Treck Ripple20 TCP/IP Vulnerabilities Affect Multiple Rockwell Automation Products

Severity:
Low,
Critical,
Medium
Advisory ID:
PN1508
Published Date:
November 01, 2022
Last Updated:
November 20, 2024
Revision Number:
5.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
Yes
CVE IDs
CVE-2020-11914,
CVE-2020-11910,
CVE-2020-11901,
CVE-2020-11907,
CVE-2020-11911,
CVE-2020-11912,
CVE-2020-25066,
CVE-2020-11906
Summary
Treck Ripple20 TCP/IP Vulnerabilities Affect Multiple Rockwell Automation Products

Revision Number
6.0

Revision History
Version 6.0 – August 13, 2024. Updated affected products list and user actions.
Version 5.0 – November 1, 2022. Added patch information for additional products.
Version 4.0 – May 17, 2022. Updated patch information for PowerFlex 755T and 6000T.
Version 3.0 – February 9, 2021. Updated for ICSA-20-353-01.
Version 2.1 – January 13, 2021. Updated to reflect additional disclosure.
Version 2.0 – July 15, 2020. Updated table to reflect affected products and versions.
Version 1.0 – June 16, 2020. Initial release.

Executive Summary

Treck, a real-time embedded Internet Protocol software vendor, reported several vulnerabilities (named "Ripple20") to Rockwell Automation that were discovered by security researchers at JSOF, a security vendor and research organization. The embedded TCP/IP stack (versions earlier than 6.0.1.66) from Treck is used by many different technology vendors, including Rockwell Automation. These vulnerabilities, if successfully exploited, may result in remote code execution, denial-of-service, or sensitive information disclosure.

Begin Update 3.0
On December 18, 2020, Treck reported four additional vulnerabilities that were discovered by security researchers at Intel. The following components of the embedded TCP/IP stack (versions 6.0.1.67 and prior) are affected: HTTP Server, IPv6, and DHCPv6. These vulnerabilities, if successfully exploited, may result in denial-of-service conditions or remote code execution.
End Update 3.0

Since this disclosure is part of a large multi-party coordination effort with the CERT/CC and ICS-CERT, not every vulnerability reported by Treck impacts Rockwell Automation. Please see the table under Affected Products for a full list of the affected Rockwell Automation products and the corresponding CVE IDs.

Customers using affected products are encouraged to evaluate their own systems and apply the appropriate risk mitigations from those listed below. Additional details relating to the discovered vulnerabilities and recommended countermeasures are provided herein.

Affected Products

Affected Product Family | Affected Versions | Affected CVEs (all CVE-2020-xxxxx)
5094-AEN2SFPR/XT, 5094-AEN2TR/XT, 5094-AENSFPR/XT, 5094-AENTR/XT | 1.011-4.011 | 11901, 11906, 11907, 11910, 11911, 11912
5069-AENTR | 3.011-4.011 | 11901, 11906, 11907, 11910, 11911, 11912
1734-AENT/R | 4.001-6.012 | 11901, 11906, 11907, 11910, 11911, 11912
1738-AENT/R | 4.001-6.012 | 11901, 11906, 11907, 11910, 11911, 11912
1732E-16CFGM12R, 1732E-8X8M12DR, 1732E-IB16M12DR, 1732E-IB16M12R, 1732E-OB16M12DR, 1732E-OB16M12R | 2.011-2.012 | 11901, 11906, 11907, 11910, 11911, 11912
1791ES-ID2SSIR | 1.001 | (no CVE marked in the table)
1799ER-IQ10XOQ10 | 2.011 | 11901, 11906, 11907, 11910, 11911, 11912
1794-AENTR/XT | 1.011-1.017 | 11901, 11906, 11907, 11910, 11911, 11912
1732E-12X4M12QCDR, 1732E-16CFGM12QCR, 1732E-16CFGM12QCWR, 1732E-12X4M12P5QCDR, 1732E-16CFGM12P5QCR | 1.011-1.015 | 11901, 11906, 11907, 11910, 11911, 11912
1732E-16CFGM12P5QCWR | 1.011-2.011 | 11901, 11906, 11907, 11910, 11911, 11912
PowerMonitor™ 5000 | 4.19 | 11901, 11906, 11907, 11910, 11911, 11912, 11914
PowerMonitor 1000 | 4.10 | 11901, 11906, 11907, 11910, 11911, 11912, 11914
ArmorStart® ST+ Motor Controller | 1.001 | 11901, 11906, 11907, 11910, 11911
Kinetix 5500 | All* | 11901, 11906, 11907, 11910, 11911, 11912
Kinetix® 5700 | All* | 11901, 11906, 11907, 11910, 11911, 11912
Kinetix 5100 | 1.001 | 11901, 11906, 11907, 11910, 11911, 11912
PowerFlex 755T, PowerFlex 6000T | All* | 11901, 11906, 11907, 11910, 11911
CIP Safety™ Encoder | All* | 11901, 11906, 11907, 11910, 11911

Begin Update 3.0:
Affected Product Family | Affected Versions | CVE
1734-AENT/R | 4.001-6.012 | CVE-2020-25066
1738-AENT/R | 4.001-6.012 | CVE-2020-25066
1794-AENTR, 1794-AENTR/XT | 1.011-1.017 | CVE-2020-25066
1732E-16CFGM12R, 1732E-8X8M12DR, 1732E-IB16M12DR, 1732E-IB16M12R, 1732E-OB16M12DR, 1732E-OB16M12R | 2.011-2.012 | CVE-2020-25066
1799ER-IQ10XOQ10 | 2.011 | CVE-2020-25066
1732E-12X4M12QCDR, 1732E-16CFGM12QCR, 1732E-16CFGM12QCWR, 1732E-12X4M12P5QCDR, 1732E-16CFGM12P5QCR | 1.011-1.015 | CVE-2020-25066
1732E-16CFGM12P5QCWR | 1.011-2.011 | CVE-2020-25066
PowerMonitor™ 5000 | 4.19 | CVE-2020-25066
PowerMonitor 1000 | 4.10 | CVE-2020-25066
End Update 3.0


Begin Update 6.0
Affected Product Family | Affected Versions | CVE
PowerFlex 527 | all | CVE-2020-25066
End Update 6.0

Vulnerability Details

Begin Update 3.0:
CVE-2020-25066

A vulnerability in the Treck HTTP Server component allows an attacker to cause a denial-of-service condition. This vulnerability may also result in arbitrary code execution.

CVSSv3.1 Score: 9.8/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
End Update 3.0


CVE-2020-11901
There is an improper input validation issue in the DNS resolver component when handling a sent packet. A remote, unauthenticated attacker may be able to inject arbitrary code on the target system using a maliciously crafted packet.

CVSSv3.1 Score: 9.1/CRITICAL
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2020-11906
There is an improper input validation issue in the Ethernet Link Layer component. An adjacent, unauthenticated attacker can send a malicious Ethernet packet that triggers an integer underflow, leading to a crash or segmentation fault on the target device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2020-11907
There is an improper handling of length parameter consistency issue in the TCP component. A remote, unauthenticated attacker can send a malformed TCP packet that triggers an integer underflow, leading to a crash or segmentation fault on the device.

CVSSv3.1 Score: 5.0/MEDIUM
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

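The Ethernet, TCP and IPv6 findings above (CVE-2020-11906, CVE-2020-11907, CVE-2020-11912) all belong to one class: a length field taken from the packet is used in a subtraction before it has been checked against the bytes actually present, so the result underflows. The following validator is an added illustration of the check a receiving stack must make; it is not Treck's or Rockwell's code, and the packets it builds are constructed samples rather than captures. The "would underflow" branches mark exactly the comparisons whose absence produces the described crash.

```python
import struct
from typing import Tuple

# Added illustration, not Treck's or Rockwell's code: a minimal IPv4/TCP header
# validator that cross-checks every length field against the bytes actually
# present before any payload size is computed.

IPV4_MIN_HDR = 20
TCP_MIN_HDR = 20
PROTO_TCP = 6


def check_ipv4_tcp_lengths(packet: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for one IPv4 packet carrying TCP."""
    if len(packet) < IPV4_MIN_HDR:
        return False, "truncated IPv4 header"
    if packet[0] >> 4 != 4:
        return False, "not IPv4"
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    if ihl < IPV4_MIN_HDR:
        return False, "IHL below minimum"
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl:
        # total_len - ihl would go negative: the underflow case
        return False, "total length smaller than IP header (would underflow)"
    if total_len > len(packet):
        return False, "total length exceeds bytes received"
    if packet[9] != PROTO_TCP:
        return False, "not TCP"
    segment = packet[ihl:total_len]
    if len(segment) < TCP_MIN_HDR:
        return False, "truncated TCP header"
    data_off = (segment[12] >> 4) * 4                 # TCP header length in bytes
    if data_off < TCP_MIN_HDR:
        return False, "TCP data offset below minimum"
    if data_off > len(segment):
        # len(segment) - data_off would go negative: the underflow case
        return False, "TCP data offset exceeds segment (would underflow)"
    return True, "ok, payload=%d bytes" % (len(segment) - data_off)


def build_packet(total_len=None, data_off_words=5, payload=b"") -> bytes:
    """Construct a sample packet (constructed test data, not a capture).
    total_len=None fills in the honest IPv4 total length."""
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0,
                          data_off_words << 4, 0x18, 65535, 0, 0)
    segment = tcp_hdr + payload
    if total_len is None:
        total_len = IPV4_MIN_HDR + len(segment)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                         PROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + segment


if __name__ == "__main__":
    for label, pkt in [
        ("well-formed", build_packet(payload=b"abc")),
        ("total length below IP header", build_packet(total_len=10)),
        ("data offset beyond segment", build_packet(data_off_words=15)),
        ("total length beyond frame", build_packet(total_len=200)),
    ]:
        print(label, "->", check_ipv4_tcp_lengths(pkt))
```

The same pattern (bound every length field by the enclosing length before subtracting) applies to the Ethernet and IPv6 header paths; only the field offsets differ.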
CVE-2020-11910
There is an improper input validation issue in the ICMPv4 component. A remote, unauthenticated attacker can send a malicious packet that may expose data present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11911
There is an improper access control issue in the ICMPv4 component. A remote, unauthenticated attacker can send a malicious packet that can lead to higher privileges in permissions assignments for some critical resources on the destination device.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2020-11912
There is an improper input validation issue in the IPv6 component. A remote, unauthenticated attacker can send a malicious packet that may expose some data that is present outside the bounds of allocated memory.

CVSSv3.1 Score: 3.7/LOW
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2020-11914
There is an improper input validation issue in the ARP component. An unauthenticated, local attacker can send a malicious Layer-2 ARP packet that could lead to unintended exposure of some sensitive information on the target device.

CVSSv3.1 Score: 3.1/LOW
CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Update 2.1: Rockwell Automation is aware of the additional Treck TCP/IP Stack vulnerabilities disclosed (ICSA-20-353-01). The potential impact of these vulnerabilities is currently being investigated, and this advisory will be updated when the investigation concludes.

Risk Mitigation & User Action

Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as these fixes become available. Please subscribe to updates to this advisory and the Industrial Security Advisory Index (Knowledgebase ID 54102) to stay notified.
CVE | Suggested Actions

CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11914

For successful exploitation, these vulnerabilities require malformed TCP/IP packets to reach the destination device and an active network connection. To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide for best practices for deploying network segmentation and broader defense-in-depth strategies.

The CERT/CC has provided IDS rules to support additional mitigations for these vulnerabilities. These rules can be found on their GitHub page.

ICS-CERT has provided additional network mitigations in their public disclosure.

Begin Update 3.0:
CVE | Suggested Actions
CVE-2020-25066 | Follow suggested actions above and, when possible, implement firewall rules to filter out packets that contain a negative content length in the HTTP header.

ICS-CERT has provided additional network mitigations in their public disclosure.

End Update 3.0
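The Update 3.0 mitigation above is a filtering rule: drop HTTP requests whose Content-Length is negative before they reach the embedded HTTP server. The validator below is an added example of that rule as it might run in a proxy or inline filter in front of the device; it is not Rockwell's or Treck's code, the request samples are constructed, and the 1 MiB body cap is an assumption chosen for the example. It goes a little beyond the advisory's wording in also rejecting the other malformed forms (sign characters, non-digits, conflicting duplicates) that a lenient parser on the device side might otherwise accept.

```python
import re
from typing import Tuple

# Added example, not Rockwell's or Treck's code: strict Content-Length
# validation for one HTTP request head, suitable for an inline filter placed
# in front of an embedded HTTP server.

_CL_RE = re.compile(rb"^[0-9]{1,10}$")   # unsigned digits only, bounded length
MAX_BODY = 1 << 20                       # assumed 1 MiB cap for this example


def validate_content_length(raw_request: bytes) -> Tuple[bool, str]:
    """Return (accept, reason) for the raw bytes of an HTTP request.
    Only the header block up to the blank line is examined."""
    head, sep, _body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    values = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"content-length":
            values.append(value.strip())
    if not values:
        return True, "no Content-Length"
    if len(set(values)) > 1:
        return False, "conflicting Content-Length values"
    value = values[0]
    if not _CL_RE.match(value):
        # rejects "-1", "+5", "1e3", "0x10", "5, 5", "" and over-long digit runs
        return False, "malformed Content-Length %r" % value
    length = int(value)
    if length > MAX_BODY:
        return False, "Content-Length %d exceeds cap" % length
    return True, "Content-Length %d" % length


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal":      b"POST /index.html HTTP/1.1\r\nHost: device\r\nContent-Length: 5\r\n\r\nhello",
    "negative":    b"POST /index.html HTTP/1.1\r\nHost: device\r\nContent-Length: -1\r\n\r\n",
    "signed":      b"POST /index.html HTTP/1.1\r\nHost: device\r\nContent-Length: +5\r\n\r\nhello",
    "conflicting": b"POST /index.html HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\n",
    "no-body":     b"GET /index.html HTTP/1.1\r\nHost: device\r\n\r\n",
}


def filter_samples() -> dict:
    """Run the validator over every sample; returns name -> accept flag."""
    return {name: validate_content_length(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print("%-12s %s" % (name, validate_content_length(req)))
```

A deny decision here should also be logged with the source address, since a request carrying a negative length has no legitimate origin and is a useful detection signal on a control network.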


Available Fixes:

Update 4.0 May 17, 2022
CVE | Affected Product | Suggested Actions
CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912 | 5069-AENTR | Apply firmware v4.012 or later (Download).
CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912 | 5094-AEN2SFPR/XT, 5094-AEN2TR/XT, 5094-AENSFPR/XT, 5094-AENTR/XT | Apply firmware v5.012 or later (Download).
CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912, CVE-2020-11914 | Kinetix 5700 | Apply v13 or later (Download).
CVE-2020-11901, CVE-2020-11906, CVE-2020-11907, CVE-2020-11910, CVE-2020-11911, CVE-2020-11912 | PowerFlex 755T, PowerFlex 6000T | Apply 6.005 or later for PF755T. Apply R8 or later for PF6000T. (Download)

Update 5.0 November 1, 2022
CVE | Affected Product Family | Suggested Actions
CVE-2020-25066 | 1734-AENT/R | Apply firmware 7.011 or later.
CVE-2020-25066 | 1738-AENT/R | Apply firmware 6.011 or later.
CVE-2020-25066 | 1794-AENTR, 1794-AENTR/XT | Apply firmware 2.011 or later.
CVE-2020-25066 | 1732E-16CFGM12R, 1732E-8X8M12DR, 1732E-IB16M12DR, 1732E-IB16M12R, 1732E-OB16M12DR, 1732E-OB16M12R | Apply firmware 3.011 or later.
CVE-2020-25066 | 1799ER-IQ10XOQ10 | Apply firmware 3.011 or later.
CVE-2020-25066 | 1732E-12X4M12QCDR, 1732E-16CFGM12QCR, 1732E-16CFGM12QCWR, 1732E-12X4M12P5QCDR, 1732E-16CFGM12P5QCR | Apply firmware 3.011 or later.
CVE-2020-25066 | 1732E-16CFGM12P5QCWR | Apply firmware 3.011 or later.

Begin Update 6.0 August 13, 2024
CVE | Affected Product Family | Suggested Actions
CVE-2020-25066 | PowerFlex 527 | Follow suggested actions above and, when possible, implement firewall rules to filter out packets that contain a negative content length in the HTTP header.
End Update 6.0
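Working through the Affected Products and Available Fixes tables by hand is error-prone when an estate holds dozens of adapters at different firmware levels. The script below is an added example of how a practitioner might triage an inventory against the rows in this advisory; it is not Rockwell tooling. The ADVISORY table transcribes a subset of the rows above (5069-AENTR, 5094-AENTR/XT, 1734-AENT/R, 1794-AENTR/XT, PowerFlex 527) and the version strings in the sample inventory are constructed; anyone using it should extend and re-verify the table against the advisory itself.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not Rockwell tooling: triage installed firmware versions
# against the affected ranges and fix versions listed in this advisory.

RIPPLE20_SIX = ["CVE-2020-11901", "CVE-2020-11906", "CVE-2020-11907",
                "CVE-2020-11910", "CVE-2020-11911", "CVE-2020-11912"]

# product -> list of (affected_low, affected_high, fix_version, cves)
# None for low/high means "all versions"; None for fix means no fix listed.
# Subset transcribed from the advisory's tables; verify before relying on it.
ADVISORY: Dict[str, List[Tuple[Optional[str], Optional[str], Optional[str], List[str]]]] = {
    "5069-AENTR":    [("3.011", "4.011", "4.012", RIPPLE20_SIX)],
    "5094-AENTR/XT": [("1.011", "4.011", "5.012", RIPPLE20_SIX)],
    "1734-AENT/R":   [("4.001", "6.012", None, RIPPLE20_SIX),
                      ("4.001", "6.012", "7.011", ["CVE-2020-25066"])],
    "1794-AENTR/XT": [("1.011", "1.017", None, RIPPLE20_SIX),
                      ("1.011", "1.017", "2.011", ["CVE-2020-25066"])],
    "PowerFlex 527": [(None, None, None, ["CVE-2020-25066"])],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'v4.012' -> (4, 12); tuples compare correctly as dotted versions."""
    return tuple(int(part) for part in text.strip().lower().lstrip("v").split("."))


def triage(product: str, installed: str) -> dict:
    """Return which listed CVEs remain open for one device and what to do."""
    rows = ADVISORY.get(product)
    if rows is None:
        return {"product": product, "installed": installed,
                "status": "not listed in this advisory", "open_cves": [], "actions": []}
    ver = parse_version(installed)
    open_cves: List[str] = []
    actions: List[str] = []
    for low, high, fix, cves in rows:
        in_range = low is None or parse_version(low) <= ver <= parse_version(high)
        if not in_range:
            continue
        if fix is not None and ver >= parse_version(fix):
            continue                      # already at or beyond the fixed firmware
        open_cves.extend(cves)
        actions.append("apply firmware %s or later" % fix if fix
                       else "no firmware fix listed; apply the network mitigations")
    return {"product": product, "installed": installed,
            "status": "affected" if open_cves else "not in an affected range",
            "open_cves": list(dict.fromkeys(open_cves)),
            "actions": list(dict.fromkeys(actions))}


# Constructed sample inventory (not real asset data).
INVENTORY = [("5069-AENTR", "4.005"), ("5069-AENTR", "4.012"),
             ("1734-AENT/R", "5.001"), ("PowerFlex 527", "2.001"),
             ("1756-EN2TR", "11.001")]


def triage_inventory() -> Dict[Tuple[str, str], str]:
    """Map (product, version) -> status for the whole inventory."""
    return {(p, v): triage(p, v)["status"] for p, v in INVENTORY}


if __name__ == "__main__":
    for product, version in INVENTORY:
        result = triage(product, version)
        print(product, version, "->", result["status"], result["open_cves"], result["actions"])
```

Because the advisory lists 1734-AENT/R and 1794-AENTR/XT twice (once for the original six CVEs with no fix and once for CVE-2020-25066 with a fix), a single device can come back with one action satisfied and another still open; the output keeps both so that nothing is silently closed.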

 

General Security Guidelines

Network-based Vulnerability Mitigations for Embedded Products
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that ICMPv4, TCP, ARP and DNS traffic originating from unauthorized sources is blocked.
  • Ensure that software-based firewalls are running with current rule sets and enforced on individual systems.

Software/PC-based Mitigation Strategies
  • Use of Microsoft® AppLocker or other similar application whitelisting software can help mitigate risk. Information on using AppLocker with Rockwell Automation® products is available at QA17329 - Using Rockwell Automation Software Products with AppLocker
  • Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum number of rights as needed.

General Mitigations
  • Use trusted software, software patches, and antivirus/antimalware programs, and interact only with trusted websites and attachments.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
  • Locate control system networks and devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

See our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).


ADDITIONAL LINKS
  • PN1354 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
  • https://kb.cert.org/vuls/id/257161
  • https://us-cert.cisa.gov/ics/advisories/icsa-20-353-01

Copyright ©2022 Rockwell Automation, Inc.