogix Web Redirect Vulnerability

Published Date:

September 17, 2015

Last Updated:

September 17, 2015

Products:

MicroLogix Web Redirect

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

MicroLogix Web Redirect Vulnerability

Description

September 17, 2015 - Version 1.0

On August 11, 2015, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley MicroLogix 1400 product family. The researcher previously disclosed this information at the DEFCON 23 conference on August 8, 2015. The researcher publicly disclosed details relating to this vulnerability, including the existence of exploit code. However, at the time of publication, no known exploit code relating to this vulnerability has been released to the public. ICS-CERT published an alert (ICS-ALERT-15-225-02A) to cover this vulnerability.

As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has also reproduced the vulnerability in the MicroLogix 1400, and further discovered and reproduced the vulnerability in the MicroLogix 1100 product family. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.

Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.

AFFECTED PRODUCTS

1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, Version 15.002 and earlier.
1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 14.000 and earlier.

Rockwell Automation will resolve this vulnerability in the next minor revision of product firmware, currently expected to be available in the October 2015 timeframe. This advisory will be updated to provide upgrade information when it is available.

VULNERABILITY DETAILS

The vulnerability in the MicroLogix’s webserver allows an attacker to inject arbitrary web content into an unsuspecting user’s web browser by using a built-in feature to "redirect" outside web content into the product’s web pages. This outside web content could contain malicious content that would target the web browser when the content is rendered. The impact to the user’s automation system would be highly dependent on both the type of web exploits included in this attack and the mitigations that the user may already employ. The target of this type of attack is not the MicroLogix itself. Instead, the MicroLogix is used as a vehicle to deliver an attack to a device running a web browser.

A successful attack would not compromise the integrity of the device or allow access to confidential information contained on it. On rare occasions the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.

RISK MITIGATIONS

Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet
Locate control system networks and devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.

KCS Status

Released

Medium

PN869 | PN869 | RSView32 Weak Encryption Algorithm on Passwords

Published Date:

April 30, 2015

Last Updated:

April 30, 2015

Products:

RSView32

CVSS Scores:

4.9

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

RSView32 Weak Encryption Algorithm on Passwords

Description

April 30, 2015 - Version 1.0

A vulnerability has been discovered by Vladimir Dashchenko and Dmitry Dementjev, Information Security Analysts at Ural Security System Center (USSC), in the encryption approach used by specific versions of RSView32 software to protect the contents of a file containing user-defined passwords. The passwords stored within the file are used to authenticate users in order to grant access to the software and user-created content.

Rockwell Automation has verified the validity of Mr. Dashchenko and Dementjev’s discovery and a software patch has been release for RSView32 that enhances the security of the mechanism used to create, manage and make-use of user-defined passwords by the software. Customers who continue to use affected versions of the software are encouraged at a minimum to apply this patch, or migrate to more contemporary Rockwell Automation solutions. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

The following software has been confirmed to be susceptible to the reported vulnerability:

Software Name	Version
RSView32	All software versions up to and including RSView32 - 7.60.00 (CPR9 SR4)

VULNERABILITY DETAILS, RISK and POTENTIAL IMPACTS

A vulnerability has been discovered in the encryption approach used by RSView32 to create a password storage file used with the software.

User-defined usernames and passwords for RSView32 are stored within the users.act file. The associated weakness in the file is a result of the software using a weak and outdated encryption algorithm. The technology weakened password complexity prior to encrypting the password. In addition, the algorithm’s strength has decreased over time as compared to more contemporary encryption technologies. Content encrypted with this older algorithm, such as the users.act file, may be susceptible to unauthorized decryption. If successfully exploited, user-defined passwords can be learned.

For such exposure, an attacker must first gain access to the specific password storage file, or to a copy of the file that is stored local to the RSView32 product. In order to gain such access, the security of the local machine would need to be compromised in some way to allow local or remote access, or some form of successful social-engineering would be needed to convince a victim to grant access to, or supply the particular file to a malicious third party. To make use of the passwords to access user-defined RSView32 protected content, an attacker would similarly need to reverse-engineer the decryption algorithm to learn the plain text, before being able to authenticate and gain access to that protected content.

At this time there is no known publicly available exploit code.

CUSTOMER RISK MITIGATION AND REMEDIATION

A software patch has been released for RSView32 to mitigate risk associated with the discovered vulnerability. Customers using affected versions of the RSView32 are encouraged to apply this patch and take added precautions as outlined herein.

Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.

Apply the following patch if using an affected software version:

Software

Catalog Number

Affected Software

Recommendation

RSView32

9301-2SEx

All software versions
prior to, not including
RSView32 - 7.60.00 (CPR9 SR4)

>>>

Apply reference software patch:

RSView32 - 7.60.6.11

https://rockwellautomation.custhelp.com
/app/answers/detail/a_id/635640

Limit access to assets with RSView32 and other software only to authorized personnel.
Restrict network access to assets with RSView32 and other software as appropriate.
Use trusted software and software patches that are obtained only from highly reputable sources.
Interact with, and only obtain software and software patches from trustworthy websites.
Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
Follow good network design practices that include network separation and segmentation, use of DMZs with properly configured firewalls to selectively control and monitor traffic passed between zones and systems.
Maintain layered physical and logical security, defense in depth design practices for the ICS.
Reaffirm with employees the importance for constant vigilance, especially the ongoing potential for social engineering attacks to manipulate otherwise normal user behaviors.
Upgrade the affected product to a more contemporary, in-support product and compatible operating system; Establish a patch management and product upgrade strategy too*

*ONGOING RISKS AND PRODUCT MIGRATION
The RSView32 product has inherent technical limitations that are likely to make subsequent security patches more difficult, if not altogether infeasible in the future. Furthermore, RSView32 is not compatible with certain contemporary versions of the Microsoft Windows® operating system. While this particular product patch helps to mitigate a very specific security risk, it has no positive effect on other known and unknown vulnerabilities in the Windows OS on which the product is installed and operates. In addition, some Windows versions (with which the product still operates) are no longer in support by the manufacturer, yet they are known to be highly susceptible to a variety of significant, unpatchable security risks.

We recommend customers consider upgrading their software and compatible operating systems to more contemporary versions everywhere possible. In parallel, customers should adopt measures to keep products current and patched.

For those customers who choose to continue using RSView32, we strongly recommend they upgrade the operating system on which the product runs to a compatible version that is as current as possible and is still in support by the manufacturer. When this compatibility can no longer be assured, or the operating system support expires, Rockwell Automation stands ready to help our customers migrate to contemporary solutions as we also help protect and leverage their previous investments.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

Medium

PN852 | PN852 | RSLinx Classic File Input Buffer Overflow in OpcTest.exe

Published Date:

April 20, 2015

Last Updated:

April 20, 2015

Products:

RSLinx Classic (Single Node

CVSS Scores:

6.9

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

RSLinx Classic File Input Buffer Overflow in OpcTest.exe

Description

April 20, 2015 - version 1.0

A vulnerability has been discovered by independent researcher Ivan Javier Sanchez in a non-critical software component distributed with certain versions of the RSLinx Classic product. The included executable, OpcTest.exe, is a test client for RSLinx’s support of the OPC-DA protocol. The discovered vulnerability is not remotely exploitable and successful social engineering is required to convince a victim to use the test client to open an untrusted, specifically modified CSV file on a target computer. A successful attack may potentially allow malicious code to execute on the target computer at the same privilege level as OpcTest.exe. At this time there is no known publicly available exploit code.

Rockwell Automation has verified the validity of Mr. Sanchez’ discoveries and a new software release has been issued for RSLinx Classic that includes a new version of OPCTest.exe to address the associated risk. Customers using affected versions of this software are encouraged to upgrade to this newest available software version. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

The following software has been confirmed to be susceptible to the reported vulnerability:

Software Name	Version
RSLinx Classic	All versions prior to, not including 3.73.00

VULNERABILITY DETAILS, RISK and POTENTIAL IMPACTS

OpcTest.exe has a capability to import a comma-separated values (CSV) file, containing lists of tags and groups, so that the software user can easily subscribe to these items from the RSLinx Classic software. The discovered vulnerability is within the OpcTest.exe code that parses this CSV content. In certain cases where a uniquely crafted or altered file is used, the OpcTest.exe parser code execution can encounter a buffer overflow, which has potential to modify the stack and allow the execution of unknown code on the affected computer. If successful, such unknown code will be running at the same privilege level as the user who is logged into the machine.

Exploitation of this vulnerability requires an attacker to convince a user to introduce or replace CSV files with specifically created or modified CSV files that have been constructed to use this buffer overflow condition to successfully execute malicious code.

Potential impacts from a successful attack could include a software crash (e.g. Denial of Service) thereby requiring a software restart. In more extreme cases, the victim may not even be aware of vulnerability exploitation while an attacker has established a position on the client asset. A successful attack that includes malicious code injection may potentially grant the attacker the same, or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.

CUSTOMER RISK MITIGATION AND REMEDIATION

Customers using affected versions of the RSLinx Classic are encouraged to upgrade to the newest available software versions that address associated risk and include added improvements to further harden the software and enhance its resilience against similar malicious attacks. Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.

Do not open untrusted CSV files with OPCtest.exe

Upgrade affected products as follows:

Software

Catalog Number

Affected Software

Recommendation

RSLinx Classic

9355-WABSNENE; 9355-WABOEMENE; 9355-WABGWENE

All software versions prior to 3.72.00.01

>>>

Upgrade to 3.73.00 or higher (available now)

Choose "RSLinx Classic (9355-WABx)" -- http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?keyword=9355-WAB

Limit access to those assets with RSLinx Classic and other software to authorized personnel.
Run all software as User, not as an Administrator.
Restrict network access to assets with RSLinx Classic and other software as appropriate.
Use trusted software and software patches that are obtained only from highly reputable sources.
Interact with, and only obtain software and software patches from trustworthy websites.
Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
Follow good network design practices that include network separation and segmentation, use of DMZs with properly configured firewalls to selectively control and monitor traffic passed between zones and systems.
Maintain layered physical and logical security, defense in depth design practices for the ICS.
Reaffirm with employees the importance for constant vigilance, especially the ongoing potential for social engineering attacks to manipulate otherwise normal user behaviors.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

Medium

PN851 | PN851 | FactoryTalk Services Platform and FactoryTalk View Studio DLL Hijacking Vulnerability

Published Date:

February 12, 2015

Last Updated:

February 12, 2015

Products:

FactoryTalk View SE, FactoryTalk View ME

CVSS Scores:

6.9

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

FactoryTalk Services Platform and FactoryTalk View Studio DLL Hijacking Vulnerability

Description

February 12, 2015 - version 1.0

A vulnerability has been discovered by independent researcher Ivan Javier Sanchez in software components that comprise and are shared by the FactoryTalk Services Platform used in FactoryTalk-branded product and FactoryTalk View Studio.

These vulnerabilities are not exploitable remotely without user interaction. The exploits are only triggered when a local user runs the vulnerable application, and it loads the malformed DLL file. Exploiting this vulnerability relies on successful social engineering of a victim to run an untrusted file or to access a malicious webpage using a browser susceptible to redirection. These actions could allow an untrusted binary or DLL to be loaded into the memory of a client computer.

At this time there is no known publicly available exploit code.

Rockwell Automation has verified the validity of Mr. Sanchez’ discoveries and released new FactoryTalk Services Platform and FactoryTalk View Studio software to address associated risk. Customers using affected versions of this software are encouraged to upgrade to the newest available software versions or apply appropriate patches as indicated below. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures are provided herein.

AFFECTED PRODUCTS

The following software has been confirmed to be susceptible to the reported vulnerability:

Software Name	Version	Verify Software Version Method
FactoryTalk Services Platform (FTSP)	All versions prior to and not including 2.71	Software version can be verified using Windows Add/Remove programs utility
FactoryTalk View Studio	Version 8.00.00 and all prior versions	Software HelpAbout

VULNERABILITY DETAILS, RISK and POTENTIAL IMPACTS

It was discovered that certain DLLs (Dynamic Link Library) that are included with older versions of FactoryTalk Services Platform and View Studio software can be potentially hijacked to allow an attacker to gain access rights to a victim’s affected PC. Such access rights can be at the same, or potentially higher level of privileges as the compromised user account, including up to computer administrative privileges.

DLL hijacking is a known and documented vulnerability affecting Microsoft Windows operating systems. Exploitation of this vulnerability typically requires social engineering to successfully introduce a malicious DLL onto a target computer and within a specific file directory set as the default DLL search path for the particular edition of Microsoft Windows operating system.

To exploit this vulnerability, an attacker would either have to breach account access or get someone to install software or a specific DLL that was not approved. The malicious DLL would need to be installed onto the target computer in a specific file directory set as the default DLL search path for the particular edition of Microsoft Windows operating system.

When a DLL vulnerability is exploited, trusted software can unknowingly load an untrusted DLL in place of the intended DLL. Its effects can range from a software crash (i.e. Denial of Service) requiring software restart, to more significant events such as the injection of malicious code into trusted processes. The malicious code can also access process memory space that may store sensitive information or additional services that may be manipulated by the modified DLL.

CUSTOMER RISK MITIGATION AND REMEDIATION

Although there are no known exploits at this time, customers using affected versions of the FactoryTalk Services Platform and View Studio are encouraged to upgrade to the newest available software versions where possible, or to apply appropriate patches.

Upgrade affected products as follows:

Software

Catalog Number

Affected Firmware

Recommendation

FactoryTalk Services Platform (FTSP)

N/A

All software versions prior to and not including 2.71.00

>>>

Upgrade to V2.71.00 or higher (available now)

If an upgrade is not currently possible, apply Patch V2.70.00: KB#631115

Note: This software is included with Studio 5000™ software Version 24 and higher.

FactoryTalk View Studio

9701-VWSS000LENE

Version 8.00.00 and all prior versions

>>>

Apply software patch for V8.00.00 or higher: KB#631115

Note: When available, FactoryTalk View Studio V8.10.00 will include this standalone software patch.

If a patch is not available for your system, customers are still advised to maintain good practices to not allow unauthorized access/software in their production systems.

Where feasible, additional precautions and risk mitigation strategies to this type of attack, like those listed below are similarly recommended. When possible, multiple strategies should be employed simultaneously.

Limit access to those assets with FactoryTalk branded software, including View Studio and other software to authorized personnel
Run all software as User, not as an Administrator
Restrict network access to assets with FactoryTalk branded software, including View studio and other software as appropriate
Use trusted software and software patches that are obtained only from highly reputable sources.
Interact with, and only obtain software and software patches from trustworthy websites.
Where possible, run only the newest versions of reputable web browsers that include enhanced protections against browser redirection.
Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
Follow good network design practices that include network separation and segmentation, use of DMZs with properly configured firewalls to selectively control and monitor traffic passed between zones and systems.
Maintain layered physical and logical security, defense in depth design practices for the ICS
Reaffirm with employees the importance for constant vigilance, especially the ongoing potential for social engineering attacks to manipulate otherwise normal user behaviors.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

High

PN841 | PN841 | Connected Components Workbench (CCW) ActiveX Component Vulnerability

Published Date:

November 03, 2014

Last Updated:

November 03, 2014

Products:

Connected Components Workbench

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Connected Components Workbench (CCW) ActiveX Component Vulnerability

Description

Original Release: October 14, 2014 - Version 1.0

November 3, 2014 - Version 1.1 (UPDATE-A)

<<< START UPDATE-A >>>

A vulnerability has been reported affecting two custom ActiveX components provided with the Connected Components Workbench (CCW) software. If exploited, it will crash a targeted component and it can potentially allow for arbitrary code injection on the computer hosting the component. The vulnerability is both locally and remotely exploitable via a successful social engineering attack, such as an attack that targets a victim or victims via a phishing campaign. At this time there is no known publicly available exploit code.

<<< END UPDATE-A >>>

Rockwell Automation has verified the validity of the vulnerability claim and released a new software build, Version 7.00.00 to address associated risk. In parallel, other CCW software components in this new build have been bolstered as a result of the company’s focus on security-quality and continuous improvement. All customers using CCW software prior to Version 7.00.00 are strongly encouraged to upgrade to Version 7.00.00 or newer at their earliest convenience. Refer to the following for additional details relating to the vulnerability, affected product and recommended countermeasures.

AFFECTED PRODUCTS

All software versions prior to and including Version 6.01.00 of Connected Component Workbench (CCW) Software
Note: CCW Version 7.00.00 and higher are not susceptible to the reported vulnerability.

EXPOSURE

All computers with Connected Component Workbench (CCW) Software Version 6.01.00 and earlier.
Note: CCW Version 7.00.00 and higher are not susceptible to the reported vulnerability.

<<< START UPDATE-A >>>

VULNERABILITY DETAILS

The reported CCW ActiveX vulnerability is the result of a software coding error that was further compounded by the use of an older version of a compiler used to create the custom ActiveX components. The vulnerability allows an attacker to send an arbitrary, out of range value to a particular property of an affected ActiveX component to crash its operation and then potentially allow for an execution of unauthorized code on the computer hosting the software.

Neither the CCW software, nor the vulnerable ActiveX components necessarily need to be running for an attack to be successful.

The attack vector to exploit this vulnerability first requires a user with local access to the computer containing both a susceptible ActiveX component and a container to either knowingly or unknowingly execute some form of malicious code. Such code could likely be delivered via the loading of an infected webpage or some document opened in a web browser or other container capable of running ActiveX controls. A plausible attack scenario could begin with a phishing attack, whereby a victim is convinced to open and run a malicious HTML file or other such infected file, or to visit a maliciously-altered webpage that has been tailored to specifically exploit this vulnerability in an affected ActiveX component.

<<< END UPDATE-A >>>

Potential impacts from a successful attack could include a simple crash of CCW software (e.g. Denial of Service), thereby requiring a software restart to recover from the crash. In more extreme cases, the victim may not even be aware of vulnerability exploitation since neither CCW nor an affected ActiveX component needs to be running for an attacker to inject malicious code to the susceptible software component. A successful attack that includes malicious code injection may potentially grant the attacker the same, or higher privilege-level as the victim on the affected computer, up to and including computer administrative privileges.

RISK MITIGATION AND REMEDIATION

A new version of CCW software, Version 7.00.00 has been released to address associated risk with the vulnerability in the affected ActiveX components. This same software release also includes added software improvements to enhance product security and resilience against similar malicious attacks. All customers using CCW software are encouraged to upgrade to Version 7.00.00 or newer at their earliest convenience.

The following immediate mitigation strategies are recommended. When possible, multiple strategies should be employed simultaneously.

Upgrade Connected Component Workbench (CCW) software as follows:

Software

Catalog Number

Affected Firmware

Recommendation

Connected Component Workbench (CCW) Software

CCW - Free and Developer Edition (Dev Ed)

All CCW software versions prior to, and including Version 6.01.00

Upgrade to CCW Version 7.00.00 or higher

(available now).

Refer to additional recommended risk mitigations as provided herein.

Current CCW software can be obtained here:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?crumb=112

Product Search: CCW Version: 7.00.00 (or higher)

Limit access to computers with Connected Components Workbench (CCW) to only authorized personnel.
Run Connected Components Workbench (CCW) software as User, not as an Administrator
Use only trusted software and software patches, and download and interact only with trusted files and webpages.
Restrict network access for computers that include Connected Components Workbench software.
Where possible, run newest version of Internet Explorer web browser and other ActiveX containers.
Where possible, disable ActiveX capabilities in web browsers or consider using browsers without ActiveX support.
Closely scrutinize any user-prompts received from web browsers or other ActiveX containers.
Employ layered security, defense-in-depth methods, including administrative controls such as emloyee training and awareness, and technical controls such as network segregation and segmentation practices in the system design to restrict and control access to individual products and control networks.

Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

High

PN836 | PN836 | MicroLogix 1400 DNP3 Denial of Service Vulnerability

Published Date:

September 09, 2014

Last Updated:

September 09, 2014

Products:

MicroLogix 1400 DNP3

CVSS Scores:

7.5

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

MicroLogix 1400 DNP3 Denial of Service Vulnerability

Description

September 9, 2014 - Version 1.0

Rockwell Automation was notified by independent researcher Matthew Luallen of CYBATI (https://cybati.org/) and ICS-CERT of a Denial of Service (DoS) vulnerability to the DNP3 implementation of the Allen-Bradley MicroLogix 1400 controller platform. At this time, there is no known publicly available exploit code relating to the vulnerability. Rockwell Automation has verified Mr. Luallen’s discovery and released revised product firmware to address associated risk. Refer to the following for additional details relating to the vulnerability, affected product and recommended countermeasures.

AFFECTED PRODUCTS
In collaboration with Mr. Luallen, Rockwell Automation has determined certain Allen-Bradley MicroLogix 1400 controller platforms are affected by this vulnerability:

1766-Lxxxxx Series A FRN 7 or earlier;
1766-Lxxxxx Series B FRN 15.000 or earlier

Note: DNP3 communication is disabled by default in the product.

VULNERABILITY DETAILS
DNP3 communication is disabled by default in the MicroLogix 1400 product. If the DNP3 capability is enabled, specific versions of the product become susceptible to a Denial of Service (DoS) attack that can be triggered when the product receives a particular series of malformed packets over its Ethernet or local serial ports that are directed at the link layer DNP3 header.

Successful exploitation of this vulnerability results in a disruption of the DNP3 application layer process and a loss of product communication and availability on the network, thereby resulting in a denial of service condition. Exploitation of the vulnerability can be triggered remotely and the attack is repeatable. Furthermore, the DoS results will be successful regardless of controller’s mode switch setting.

Product recovery from the denial of service condition requires a power cycle, yet the product will remain susceptible to subsequent attacks until the vulnerability is addressed or the threat is adequately mitigated or removed.

RISK MITIGATIONS
A new version of MicroLogix 1400 Series B firmware has been released to address the vulnerability and reduce associated risk to successful exploitation. Subsequent versions of MicroLogix 1400 Series B firmware and newer will incorporate these same enhancements.

The following immediate mitigation strategies are recommended. When possible, multiple strategies should be employed simultaneously.

1. Upgrade all MicroLogix 1400 controllers per the following table:

Controller Platform

Catalog Number

Affected Firmware

Recommendation

MicroLogix 1400

1766-L32xxxx

Series B FRN 15.000 and earlier.

Series A

à

Upgrade to Series B FRN 15.001 or higher (available now).

Refer to additional recommended risk mitigations as provided herein.

Current firmware for the MicroLogix 1400 Series B platform can be obtained here:

http://www.rockwellautomation.com/rockwellautomation/support/pcdc.page

2. Do not enable DNP3 communication in the product unless required.

3. Where appropriate, prohibit DNP3 communication that originates outside the perimeter of the Manufacturing Zone from entry into the Zone by blocking communication directed at Ethernet communication port 20000/TCP* and 20000/UDP* using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

*Note: Ports 20000/TCP and 20000/UDP are factory defaults as per the DNP3 specification, but can be reconfigured by the product owner.

4. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

5. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

6. Employ layered security, defense-in-depth methods and network segregation and segmentation practices in system design to restrict and control access to individual products and control networks. Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and http://www.rockwellautomation.com/security for new and relevant information relating to this matter.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Flagged - Formatting

Medium

PN792 | PN792 | FactoryTalk Activation Manager Unnecessary Third-party Service

Published Date:

November 08, 2013

Last Updated:

November 08, 2013

Products:

Third Party, FactoryTalk Services Platform

CVSS Scores:

5.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

FactoryTalk Activation Manager Unnecessary Third-party Service

Description

November 8, 2013 - version 1.0

During the installation of FactoryTalk Activation Manager, a software service from SafeNet Technologies called the Sentinel Local License Manager is automatically installed along with drivers for the USB activation dongles sometimes used with FactoryTalk Activation. These USB dongles are manufactured by SafeNet Technologies.

The Sentinel Local License Manager service is configured to start automatically on the Windows host. Furthermore, the service listens on three (3) communication ports: 1947/TCP, 1947/UDP, and an additional variable UDP port.

Recent evaluation of FactoryTalk Activation manager has determined the Sentinel Local License Manager service is unnecessary when SafeNet USB activation dongles are used with FactoryTalk Activation. The service is also unnecessary or for the operation of any Rockwell Automation products.

Additionally, security testing has identified the Sentinel Local License Manager service may fail when the specific communication ports it listens on become overwhelmed, or when specifically crafted traffic is directed at these ports and the accompanying service. The failure of the Sentinel service is trapped in software. No indications have been observed for potential code injection or successful escalation of privilege on the host.

To date, we are not aware of any known cases of successful exploitation of this vulnerability in FactoryTalk Activation Manager. Furthermore, we are not aware of publicly available proof of concept exploit code.

AFFECTED PRODUCTS

FactoryTalk Activation Manager v3.30 and greater on all Microsoft Windows operating systems is affected.

RISK MITIGATION

Rockwell Automation recommends disabling the SafeNet Sentinel Local License Manager service (hasplms.exe) unless specifically required by a non-Rockwell Automation application. Instructions for performing this operation are found in Knowledge Base (AID:570831). In addition, when a host-based firewall is available, we recommend blocking communication ports 1947/TCP and 1947/UDP on the host computer.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

PN744 | PN744 | MicroLogix, SLC 500 and PLC5 Controller Vulnerability

Published Date:

August 02, 2013

Last Updated:

August 02, 2013

Products:

MicroLogix, SLC 500 and PLC5 Controller Vulnerability

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

MicroLogix, SLC 500 and PLC5 Controller Vulnerability

Description

Released: October 26, 2012

Updated: August 2, 2013 <Update A>

On September 14, 2012, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley MicroLogix 1400 controller platform. Details relating to this vulnerability, including the existence of exploit code, have been made public by the researcher at various training events. At this time, no known exploit code relating to this vulnerability has been released to the public.

On October 2, 2012 Rockwell Automation independently initiated and maintained direct contact with the researcher to obtain pertinent facts relating to this matter due to lack of sufficient details shared through ICS-CERT. We continue to work with the researcher directly and keep him apprised of the expanded scope of impact from his initial findings.

As a matter of course, Rockwell Automation expanded scope of this evaluation beyond the MicroLogix 1400 platform in order to determine if this same threat-vector has potential to impact other A-B controller platforms. Rockwell Automation has reproduced the vulnerability. Due to the breadth of platforms potentially affected, we have been conducting thorough evaluations to ensure completeness in our risk assessment and mitigation process.

Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.

AFFECTED PLATFORMS
Rockwell Automation has determined the following A-B products are affected by this vulnerability:

MicroLogix 1100 controller
MicroLogix 1200 controller (all versions prior to 13.000)
MicroLogix 1400 controller
MicroLogix 1500 controller (all versions prior to 13.000)
SLC 500 controller platform
PLC5 controller platform

VULNERABILITY DETAILS

MicroLogix Controller Platform
The vulnerability in the MicroLogix controller platform occurs due to inadequate write protection measures on the controller’s Status file.

The MicroLogix controller is susceptible to a remotely exploitable Denial of Service (DoS) attack should it receive certain messages that change specific status bits in the controller’s Status file. Under these specific conditions, an attack will be successful regardless of controller’s mode switch setting. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.

SLC 500 Controller Platform
The vulnerability in the SLC 500 controller platform occurs when the controller’s Status file property is not set to "Static," thereby allowing changes to the file contents.

When the SLC 500’s Status file is not configured to "Static," the SLC 500 controller is susceptible to a remotely exploitable Denial of Service (DoS) attack when it receives certain messages that change specific bits in its Status file. Under these specific conditions, an attack will be successful regardless of controller’s mode switch setting. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.

PLC5 Controller Platform
The vulnerability in the PLC5 controller platform occurs when the controller’s "Password and Privileges" feature is disabled.

When the Passwords and Privileges feature of the PLC5 controller is not enabled, the PLC5 controller is susceptible to a remotely exploitable Denial of Service (DoS) attack when it receives certain messages that change specific bits in its Status file. Under these specific conditions, an attack will be successful regardless of controller’s mode switch setting. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction.

RISK MITIGATIONS

MicroLogix Controller Platform

Product	Recommended Action
MicroLogix 1100 controller	Upgrade product firmware to release 13.000 or greater http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html
MicroLogix 1200 controller	Upgrade product firmware to release 13.000 or greater http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html
MicroLogix 1400 controller	Upgrade product firmware to release 14.000 or greater http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html
MicroLogix 1500 controller	Upgrade product firmware to release 13.000 or greater http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html

In addition to the above product-level mitigations, Rockwell Automation recommends the following mitigation strategies to help reduce the likelihood of compromise and the associated security risk. When possible, multiple strategies should be employed simultaneously:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

3. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

4. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

5. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/

We will communicate additional mitigation strategies to our concerned customers should more direct product-level mitigations be developed that can further reduce associated risk from this vulnerability.

SLC 500 Controller Platform
Remote attempts to write data to the SLC 500 platform’s Status file are ignored and discarded by setting the controller’s Status file properties to "Static" via RSLogix 500 software.

Rockwell Automation recommends where possible that the Status file "Static" configuration setting be enabled to reduce the likelihood of successful exploitation of the vulnerability. The "Static" file property setting is configured in the Status File Properties page of RSLogix 500 software.

PLC5 Controller Platform
Remote attempts to write data to the PLC5 platform’s Status file are ignored and discarded by using the controller’s "Password and Privileges" feature, configured via RSLogix 5 software.

Rockwell Automation recommends where possible that the Passwords and Privileges feature be enabled to reduce the likelihood of successful exploitation of the vulnerability.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

High

PN759 | PN759 | FactoryTalk Diagnostics and RSLinx Enterprise Software Vulnerability

Published Date:

June 28, 2013

Last Updated:

June 28, 2013

Products:

FactoryTalk Linx / RSLinx Enterprise

CVSS Scores:

7.8

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

FactoryTalk Diagnostics and RSLinx Enterprise Software Vulnerability

Description

April 5, 2013

Updated: June 28, 2013

Rockwell Automation was notified through ICS-CERT that Carsten Eiram from the security firm, Risk Based
Security (www.riskbasedsecurity.com) identified vulnerabilities that affect a software component of the
FactoryTalk™ Service Platform (RNADiagnostics.dll) and two software components of RSLinx Enterprise
software (LogReceiver.exe and Logger.dll). These vulnerabilities have been confirmed to be remotely
exploitable which can lead to termination of affected software services and Denial of Service conditions.

To date, Rockwell Automation is not aware of any known cases of successful exploitation of these
vulnerabilities in operational systems. Furthermore, we are not aware of publicly available proof of
concept exploit code.

Rockwell Automation worked directly with Mr. Eiram to verify his findings, determine root cause and
validate the resulting software patches being issued for the FactoryTalk Services Platform and RSLinx
Enterprise software. Given the company’s focus on continuous improvement, added steps are being taken to
further enhance the development and testing processes associated with these products. As a result,
additional product hardening enhancements have been included in the referenced software patches and will
continue to be deployed via forthcoming product releases.

AFFECTED PRODUCTS

All FactoryTalk-branded software, including CPR9-SR0 through SR6
All RSLinx Enterprise software, prior to and including CPR9 and CPR9-SR1 through SR6

VULNERABILITY DETAILS AND IMPACTS

FACTORYTALK SERVICES PLATFORM
(RNADiagnostics.dll)

The software components exhibit a vulnerability as a result of missing input validation and improper
exception handling with streaming data. A specially crafted packet sent to TCP port 5241 will result in
a crash of the RsvcHost.exe service. A successful attack will result in the following:

Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4445.
Crash condition that disrupts further execution of the RNADiagnostics.dll or RNADiagReceiver.exe
diagnostic service.

The vulnerability can be exploited remotely from a network-based attack; however, no possibility of
malicious code injection or escalation of privilege on the host machine is known to result from
successful exploitation. There is also no indication that exploitation will directly disrupt operation
of a Rockwell Automation programmable controller, operator interface or other networked device connected
elsewhere in the local control system.

RSLINX ENTERPRISE SOFTWARE
(LogReceiver.exe and Logger.dll)

These software components exhibit a vulnerability as a result of a logic error in the service’s handling
of incoming requests on UDP port 4444 (user-configurable, but not enabled by default) of zero or large
byte datagrams. When successfully exploited, the vulnerability will cause the thread receiving data to
exit, resulting in the service silently ignoring further incoming requests. A successful attack will
result in two respective conditions:

Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4444.
Crash condition that disrupts further execution of the LogReceiver.exe

The vulnerability can be exploited remotely with the potential for code injection; however, no
possibility of escalation of privilege on the host machine is known to result from successful
exploitation. Although theoretical, a possibility of remote code execution has been identified. There
is also no indication that exploitation will directly disrupt operation of a Rockwell Automation
programmable controller, operator interface or other networked device connected elsewhere in the local
control system.

< Update Start>

As a result of additional analysis conducted by Risk Based Security, Inc. of the LogReceiver.exe service, additional enhancements have been made to the LogReceiver.exe to further increase resiliency of the service.

< Update End >

RISK MITIGATION

Software patches for affected FactoryTalk Services Platform and RSLogix Enterprise software are being
released to mitigate associated risk:

Product Description	Affected Versions	Recommendations
FactoryTalk Services Platform (FTSP)	CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4,	Upgrade to FTSP CPR9-SR5 or newer
	CPR9-SR5	Apply patch: AID#522048 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522048
	CPR9-SR5.1	Apply patch: AID#522049 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522049
	CPR9-SR6	Apply patch: AID#522052 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/522052

Product Description	Affected Versions	Recommendations
RSLinx Enterprise	CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4,	Upgrade to RSLinx CPR9-SR5 or newer
	CPR9-SR5	Apply patch: AID# 544798 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/544798 Update: AID# 534705 has been replaced with AID: 544798 which includes additional security enhancements.
	CPR9-SR5.1	Apply patch: AID# 545535 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/545535 Update: AID# 537302 has been replaced with AID: 545535 which includes additional security enhancements.
	CPR9-SR6	Apply patch: AID#545537 https://rockwellautomation.custhelp.com/app/answers/detail/a_id/545537 Update: AID# 535962 has been replaced with AID: 545537 which includes additional security enhancements.

Corrective actions have been taken to help ensure subsequent software versions of FactoryTalk Services
Platform, including FactoryTalk Diagnostics, and RSLinx Enterprise will remain free of this
vulnerability.

In addition to applying the above patches, to help further reduce the likelihood of compromise and the
associated security risk, Rockwell Automation recommends the following immediate mitigation strategies.
When possible, multiple strategies should be employed simultaneously:

The RNADiagReceiver.exe service should only run on servers that will receive diagnostics from PanelView
Plus terminals. It is advisable to disable this service via Microsoft Windows Service Control Panel for
servers that do not require this service.
Configure firewalls to block the following TCP ports to prevent traversal of RNA messages into/out of
the ICS system:

1330
1331
1332
4241
4242
4445
4446
5241
6543
9111
60093
49281

We also recommend concerned customers remain vigilant and continue to follow security strategies that
help reduce risk and enhance overall control system security. Where possible, we suggest you apply
multiple recommendations and complement this list with your own best-practices:

Employ layered security and defense-in-depth methods in system design to restrict and control access to
individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for
comprehensive information about implementing validated architectures designed to deliver these measures.
Restrict physical and electronic access to automation products, networks and systems to only those
individuals authorized to be in contact with control system equipment and perform product firmware
upgrades to that equipment.
Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

Concerned customers are encouraged to continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information
relating to this matter.

For more information and for assistance with assessing the state of security of your existing control
system, including improving your system-level security when using Rockwell Automation and other vendor
controls products, you can visit the Rockwell Automation Security Solutions web site at
http://www.rockwellautomation.com/solutions/security

KCS Status

Released

PN758 | PN758 | Stratix 5700, 8000 and 8300 Weak Password Vulnerability

Published Date:

April 02, 2013

Last Updated:

April 02, 2013

Products:

Ethernet/IP Network

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Stratix 5700, 8000 and 8300 Weak Password Vulnerability

Description

April 2, 2013 - version 1.0

Rockwell Automation has become aware of a weak password protection implementation affecting Allen-Bradley brand Stratix™ managed Ethernet switch firmware. This weakness affects Stratix 5700, 8000 and 8300 managed switches products that contain particular versions of IOS® firmware that employ a Type 4 (SHA256) cryptographic password hash algorithm.

Due to an implementation issue in affected IOS versions, a user-provided password that has been hashed using the IOS Type 4 algorithm implementation is less resilient to brute-force attacks than a Type 5 hashed password of equivalent complexity. Successful exploitation of this weakness can lead to unauthorized access to the product.

To date, we are not aware of any known cases of successful exploitation of this vulnerability in Stratix 5700, 8000 or 8300 products. Furthermore, we are not aware of publicly available proof of concept exploit code.

AFFECTED PRODUCTS
The following Stratix managed Ethernet switches are affected:

Stratix 5700 firmware release 15.0(1)EY1. This firmware ships on all Stratix 5700 catalog items.
Stratix 8000 firmware release 15.0(2)SEIES. This firmware is known as release 7 and was released in January 2013. This firmware does not, and has never shipped on the Stratix 8000. It would reside on a Stratix 8000 only after the product’s initial shipment and only if intentionally downloaded to the hardware.
Stratix 8300 firmware release 15.0(2)SEIES. This firmware is known as release 7 and was released in January 2013. This firmware does not, and has never shipped on the Stratix 8300. It would reside on a Stratix 8300 only after the product’s initial shipment and only if intentionally downloaded to the hardware.

To determine if a Stratix 8000 or Stratix 8300 is using the above firmware, you can reference the software field located on the dashboard of Device Manager or the IOS Release field on the switch status tab located in the RSLogix 5000 Stratix Add on Profile.

RISK MITIGATION
For details and recommended action to mitigate this security vulnerability in products that contain the affected IOS, go to the following Cisco web site.

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4

In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:

Where feasible, use a unique and complex password for products so as to help reduce the risk that multiple products could be compromised as a result of a single password becoming learned.
Where feasible, adopt password management practices to periodically change product passwords to help mitigate risk for passwords to remain usable for an extended period of time.
Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

Critical

PN561 | PN561 | Client Software Authentication Security Vulnerability in MicroLogix™ Controllers

Published Date:

March 19, 2013

Last Updated:

March 19, 2013

Products:

MicroLogix Controllers

CVSS Scores:

10

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Client Software Authentication Security Vulnerability in MicroLogix™ Controllers

Description

Original disclosure: December 18, 2009

Updated: January 20, 2010

Updated: March 19, 2013 - version 1.0 (see below)

Rockwell Automation has identified a security vulnerability in the programming and configuration client software authentication mechanism employed by the MicroLogix™ family of programmable controllers. This vulnerability is known to affect the MicroLogix family of controller platforms, including catalog numbers: 1761-Lxxxxx, 1762-Lxxxxx, 1763-Lxxxxx, 1764-Lxxxxx, 1766-Lxxxxx (the "Product").

Details of this vulnerability are as follows:

The potential exists for a highly skilled, unauthorized person with specific tools, know-how and access to the Product or the control system communication link, to intercept data communications between the product and any authorized programming and configuration client to RSEmulate the role of a trusted software client to potentially make unauthorized changes to the Product’s operation.

Added: 20 Jan 2010

RISK MITIGATION

Enhancements to the MicroLogix 1400 firmware are being released that reduce the potential for a successful exploitation of the vulnerability.

MicroLogix 1400

Catalog Number

Description

Affected Products

Corrective Firmware

1766-L32xxxx

MicroLogix 1400 controller

Series B FRN 11 or earlier

FRN 12 or higher

Current firmware for MicroLogix can be obtained here:

http://www.ab.com/linked/programmablecontrol/PLC/MicroLogix/downloads.html

Added: 19 March 2013

Both RSLogix 500 and RSLogix Micro software version 8.40 were enhanced to introduce password encryption without any changes necessary to SLC and MicroLogix firmware. This implementation is compatible with all SLC and MicroLogix platforms.

In order to use this capability, a new "Encrypt Password" checkbox has been included in RSLogix 500/Micro version 8.40. This "Encrypt Password" checkbox is located on the Password tab of the Controller Properties page.

NOTE: Once an encrypted password is loaded into a controller, earlier versions of RSLogix 500 and RSLogix Micro will not be able to match the controller password.

For detailed information, refer to Publication 1766-RM001E-EN-P - May 2012, Program Password Protection

Customers who are concerned about unauthorized access to their Products can take immediate steps as outlined below to reduce associated security risk from this potential vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system’s configuration too.

To help reduce the likelihood of exploitation and to help reduce associated security risk, Rockwell Automation recommends the following immediate mitigation strategies (Note: when possible, multiple strategies should be employed simultaneously):

Disable where possible the capability to perform remote programming and configuration of the Product over a network to a controller by placing the controller’s key switch into RUN mode.

Enable static protection on all critical data table files to prevent any remote data changes to critical data.

Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

In addition to these immediate risk mitigation strategies, Rockwell Automation is addressing this potential security vulnerability in the Product and associated programming and configuration software. Lastly, Rockwell Automation is committed to making additional security enhancements to our systems in the future.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.

KCS Status

Released

Critical

PN690 | PN690 | EtherNet/IP™ Product Vulnerabilities

Published Date:

January 03, 2013

Last Updated:

January 13, 2025

CVE IDs:

CVE-2012-6439, CVE-2012-6441, CVE-2012-6442 , CVE-2012-6438, CVE-2012-6437

Products:

Ethernet/IP Network

CVSS Scores:

10.0, 7.8, 8.5

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Introduction

EtherNet/IP™ Product Vulnerabilities

Description

January 3, 2013 - version 1.0

Update to January 31, 2012

On January 19, 2012, Rockwell Automation was notified by Digital Bond, Inc. of vulnerabilities discovered in an Allen-Bradley 1756-ENBT communication module. The public disclosure of these findings occurred at the S4 conference and included details to allow for potential reproduction and exploitation of these vulnerabilities.

Rockwell Automation has released firmware to address two of the product vulnerabilities affecting specific controller, communication modules and adapters.

VULNERABILITY DETAILS

CVE-2012-6439

A Denial of Service (DOS) condition may result when an affected product receives valid CIP message that changes the product’s configuration and network parameters. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and a disruption of communication to other products in controller platform or system.
<Update B>

Rockwell Automation continues to investigate potential mitigations to this vulnerability that maintain compliance to EtherNet/IP specification.

CVE-2012-6441

An Information Disclosure of product-specific information unintended for normal use results when the affected product receives a specially crafted CIP packet.

CVE-2012-6442

A Denial of Service (DOS) condition results when affected product receives a valid CIP message that instructs the product to reset. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and a temporary disruption of communication to other products in controller platform or system.

Rockwell Automation continues to investigate potential mitigations to this vulnerability that maintain compliance to EtherNet/IP specification.

CVE-2012-6438

A Denial of Service (DOS) condition and a product recoverable fault results when affected product receives a malformed CIP packet. Receipt of such a message from an unauthorized source has will cause a disruption of communication to other products in controller platform or system. Recovery from a successful exploitation of this vulnerability requires the product to be reset via power cycle to the chassis or removal-reinsertion of module.

CVE-2012-6437

The potential exists for the affected product to accept an altered or corrupted firmware image during its upgrade process that may render the product inoperable or change its otherwise normal operation. Receipt of such a message from an unauthorized source has the potential to cause loss of product availability and a disruption of communication to other products in controller platform or system. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the product for other malicious activities.

AFFECTED PRODUCTS

Rockwell Automation’s Security Taskforce has determined the following Rockwell Automation products are affected by this vulnerability. Investigations continue to evaluate if other Rockwell Automation products are similarly affected:

CVE-2012-6439

All EtherNet/IP products that conform to the CIP and EtherNet/IP specifications.

CVE-2012-6441

1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules

Note: Further evaluation has reduced the list of products affected by this vulnerability.

CVE-2012-6442

All EtherNet/IP products that conform to the CIP and EtherNet/IP specifications.

CVE-2012-6438

1756-ENBT, 1756-EWEB, 1768-ENBT, 1768-EWEB communication modules
CompactLogix L32E and L35E controllers
1788-ENBT FLEXLogix adapter
1794-AENTR FLEX I/O EtherNet/IP adapter

<Update E>

Note: Evaluations continue to determine additional products that may be affected.

<Update E>

CVE-2012-6437

Products that do not support Rockwell Automation digital signature-based firmware validation

RISK MITIGATION

To help reduce the likelihood of compromise and the associated security risks, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously:

CVE-2012-6439 and CVE-2012-6442 Mitigations

1. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

2. Employ a Unified Threat Management (UTM) appliance that specifically supports CIP message filtering designed to block the specific vulnerabilities:

CIP Ethernet configuration service
Messages sent to CIP Class code: 0xc0 with Service code: 0x97 service
CIP reset service

NOTE: Rockwell Automation continues to investigate and evaluate other product-level strategies to address this vulnerability.

Vulnerabilities CVE-2012-6441 and CVE-2012-6438: Mitigations

Communication Modules and Adapters

Catalog Number

Description

Affected Products

New Firmware

1756-ENBT

EtherNet/IP modules for ControlLogix platform

All firmware revisions prior to 6.005

6.005

1756-EWEB

Ethernet Webserver module for ControlLogix platform

All firmware revisions prior to 4.016
Note: Updated 2 Jan 2013

4.016
Note: Updated 2 Jan 2013

1768-ENBT

EtherNet/IP modules for CompactLogix platform

All firmware revisions prior to 4.004
Note: Updated 2 Jan 2013

4.004
Note: Updated 2 Jan 2013

1768-EWEB

Ethernet Webserver module for CompactLogix platform

All firmware revisions prior to 2.005

2.005
Note: Updated 3 Jan 2013

1788-ENBT

FLEXLogix EtherNet/IP adapter

Evaluations continue

Evaluations continue

Controllers

Catalog Number

Description

Affected Products

New Firmware

CompactLogix L32E

CompactLogix Controller

All firmware revisions prior to 20.012

20.012

CompactLogix L35E

CompactLogix Controller

All firmware revisions prior to 20.012

20.012

Distributed I/O

1794-AENTR

FLEX I/O EtherNet/IP adapter

Evaluations continue

Evaluations continue

Find Downloads at:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx

CVE-2012-6437: Mitigations

At this time, Rockwell Automation continues to evaluate the technical feasibility of enhancing the 1756-ENBT to include a digital signature validation mechanism on firmware.

In lieu of this capability, concerned customers are recommended to employ good security design practices in their network architecture and also consider using the more contemporary 1756-EN2T EtherNet/IP communication modules for the ControlLogix platform.

The capability for the 1756-EN2T to validate digital signatures has been introduced in the below product release:

Catalog Number	Description	New Firmware
1756-EN2T	EtherNet/IP modules for ControlLogix platform that support digital signature validation on firmware	5.028

Find Downloads at:

http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx

Other Rockwell Automation products:

1. Obtain product firmware only from trusted manufacturer sources.

2. Use only Rockwell Automation issued tools to perform product firmware upgrades.

3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.

4. Refer to AID:433319 and AID:43320 for similar, previously released advisories that include recommended similar mitigation strategies.

NOTE: Rockwell Automation continues to investigate and evaluate other product-level strategies to address this vulnerability.

In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. If appropriate for the application, isolate the Industrial Control System network from the Enterprise network and other points of potential remote network access.

3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.

4. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

5. Use up to date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.

6. Make sure that software and control system device firmware is patched to current releases.

7. Periodically change passwords in control system components and infrastructure devices.

8. Where applicable, set the controller key-switch/mode-switch to RUN mode

9. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

.

KCS Status

Released

PN753 | PN753 | Vulnerability claims relating to FactoryTalk Services and RSLogix 5000 Software

Published Date:

November 29, 2012

Last Updated:

November 29, 2012

Products:

Logix Designer

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

Vulnerability claims relating to FactoryTalk Services and RSLogix 5000 Software

Description

November 29, 2012 - version 1.0

On November 25, 2012, Exodus Intelligence, Inc. (Exodus) disclosed a limited amount of information relating to purported vulnerabilities in some Rockwell Automation products. In addition, they identified associated risks relating to third-party software that is included with the Rockwell Automation product installation. As a result of this information disclosure, Rockwell Automation’s Security Taskforce independently reached out to Exodus to request greater details to help us validate these claims and assess risk so we could rapidly establish a responsible risk mitigation strategy for our customers.

On November 28, 2012, Exodus provided greater details of their findings directly to Rockwell Automation. This included specific information about affected products, product versions and also proof-of-concept exploitation code that demonstrates the particular product weaknesses. With our receipt of this information, Rockwell Automation launched a detailed technical evaluation of the claims and we further expanded our preparations to support our customers in risk remediation activities, if such actions should become necessary.

As a result of Rockwell Automation’s technical evaluations, the vulnerability claims made by Exodus have been validated and verified to affect an older version of a component of the Rockwell Automation FactoryTalk services platform. The particular affected component had been previously identified and has since evolved to already remove any risk associated with Exodus’ findings.

Rockwell Automation’s Security Taskforce evaluations specifically determined:

One vulnerability identified by Exodus was a re-discovery of a previous known anomaly in a component version of a software service. Rockwell Automation addressed this vulnerability via software patch first issued on October 4, 2011. In addition to releasing the patch, specific process improvement steps were put in place to remove risk of re-introducing the anomaly in subsequent product releases.
A second vulnerability identified by Exodus had already been internally identified and isolated by Rockwell Automation as a result of our ongoing code review processes within our Security Development Lifecycle (SDL). This vulnerability was similarly addressed in the same above product patch issued on October 4, 2011. Similar process improvement steps were put in place at that time to avoid potential to carry the anomaly forward in newer software releases.

For specifics relating to the publicized vulnerabilities and resulting patch, refer to: https://rockwellautomation.custhelp.com/app/answers/detail/a_id/456144

Exodus’ observation is accurate that Rockwell Automation software installations sometimes include third-party content such as Adobe® Reader. Such software is often included as a convenience for customers who may lack immediate access to the Internet to obtain a PDF viewer necessary to read certain electronic documentation included with our products.

In July 2008, at the time of the particular Rockwell Automation RSLogix 5000 product release evaluated by Exodus, Adobe® Reader Version 8 was a current version of PDF reader software. Since our initial product release, our subsequent software releases and master installation files have undergone numerous incremental and major revisions. These incremental product releases lead to the ongoing creation of newer software master installs which, where possible include more-current third-party content such as Adobe Reader. A customer who acquires today the particular 2008 release of RSLogix 5000 software from Rockwell Automation receives a software installation that includes more contemporary versions of third-party content, e.g. Adobe Reader X (Version 10).

We continue to encourage all customers to be proactive and stay current where possible with software patches and new product releases for all software used in their control systems.

CONTINUOUS IMPROVEMENT AND MATURITY MODEL

Rockwell Automation shares in the same concerns as our customers, product users, security research community and the public at large with regard to the industrial control system security.

We continue to make significant investment in our product development and testing processes and also provide relevant product and system security features to our customers to help protect assets, information and operational integrity.
Our internal Security Development Lifecycle (SDL) continues to mature and demonstrate tangible value to help proactively address potential product and system design weaknesses.
We parallel our product security developments, testing and overall SDL investments with added lessons learned from our formal approach to product security Threat Management and Incident Response.

These combined efforts and others result in a maturity model allowing for continuous improvements in our contemporary solution that successfully enhance product and system security. Where technically feasible, some of these same improvements are also made available for many legacy products and systems too.

ADDED RECOMMENDATIONS FOR RISK MITIGATION

Rockwell Automation advocates that all industrial control system asset owners invest to assess security risks in their automation systems and take appropriate measures to reduce known risks to an acceptable level. A balance of both technical and non-technical measures comprises a successful Security Program, therefore risk-reducing compensating controls should include a combination of careful product selection, network and infrastructure design and installation, maintenance and upgrade planning and consistent personnel training complemented by structured policies and procedures for employees to follow.

In particular, keeping software and hardware products and system components up to date remains a key imperative to help maintain and enhance the security posture of industrial control systems. The following links provide basic foundational information on security best practices proven suitable for all control systems:

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security

KCS Status

Released

Medium

PN750 | PN750 | FactoryTalk® Historian SE Security Vulnerability from PI OPC DA software interface

Published Date:

November 02, 2012

Last Updated:

November 02, 2012

Products:

FactoryTalk Historian SE

CVSS Scores:

6.3

Known Exploited Vulnerability (KEV):

No

Corrected:

No

Workaround:

No

More Details Less Details

Introduction

FactoryTalk® Historian SE Security Vulnerability from PI OPC DA software interface

Description

November 2, 2012 - version 1.0

In response to the ICS-CERT Advisory ICSA-12-201-01 – OSISOFT PI OPC DA INTERFACE BUFFER OVEFLOW, Rockwell Automation’s Security Taskforce conducted a thorough evaluation of Rockwell Automation products that include, or make use of the affected OSIsoft PI OPC DA interface software.

AFFECTED PRODUCTS
As a result of Rockwell Automation’s evaluation, we have determined the following Rockwell Software-brand product includes, and makes use of the OSIsoft PI OPC DA software interface:

FactoryTalk™ Historian SE versions 2.10.00, 2.20.00 and 3.00.00

VULNERABILITY DETAILS
Per ICSA-12-201-01, OSIsoft, LLC proactively disclosed the presence of "a stack-based buffer overflow in the PI OPC DA interface software that could cause the software to crash or allow a remote attacker to execute arbitrary code." Furthermore, "Successful exploitation of this vulnerability could allow a remote, authenticated attacker to execute arbitrary code on a vulnerable system."

Rockwell Automation includes and installs the PI OPC DA interface software with FactoryTalk™ Historian SE; however, this interface is NOT configured and it is NOT running by default. When the PI OPC DA interface software that has been included with the install is used for OPC communications, it is similarly susceptible to the above mentioned stack-based vulnerability and the system-wide effects of successful exploitation of the weakness.

RISK MITIGATION
ICSA-12-201-01 states, "OSIsoft has published a customer notification, and has released a product update that resolves this vulnerability." This release applies specifically to OSIsoft PI OPC DA software.

Rockwell Automation has validated this OSIsoft product update and taken similar measures to proactively release a product update for affected Rockwell Software FactoryTalk Historian SE versions. The software update and associated installation instructions can be found in the Rockwell Automation Knowledgebase at:

AID: 509721 - https://rockwellautomation.custhelp.com/app/answers/detail/a_id/509721

NOTE: We recognize that not all FactoryTalk Historian SE users employ the OPC interface; nonetheless, Rockwell Automation still recommends the above software update be applied to affected software to help mitigate potential future risk should the interface software be used at a later time.

In addition to applying the above software update to affected products, Rockwell Automation’s Security Taskforce recommends concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.

2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.

3. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.

We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/security

KCS Status

Released

High

PN691 | PN691 | Rockwell Automation Logix™ Controller Vulnerabilities

Published Date:

July 18, 2012

Last Updated:

January 13, 2025

CVE IDs:

CVE-2012-6436, CVE-2012-6435

Products:

ControlLogix, CompactLogix, GuardLogix, SoftLogix

CVSS Scores:

7.8

Known Exploited Vulnerability (KEV):

No

Corrected:

Yes

Workaround:

Yes

More Details Less Details

Introduction

Description

July 18, 2012 - version 1.0

Update to December 4, 2013

On January 19, 2012, Rockwell Automation was notified by Digital Bond, Inc. of vulnerabilities discovered in an Allen-Bradley ControlLogix controller. The public disclosure of these findings occurred at the S4 conference and included details to allow for potential reproduction and exploitation of these vulnerabilities.

Vulnerability #1 has been addressed in Logix release V16.023 / V20.011 and higher.

Controller firmware issued with Logix release V16.023 / V20.012 and higher addresses the product vulnerability (see Vulnerability #2 below) in affected ControlLogix and GuardLogix controllers.

VULNERABILITY DETAILS

CVE-2012-6436

A Denial of Service (DOS) condition results when an affected controller receives a malformed CIP packet that causes the controller to enter a fault state requiring the reloading of the user program. Receipt of such a message from an unauthorized source has the potential to cause loss of product availability and a disruption to the operation of other products in a system that depend on instructions issued by the affected controller. Recovery from successful exploitation requires the controller mode switch to be cycled. In addition, the user program must be reloaded either automatically from the local CompactFlash card, or manually via RSLogix 5000 software.

CVE-2012-6435

A Denial of Service (DOS) condition results when an affected controller receives a valid CIP message that instructs the controller to stop logic execution and enter a fault state requiring the reloading of the user program. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and a disruption to the operation of other products in a system that depend on instructions issued by the affected controller. Recovery from successful exploitation requires the controller mode switch to be cycled. In addition, the user program must be reloaded either automatically from the local CompactFlash card, or manually via RSLogix 5000 software.

AFFECTED PRODUCTS

Rockwell Automation’s Security Taskforce has determined the following Rockwell Automation products are affected by this vulnerability. Investigations continue to evaluate if other Rockwell Automation products are similarly affected:

CVE-2012-6436

Version 18 and prior releases of ControlLogix, CompactLogix, GuardLogix and SoftLogix

NOTES: This vulnerability does not exist in controller products using V19 and higher.

CVE-2012-6435

Version 19 and prior releases of CompactLogix and SoftLogix controllers
Version 20 and prior releases of ControlLogix and GuardLogix controllers

RISK MITIGATION

To help reduce the likelihood of compromise and the associated security risk, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously:

CVE-2012-6436 Mitigation

Where possible, we recommend users upgrade affected products to Logix release V20 and higher.

CVE-2012-6435 Mitigations

1. Where possible, upgrade CompactLogix and SoftLogix affected products to Logix release V20 and higher.

2. Where possible, upgrade ControlLogix and GuardLogix to Logix firmware release v20.012 or higher.

3. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).

4. Employ a Unified Threat Management (UTM) appliance that specifically supports CIP message filtering designed to block the CIP stop service.

NOTE: Rockwell Automation continues to investigate and evaluate other ControlLogix controller product-level strategies to address this vulnerability.