
PN1113 | CVE-2020-0601 Impact to Rockwell Automation Products

Severity: High
Advisory ID: PN1113
Published Date: January 20, 2021
Last Updated: January 20, 2021
Revision Number: 2.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No
CVE IDs: CVE-2020-0601

Summary
CVE-2020-0601 Impact to Rockwell Automation Products

Revision History

Revision Number: 2.0
Version 2.0 - January 20, 2021 - Updated Risk Mitigations and Recommended User Actions.
Version 1.1 - January 31, 2020
Version 1.0 - January 17, 2020

Executive Summary

On Tuesday, January 14, 2020, Microsoft issued a patch and advisory addressing a major cryptographic vulnerability affecting Windows 10, Windows 10 IoT Core and Enterprise, and Windows Server 2016 and 2019. This vulnerability, identified as CVE-2020-0601 and also referred to as "CurveBall," exists in the way Crypt32.dll validates Elliptic Curve Cryptography (ECC) certificates. It breaks the chain of trust and could allow an attacker to sign a malicious executable, intercept and modify TLS-encrypted traffic, or spoof Authenticode code-signing certificates. The National Security Agency (NSA) coordinated the information and release of this vulnerability with Microsoft.

The Rockwell Automation® Product Security Incident Response Team (PSIRT) has been tracking this vulnerability since its release. At the time of writing, Rockwell Automation products are not being directly targeted, but are impacted by vulnerable Windows 10 IoT installations. Please see the Affected Products for a full list of potentially affected Rockwell Automation products.

An investigation is ongoing. Currently, Rockwell Automation is working to address these vulnerabilities and will continue to provide updates as information becomes available.

Affected Products

Microsoft Windows 10 IoT Core and Enterprise editions are impacted by this vulnerability. At the time of publishing, the following Rockwell Automation products are impacted by CVE-2020-0601:

  • CompactLogix 5480 Controllers
  • FactoryTalk Analytics for Devices
  • FactoryTalk Analytics LogixAI
  • ControlLogix Compute Module (1756-CMS1B1)

Vulnerability Details

CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability

Description: A vulnerability exists in the way Windows CryptoAPI validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

  • Microsoft Assigned CVSSv3.0 Base Score: 8.1
  • Microsoft Assigned CVSSv3.0 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
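The flaw described above is triggered by certificates whose ECC key carries explicitly defined curve parameters instead of a named-curve OID, so a defender can inspect certificates for that form. The following is an added example (not Rockwell Automation or Microsoft code): it decodes a DER SubjectPublicKeyInfo and classifies the key as named-curve, explicit-parameter, or non-EC; the SPKI blobs it builds are constructed samples with dummy curve values.

```python
# Added example (not Rockwell Automation or Microsoft code): classify the
# AlgorithmIdentifier of a DER SubjectPublicKeyInfo and flag ECC keys that
# carry explicit curve parameters, the form CVE-2020-0601 forgeries rely on.

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")          # 1.2.840.10045.2.1
NAMED_CURVES = {bytes.fromhex("2a8648ce3d030107"): "P-256"}  # 1.2.840.10045.3.1.7

def der(tag, value):
    """Encode one DER TLV with a minimal (short or long form) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_spki(spki):
    """'named-curve:<name>', 'explicit-params', 'implicit-params' or 'not-ec'."""
    _, body, _ = read_tlv(spki)            # SubjectPublicKeyInfo SEQUENCE
    _, alg, _ = read_tlv(body)             # AlgorithmIdentifier SEQUENCE
    tag, oid, pos = read_tlv(alg)
    if tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg):                    # parameters absent (RFC 5480 forbids this)
        return "implicit-params"
    ptag, pval, _ = read_tlv(alg, pos)
    if ptag == 0x06:                       # namedCurve OBJECT IDENTIFIER
        return "named-curve:" + NAMED_CURVES.get(pval, "unknown")
    if ptag == 0x30:                       # ECParameters SEQUENCE: explicit domain parameters
        return "explicit-params"
    return "implicit-params"               # NULL (implicitlyCA)

def sample_spki(params, alg_oid=ID_EC_PUBLIC_KEY):
    """Constructed SPKI: algorithm OID, parameters, and a dummy 65-byte EC point."""
    alg = der(0x30, der(0x06, alg_oid) + params)
    key = der(0x03, b"\x00\x04" + b"\x00" * 64)    # BIT STRING, 0 unused bits
    return der(0x30, alg + key)

NAMED_SPKI = sample_spki(der(0x06, bytes.fromhex("2a8648ce3d030107")))
# ECParameters with dummy field/curve/base/order values (constructed, not a real curve)
EXPLICIT_SPKI = sample_spki(der(0x30, der(0x02, b"\x01")                   # version
    + der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0101")) + der(0x02, b"\x7f"))  # prime fieldID
    + der(0x30, der(0x04, b"\x01") + der(0x04, b"\x07"))                   # curve a, b
    + der(0x04, b"\x04" + b"\x00" * 64) + der(0x02, b"\x7f")))              # base point, order
RSA_SPKI = sample_spki(der(0x05, b""), alg_oid=bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
```

Run `classify_spki` over the SubjectPublicKeyInfo of each certificate in a chain; any "explicit-params" result on a CA or code-signing certificate deserves a closer look.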

Risk Mitigation & User Action

Customers should understand their potential exposure to this vulnerability by completing a thorough asset inventory and assessment.

Vulnerability: CVE-2020-0601
Rockwell Automation Product:
  • CompactLogix 5480 Controllers
  • ControlLogix Compute Module (1756-CMS1B1)
Suggested Actions: Microsoft released a patch for affected versions of Windows on January 14, 2020. Patch via Windows Update Service or normal patching process.

Vulnerability: CVE-2020-0601
Rockwell Automation Product:
  • FactoryTalk Analytics LogixAI
Suggested Actions: Install the Microsoft Cumulative Security Updates on FactoryTalk Analytics LogixAI; refer to QA58887.

Otherwise, Rockwell Automation will provide a firmware update for the products noted. Patches are not yet available for these products. When the patches are available, this article will be updated.

Vulnerability: CVE-2020-0601
Rockwell Automation Product:
  • FactoryTalk Analytics for Devices
Suggested Actions: To reduce risk, customers should ensure they are employing proper network segmentation and security controls. Specifically, network exposure for all control system devices should be minimized, and control systems should be behind firewalls and isolated from other networks when possible. Refer to the Deploying a Resilient Converged Plantwide Ethernet Architecture Design and Implementation Guide.

Customers using Rockwell Automation industrial compute solutions, such as VersaView computers, Industrial Data Centers, etc., are recommended to regularly inventory and patch their host operating systems.

Update on 1/31/2020: The Rockwell Automation MS Patch Qualification team successfully qualified the Microsoft patch related to CurveBall. Full results and other useful information can be found here.

General Security Guidelines

  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that communications from unauthorized sources are blocked.
  • Use trusted software, software patches, antivirus/antimalware programs, and interact only with trusted web sites and attachments.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet-accessible control systems, please see Knowledgebase Article ID 494865.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).

ADDITIONAL LINKS

  • CVE-2020-0601 Windows CryptoAPI Spoofing Vulnerability
  • Microsoft Windows CryptoAPI fails to properly validate ECC certificate chains
  • Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers

Copyright ©2022 Rockwell Automation, Inc.