Severity: High
Advisory ID: PN1541
Published Date: January 11, 2021
Last Updated: January 11, 2021
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2020-12525

Summary
FactoryTalk AssetCentre affected by M and M Software fdtCONTAINER Remote Code Execution Vulnerability
Revision History
| Revision Number | Revision History |
| --- | --- |
| 1.0 | January 11, 2021. Initial Version. |
Executive Summary
Rockwell Automation received a report from M&M Software regarding vulnerabilities in the fdtCONTAINER component. fdtCONTAINER is distributed as part of FactoryTalk® AssetCentre software. If successfully exploited, this vulnerability may result in remote code execution.
 
This vulnerability does not impact FactoryTalk AssetCentre users who have not purchased the Process Device Configuration (SKU: 9515-ASTPRD*) capability or Calibration Management capability (SKU: 9515-ASTCAL*).
 
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerability, including affected products and recommended countermeasures, are provided herein.
Affected Products
FactoryTalk AssetCentre v9.00.00 and below with Process Device Configuration or Calibration Management capability.
 
Vulnerability Details
CVE-2020-12525: Deserialization of Untrusted Data May Result in Remote Code Execution
A deserialization vulnerability exists in the fdtCONTAINER component in FactoryTalk AssetCentre. This vulnerability could be exploited via a phishing attack in which an attacker sends a specially crafted project file to a local user. When the malicious project file is opened by the local user, it may execute malicious code with the user rights of FactoryTalk AssetCentre.
 
CVSS v3.1 Base Score: 8.6/10 [HIGH]
CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
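An added illustration of the vulnerability class above, not code from the advisory or from M&M Software: the advisory does not describe the fdtCONTAINER project-file format, so Python's pickle stands in for it, and the names ProjectFile, load_project_unsafe, load_project_safe and RestrictedUnpickler are assumed for the illustration. The naive loader instantiates whatever types the file names; the hardened loader resolves only an explicit allowlist and fails closed on anything else.

```python
import datetime
import io
import pickle
from dataclasses import dataclass

# Constructed stand-in for a project file's content. The real fdtCONTAINER
# format is not described in the advisory and is not modelled here.
@dataclass
class ProjectFile:
    name: str
    devices: list

# Vulnerable pattern: the loader resolves and instantiates whatever types the
# file names, so a crafted file decides which code runs when it is opened.
def load_project_unsafe(data: bytes) -> object:
    return pickle.loads(data)

# Hardened pattern: only an explicit allowlist of (module, name) pairs may be
# resolved; any other reference fails closed before an object is built.
ALLOWED_TYPES = {("__main__", "ProjectFile"), (__name__, "ProjectFile")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) not in ALLOWED_TYPES:
            raise pickle.UnpicklingError(f"type not allowed: {module}.{name}")
        return super().find_class(module, name)

def load_project_safe(data: bytes) -> ProjectFile:
    obj = RestrictedUnpickler(io.BytesIO(data)).load()
    # Even an allowlisted type is only accepted as the expected root object.
    if not isinstance(obj, ProjectFile):
        raise pickle.UnpicklingError("unexpected root object type")
    return obj

def is_rejected(data: bytes) -> bool:
    """True when the hardened loader refuses the file."""
    try:
        load_project_safe(data)
    except pickle.UnpicklingError:
        return True
    return False

# Constructed inputs: a legitimate project, and a file whose root object is a
# type the loader has no reason to instantiate (benign here; the unsafe path
# would resolve any importable type the file names in exactly the same way).
GOOD_FILE = pickle.dumps(ProjectFile("line1", ["PLC-A", "PLC-B"]))
UNEXPECTED_FILE = pickle.dumps(datetime.date(2021, 1, 11))
```

The point of the allowlist is that the decision about which code can run is made by the application, not by the file it was handed.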
Risk Mitigation & User Action
Customers using the affected versions of FactoryTalk AssetCentre are encouraged to update to an available software revision that addresses the associated risk. Customers who are unable to update are directed towards risk mitigation strategies provided below and are encouraged, when possible, to combine these with the general security guidelines to employ multiple strategies simultaneously.
| Vulnerability | Suggested Actions |
| --- | --- |
| CVE-2020-12525 | Deny access to PDC Field Edition. To do this, follow the steps below. |
To deny access to PDC Field Edition:
- Open FactoryTalk Admin Console
- Select “System”
- Select “Policies”
- Select “FactoryTalk AssetCentre”
- Open “Feature Security Properties”
- Locate “Run PDC Field Edition” under “Process Device Configuration Policies” and select the ellipses (…) next to “Configure Security”.
- Select the “Deny” Checkboxes for “Administrators” and “All Users”
- Select “OK”
- Select “Apply”
General Security Guidelines
Network-based Vulnerability Mitigations for Embedded Products
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that traffic from unauthorized sources is blocked.
- Block all traffic to EtherNet/IP™ or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, UTM devices or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
Software/PC-based Mitigation Strategies
- Do not use standalone PDC Field Edition
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use Microsoft® AppLocker or another similar allow list application to help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID 546989.
- Confirm that the least-privilege user principle is followed and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
Social Engineering Mitigation Strategies
- Do not open untrusted files with FactoryTalk AssetCentre.
- Do not click or open URL links from untrusted sources.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
General Mitigations
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation at 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
Copyright ©2022 Rockwell Automation, Inc.